- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - Linux
- >
- Executable Denial Challenge
Operating System - Linux
1753915
Members
9096
Online
108810
Solutions
Forums
Categories
Company
Local Language
юдл
back
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Forums
Discussions
юдл
back
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Blogs
Information
Community
Resources
Community Language
Language
Forums
Blogs
Topic Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО02-06-2005 10:15 PM
тАО02-06-2005 10:15 PM
Executable Denial Challenge
Hello everybody!
I have a challenge for you!!
I am in the middle of a project to replace our aging SCO homes NFS share with a clustered Linux Solution.
All the objectives are complete except one, and I have no idea how to do this!
We have a requirement to deny users executable access for any binary programs on the NFS fileshare, yet allow executable access to viewable shell scripts.
i.e. if a user has a script with #!/bin/[k,ba]sh, then this will be allowed to be executed over the NFS fileshare, however if they have a binary application, this must be denied, even if the file has execute permissions applied.
We're running our NFS Fileshare on a SLES9 server, which has the 2.6 kernel. At present the only thing I can think of is scripting something to identify any executable files that don't contain that line at the top, and changing the permissions, but I'd prefer a solution that simply provides you with permission denied straight away, even if you compile it there and then. Does anyone have any ingenious ways to do this?
Kind Regards,
Mike
I have a challenge for you!!
I am in the middle of a project to replace our aging SCO homes NFS share with a clustered Linux Solution.
All the objectives are complete except one, and I have no idea how to do this!
We have a requirement to deny users executable access for any binary programs on the NFS fileshare, yet allow executable access to viewable shell scripts.
i.e. if a user has a script with #!/bin/[k,ba]sh, then this will be allowed to be executed over the NFS fileshare, however if they have a binary application, this must be denied, even if the file has execute permissions applied.
We're running our NFS Fileshare on a SLES9 server, which has the 2.6 kernel. At present the only thing I can think of is scripting something to identify any executable files that don't contain that line at the top, and changing the permissions, but I'd prefer a solution that simply provides you with permission denied straight away, even if you compile it there and then. Does anyone have any ingenious ways to do this?
Kind Regards,
Mike
3 REPLIES 3
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО02-06-2005 11:40 PM
тАО02-06-2005 11:40 PM
Re: Executable Denial Challenge
It is possible to mount a file system that does not allow execution of any binary file it contains (-o noexec option, see mount man page). Maybe this option can be used even with NFS.
Then the users can run scripts calling directly the interpreter:
$ /bin/bash script.sh
Hope this helps...
Ciao
Claudio
Then the users can run scripts calling directly the interpreter:
$ /bin/bash script.sh
Hope this helps...
Ciao
Claudio
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО02-06-2005 11:43 PM
тАО02-06-2005 11:43 PM
Re: Executable Denial Challenge
you may just "hide" directories with binaries from users using permissions.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО02-08-2005 01:50 AM
тАО02-08-2005 01:50 AM
Re: Executable Denial Challenge
i think claudio had it correct, noexec is your friend. i'm going to add that you might want to set that in /etc/exports as an export option, rather then depending on the client to mount it that way.
/misc/export myhost.mynet.org (rw,sync,noexec)
/misc/export myhost.mynet.org (rw,sync,noexec)
There have been Innumerable people who have helped me. Of course, I've managed to piss most of them off.
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.
News and Events
Support
© Copyright 2024 Hewlett Packard Enterprise Development LP