Re: $HOME/.local/bin in $PATH

On 10/29/2013 09:03 PM, Chris Adams wrote:
> Once upon a time, Reindl Harald <h.reindl@xxxxxxxxxxxxx> said:
>> [root@srv-rhsoft:~]$ mkdir test
>> i could rm -rf ~/ here
>> 
>> [root@srv-rhsoft:~]$ cat /usr/local/bin/mkdir
>> #!/bin/bash
>> echo "i could rm -rf ~/ here"
> 
> If I can write to files you own, it doesn't matter if there's a directory
> in the PATH or not.  I can write this to your .bash_profile:
> 
> /bin/mkdir $HOME/.bin 2> /dev/null
> echo 'echo "i could rm -rf ~/ here"' > $HOME/.bin/mkdir
> chmod +x $HOME/.bin/mkdir
> PATH=$HOME/.bin:$PATH
> 
> Sure, it might not take effect immediately, but that's probably not the 
> point (I can't depend on you running "mkdir" in a shell at any particular
> point in time anyway).  You wouldn't gain anything security-wise by
> excluding a user-writable directory in PATH.
> 
> In fact, having a "known" ~/.local/bin could allow for a more restrictive
> SELinux policy on that directory that doesn't let arbitrary programs
> running as the user write there (don't know if that is the case though).
> 
 matchpathcon /home/dwalsh/bin /home/dwalsh/.local/bin
/home/dwalsh/bin	staff_u:object_r:home_bin_t:s0
/home/dwalsh/.local/bin	staff_u:object_r:home_bin_t:s0


We are doing this in some form, although more along the lines that the only
files in the user's homedir that are allowed to execute are in the home_bin_t
directory.

We do try to block confined apps from writing to user_home_t which is most
files in ~ and also home_bin_t.

The only reference to home_bin_t on the target right now is the following.

 sesearch -A -t home_bin_t -c file | grep home_bin_t
   allow postfix_local_t home_bin_t : file { ioctl read getattr execute execute_no_trans open } ;
   allow procmail_t home_bin_t : file { ioctl read getattr execute execute_no_trans open } ;

Of course lots of user domains and unconfined domains are allowed to write to
home_bin_t.
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
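
An added example, not part of the original message or of any Fedora tooling: a POSIX shell check for the situation the quoted examples construct, where an executable in a PATH directory the current user can write to shadows a same-named command in a later PATH directory. The function names `path_shadows` and `first_in_path` are made up for this example.

```shell
#!/bin/sh
# Added example. Usage: path_shadows "$PATH"
# Note: when run as root, every directory counts as writable.

# first_in_path NAME PATHSTRING
# Print the first executable regular file called NAME found in PATHSTRING.
first_in_path() {
    fp_rest=$2
    while [ -n "$fp_rest" ]; do
        fp_dir=${fp_rest%%:*}
        case $fp_rest in
            *:*) fp_rest=${fp_rest#*:} ;;
            *)   fp_rest="" ;;
        esac
        if [ -n "$fp_dir" ] && [ -f "$fp_dir/$1" ] && [ -x "$fp_dir/$1" ]; then
            printf '%s\n' "$fp_dir/$1"
            return 0
        fi
    done
    return 1
}

# path_shadows PATHSTRING
# For every directory in PATHSTRING that the current user can write to,
# print "<file> shadows <later file>" for each executable that hides a
# same-named command found in a later directory of PATHSTRING.
path_shadows() {
    rest=$1
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        case $rest in
            *:*) rest=${rest#*:} ;;
            *)   rest="" ;;
        esac
        # Only writable directories are of interest; skip empty entries.
        [ -n "$dir" ] && [ -d "$dir" ] && [ -w "$dir" ] || continue
        for f in "$dir"/*; do
            [ -f "$f" ] && [ -x "$f" ] || continue
            name=${f##*/}
            # $rest now holds only the directories searched after $dir.
            later=$(first_in_path "$name" "$rest") || continue
            # A directory listed twice in PATH is not a shadow of itself.
            [ "$later" = "$f" ] && continue
            printf '%s shadows %s\n' "$f" "$later"
        done
    done
    return 0
}
```

A finding only says that the earlier file wins name lookup; whether a given domain may execute it is decided by the SELinux rules shown in the message.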