Executable Denial Challenge

Michael Williams_6
Trusted Contributor

Executable Denial Challenge

Hello everybody!

I have a challenge for you!!

I am in the middle of a project to replace our aging SCO homes NFS share with a clustered Linux Solution.

All the objectives are complete except one, and I have no idea how to do this!

We have a requirement to deny users executable access for any binary programs on the NFS fileshare, yet allow executable access to viewable shell scripts.

i.e. if a user has a script with #!/bin/[k,ba]sh, then this will be allowed to be executed over the NFS fileshare, however if they have a binary application, this must be denied, even if the file has execute permissions applied.

We're running our NFS Fileshare on a SLES9 server, which has the 2.6 kernel. At present the only thing I can think of is scripting something to identify any executable files that don't contain that line at the top, and changing the permissions, but I'd prefer a solution that simply provides you with permission denied straight away, even if you compile it there and then. Does anyone have any ingenious ways to do this?

Kind Regards,
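
The fallback the question describes (find executable files that do not start with a #! line and drop their execute bits) as a working audit script. This is an added example, not code from the thread; the sample tree built by make_sample_tree, its file names and the ELF header bytes are constructed for the demo, and the real target would be the NFS-exported home tree.

```sh
#!/bin/sh
# Added example: audit a tree for executable regular files that are not
# interpreter scripts and clear their execute bits. Everything below the
# function definitions (the sample tree, the demo run) is constructed.

# 0 if the file's first two bytes are "#!", i.e. a script naming an interpreter.
is_script() {
    [ "$(head -c 2 -- "$1" 2>/dev/null)" = '#!' ]
}

# Walk $1. For every executable regular file print "keep <path>" if it is a
# script, otherwise print "strip <path>" and clear its execute bits
# (unless DRY_RUN=1). -xdev keeps the walk on one filesystem so a scan of
# the export does not wander into other mounts.
# "-perm /111" is GNU find syntax (findutils 4.2 and later); older releases
# such as the one on SLES9 spell the same test "-perm +111".
strip_binary_exec() {
    find "$1" -xdev -type f -perm /111 -print | while IFS= read -r f; do
        if is_script "$f"; then
            printf 'keep  %s\n' "$f"
        else
            printf 'strip %s\n' "$f"
            [ "${DRY_RUN:-0}" = 1 ] || chmod a-x -- "$f"
        fi
    done
}

# Constructed sample tree: one shell script, one file with the first bytes of
# an ELF header, and one plain text file that carries no execute bits.
make_sample_tree() {
    mkdir -p "$1/bin" "$1/home"
    printf '#!/bin/sh\necho hello\n' > "$1/home/hello.sh"
    printf '\177ELF\002\001\001' > "$1/bin/compiled"
    printf 'just text\n' > "$1/home/notes.txt"
    chmod 755 "$1/home/hello.sh" "$1/bin/compiled"
    chmod 644 "$1/home/notes.txt"
}

# Demo run when executed directly: hello.sh keeps its mode, compiled loses x.
demo=$(mktemp -d)
make_sample_tree "$demo"
strip_binary_exec "$demo"
ls -l "$demo/home/hello.sh" "$demo/bin/compiled"
rm -rf "$demo"
```

Run it with DRY_RUN=1 first to see what it would change. Two limits are worth knowing before relying on it: it only acts after the fact, so a file compiled and run between two scans is not caught, and a script without a #! line is treated as a binary.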

Claudio Cilloni
Honored Contributor

Re: Executable Denial Challenge

It is possible to mount a file system that does not allow execution of any binary file it contains (-o noexec option, see mount man page). Maybe this option can be used even with NFS.

Then the users can run scripts by calling the interpreter directly:

$ /bin/bash

Hope this helps...

Vitaly Karasik_1
Honored Contributor

Re: Executable Denial Challenge

You may just "hide" directories with binaries from users using permissions.

Thomas Bianco
Honored Contributor

Re: Executable Denial Challenge

I think Claudio had it correct; noexec is your friend. I'm going to add that you might want to set that in /etc/exports as an export option, rather than depending on the client to mount it that way.

/misc/export (rw,sync,noexec)

There have been innumerable people who have helped me. Of course, I've managed to piss most of them off.
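
A check to go with the noexec suggestion in Claudio's and Thomas's replies. Two points matter for the original requirement: noexec is a mount(8) option that takes effect on the client that mounts the share, so whether it is in force has to be verified in each client's mount table; and on a noexec mount the Linux kernel refuses execve() for every file there, #! scripts included, so users run scripts as "sh script" (the interpreter only reads the file) rather than "./script". It is also not a boundary against a determined user, who can copy a binary to a mount without the flag. The script below is an added example, not from the thread: it parses a mount table in /proc/mounts format and reports whether the longest matching mount point for a path carries noexec. The SAMPLE_MOUNTS table, the host name "nfsserver" and the export paths in it are constructed for the demo.

```sh
#!/bin/sh
# Added example: on an NFS client, decide whether a path is covered by a
# mount whose options include "noexec". Table format is that of
# /proc/mounts: device, mount point, type, options, ... All names below
# are constructed placeholders.

# A client-side /etc/fstab line of the kind the check expects to find
# (constructed; "nfsserver" and the export path are placeholders):
#   nfsserver:/export/homes  /home  nfs  rw,nosuid,noexec,hard,intr  0 0

SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/sda2 / ext3 rw,relatime 0 0
nfsserver:/export/homes /home nfs rw,nosuid,noexec,hard,intr 0 0
nfsserver:/export/tools /opt/tools nfs rw,hard,intr 0 0'

# noexec_in_effect PATH [TABLE]
# Finds the longest mount point in TABLE (default: the live /proc/mounts)
# that is a path-component prefix of PATH, prints that mount point, and
# returns 0 if its options include noexec, 1 if not, 2 if nothing matched.
# Mount points with spaces are octal-escaped in /proc/mounts; plain paths
# are assumed here.
noexec_in_effect() {
    path=$1
    table=${2:-$(cat /proc/mounts)}
    printf '%s\n' "$table" | awk -v p="$path" '
        {
            mp = $2; opts = $4
            # "/" covers every path; any other mount point must be a
            # path-component prefix of p, not merely a string prefix
            # (so /home does not claim /homes/bob).
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                # >= lets a later mount on the same point shadow an earlier one
                if (length(mp) >= length(best)) { best = mp; bestopts = opts }
            }
        }
        END {
            if (best == "") exit 2
            n = split(bestopts, o, ",")
            found = 0
            for (i = 1; i <= n; i++) if (o[i] == "noexec") found = 1
            print best
            exit found ? 0 : 1
        }'
}

# Demo run against the constructed table.
for p in /home/alice/a.out /opt/tools/x /usr/bin/ls; do
    if mp=$(noexec_in_effect "$p" "$SAMPLE_MOUNTS"); then
        echo "$p: noexec in effect (mount $mp)"
    else
        echo "$p: execute bits honoured (mount ${mp:-none})"
    fi
done
```

Call noexec_in_effect with only the path to test the live system; a script that checks the mounted homes directory this way at login, or from the monitoring system, catches a client that mounted the share without the option.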