On Wed, Jan 25, 2023 at 01:49:09PM -0500, Murali Selvaraj wrote:
> profile sh_restriction /bin/sh  flags=(attach_disconnected,complain) {
>   /tmp/** r,
> }

If a shell can read it, then a shell can execute it. The only real options
I can think of:

- prevent the shell from reading it
- modify the shell to prevent it from executing anything it reads --
  perhaps require shell scripts to be signed? Disable interactive use?

Do you even need a shell installed on your computer? If you can remove
system(3) and popen(3) calls from all your software, you might be able to
remove the shell, too.

Thanks
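
The point of the reply above, as an added example that is not part of the original message: a file the shell may only read is still run when the shell interprets it. File mode bits stand in here for the profile's `r` rule without `x` (an assumption, so the demo runs without AppArmor), and the function name and sample script are constructed for illustration.

```shell
#!/bin/sh
# Constructed demo: a readable, non-executable file is refused by execve()
# but is still interpreted by every path where the shell merely reads it.
# Mode 0444 plays the role of "r without x" from the quoted profile.

read_implies_exec() {
    dir=$(mktemp -d) || return 2
    f="$dir/sample.sh"
    printf 'echo ran\n' > "$f"          # constructed sample script
    chmod 0444 "$f"                      # read-only, no execute bit

    # 1. Direct execution needs execute permission, so the kernel refuses it.
    direct=blocked
    if "$f" >/dev/null 2>&1; then direct=ran; fi

    # 2. Passed as an argument: the shell only opens and reads the file.
    arg=blocked
    if [ "$(sh "$f" 2>/dev/null)" = ran ]; then arg=ran; fi

    # 3. Fed on standard input: again only a read.
    stdin=blocked
    if [ "$(sh < "$f" 2>/dev/null)" = ran ]; then stdin=ran; fi

    # 4. Sourced with "." inside a subshell: also only a read.
    dot=blocked
    if [ "$( ( . "$f" ) 2>/dev/null)" = ran ]; then dot=ran; fi

    rm -rf "$dir"
    echo "direct=$direct arg=$arg stdin=$stdin source=$dot"
}

read_implies_exec
```

Only the first path is stopped by the missing execute permission, which is why the reply lists denying read access, changing the shell, or removing the shell as the real options.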
