Executable Denial Challenge

Michael Williams_6
Trusted Contributor

Executable Denial Challenge

Hello everybody!

I have a challenge for you!!

I am in the middle of a project to replace our aging SCO homes NFS share with a clustered Linux Solution.

All the objectives are complete except one, and I have no idea how to do this!

We have a requirement to deny users executable access for any binary programs on the NFS fileshare, yet allow executable access to viewable shell scripts.

i.e. if a user has a script with #!/bin/[k,ba]sh, then this will be allowed to be executed over the NFS fileshare, however if they have a binary application, this must be denied, even if the file has execute permissions applied.

We're running our NFS Fileshare on a SLES9 server, which has the 2.6 kernel. At present the only thing I can think of is scripting something to identify any executable files that don't contain that line at the top, and changing the permissions, but I'd prefer a solution that simply provides you with permission denied straight away, even if you compile it there and then. Does anyone have any ingenious ways to do this?

Kind Regards,

Mike
3 REPLIES
Claudio Cilloni
Honored Contributor

Re: Executable Denial Challenge

It is possible to mount a file system that does not allow execution of any binary file it contains (-o noexec option, see mount man page). Maybe this option can be used even with NFS.

Then the users can run scripts by calling the interpreter directly:

$ /bin/bash script.sh

Hope this helps...

Ciao
Claudio
Vitaly Karasik_1
Honored Contributor

Re: Executable Denial Challenge

You may just "hide" directories with binaries from users using permissions.
Thomas Bianco
Honored Contributor

Re: Executable Denial Challenge

I think Claudio had it correct; noexec is your friend. I'm going to add that you might want to set that in /etc/exports as an export option, rather than depending on the client to mount it that way.

/misc/export myhost.mynet.org (rw,sync,noexec)
There have been Innumerable people who have helped me. Of course, I've managed to piss most of them off.
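Added example, not written by anyone in this thread: a POSIX shell audit that implements Mike's fallback idea (report, and optionally strip the execute bit from, files on the share that are executable but do not start with `#!`) together with a check that a mount point is actually mounted `noexec`, which is a mount option applied on the client and therefore visible in the client's /proc/mounts. The mount point /mnt/homes and the sample file contents are constructed assumptions.

```shell
#!/bin/sh
# Audit helpers for a home share where only "#!" scripts may be executable.
# Constructed example; /mnt/homes is an assumed NFS mount point.

# List executable regular files under $1 whose first two bytes are not "#!",
# i.e. compiled binaries (or anything else) that carry an execute bit.
find_binary_executables() {
    find "$1" -type f \( -perm -u=x -o -perm -g=x -o -perm -o=x \) -print |
    while IFS= read -r f; do
        magic=$(dd if="$f" bs=2 count=1 2>/dev/null || :)
        [ "$magic" = '#!' ] || printf '%s\n' "$f"
    done
}

# Strip execute bits from everything the audit reports. Dry run unless $2 is
# "apply"; shebang scripts are never touched.
revoke_binary_exec() {
    find_binary_executables "$1" | while IFS= read -r f; do
        if [ "$2" = apply ]; then chmod a-x "$f"; fi
        printf 'revoke: %s\n' "$f"
    done
}

# Succeed if mount point $1 is mounted with noexec. Reads /proc/mounts by
# default; $2 overrides the file so the check can be exercised offline.
# Field 2 is the mount point, field 4 the comma-separated option list.
mounted_noexec() {
    awk -v mp="$1" '
        $2 == mp { n = split($4, opt, ",")
                   for (i = 1; i <= n; i++) if (opt[i] == "noexec") found = 1 }
        END { exit !found }' "${2:-/proc/mounts}"
}

# Example run against the assumed share, only when invoked as "audit [apply]".
if [ "$1" = audit ]; then
    mounted_noexec /mnt/homes || echo "/mnt/homes is NOT mounted noexec"
    revoke_binary_exec /mnt/homes "$2"
fi
```

Run it on the client as `sh audit.sh audit` for a dry run and `sh audit.sh audit apply` to actually revoke the execute bits; the noexec check is the real control, the audit only catches what slipped onto the share before it was in place.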