Re: Mount parameters

Well, to be honest, the next thing to learn in my plan was "how to set
interpreters' AppArmor profiles to prevent unwanted script execution
from home and removable volumes" ;)
I'm told that you can do that, so, even if I see some difficulty (bash
will always need to read .bashrc and so on) I'm willing to try (I've
done something similar with browsers and it made me learn a lot).
Otherwise I'm bound to try SELinux.

PS: do you know how to set the PAM profile to use some parameters?


2014-10-03 1:25 GMT+02:00 Michael Chang <thenewme91@xxxxxxxxx>:
> Hmm... that doesn't prevent executing commands of the form "wget
> '$URL' | /bin/bash" which are increasingly common.
>
> You could also set umask to prevent new files from having the execute
> bit set, but with shell and script interpreters (bash, python, etc.)
> I'm not sure how fruitful that will be.
>
> On Thu, Oct 2, 2014 at 4:21 PM, Wilson <wilson.ubuntu@xxxxxxxxx> wrote:
>> Thanks for the immediate answer.
>>
>> My present goal is just to prevent automated or accidental execution
>> of treacherous downloads while letting users execute their own code
>> if they really want (next step will be to give permission to mount FS
>> to some users and not others), so the noexec parameter seemed the
>> obvious way to do it (and for users with an unencrypted home it works
>> fine).
>>
>>
>> I'm using the standard "use a crypted home" by Ubuntu, so as far as I
>> know I'm using the PAM module, I'm just unable to find out where to
>> look to configure it (either globally or for a single user).
>>
>> I've the feeling that I'm missing something obvious, but I can't find it.
>>
>> Wilson
>>
>> 2014-10-03 0:56 GMT+02:00 Michael Chang <thenewme91@xxxxxxxxx>:
>>> My gut feeling is you really want AppArmor or SELinux to restrict
>>> execution, since users can just mount new filesystems wherever with
>>> exec set (especially on a Desktop configuration with e.g. GNOME
>>> installed).
>>>
>>> However, ecryptfs takes the "noexec" parameter at mount time, just
>>> like most FUSE filesystems. You can test this by mounting it from the
>>> command line and passing it as an option. Where you would set that so
>>> that it always takes effect depends on how you're mounting the
>>> directories...
>>>
>>> Michael Chang
>>>
>>>> On Thu, Oct 2, 2014 at 3:41 PM, Wilson <wilson.ubuntu@xxxxxxxxx> wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> is it possible to mount an ecryptfs home directory with mount
>>>>> parameters such as noexec?
>>>>>
>>>>> I'm trying to build a hardened Ubuntu install (it's just a hobby for
>>>>> learning something, nothing professional) and I'm stuck trying to
>>>>> prevent execution from home even for users with cyphered home.
>>>>>
>>>>> I'm mounting the whole /home with noexec in fstab, but cyphered homes
>>>>> are obviously unaffected and I'm unable to find a way to tell
>>>>> ecryptfs to do so, can it be done?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Wilson
>>>>> --
>>>>> To unsubscribe from this list: send the line "unsubscribe ecryptfs" in
>>>>> the body of a message to majordomo@xxxxxxxxxxxxxxx
>>>>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>
>
>
> --
> Michael Chang
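
An added example, not part of the thread: a POSIX shell check that reads mount entries in /proc/mounts format and lists the mounts at or below a directory that lack noexec, which is the situation described above where /home is mounted noexec but the ecryptfs home mounted over it is not. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: report mounts at or below a directory that lack "noexec".
# Input (stdin) uses the /proc/mounts layout:
#   device mountpoint fstype options dump pass

# missing_noexec [PREFIX]  -- prints "mountpoint fstype" per offending mount
missing_noexec() (
    prefix=${1:-/home}
    while read -r dev mnt fstype opts rest; do
        # Keep only the prefix itself and paths below it (not /homework)
        case "$mnt" in
            "$prefix"|"$prefix"/*) ;;
            *) continue ;;
        esac
        # Match noexec as a whole option, not as a substring of another one
        case ",$opts," in
            *,noexec,*) ;;
            *) printf '%s %s\n' "$mnt" "$fstype" ;;
        esac
    done
)

# Constructed sample: /home is noexec, alice's ecryptfs home mounted on top
# of it is not, bob's is, and a removable volume is mounted without noexec.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda3 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
/home/.ecryptfs/alice/.Private /home/alice ecryptfs rw,nosuid,nodev,relatime,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 0 0
/home/.ecryptfs/bob/.Private /home/bob ecryptfs rw,nosuid,nodev,noexec,relatime,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 0 0
/dev/sdb1 /media/usb vfat rw,nosuid,nodev 0 0
EOF
}

# Demo on the constructed sample
sample_mounts | missing_noexec /home
```

On a live system, run `missing_noexec /home < /proc/mounts` after the users have logged in, since the ecryptfs mounts only exist while the home is unlocked.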