* Thomas Bleher <bleher@xxxxxxxxxxxxxxxxxxxxxxxxxx> [2006-05-12 20:22]:
> * Martin Ebourne <lists@xxxxxxxxxxxxx> [2006-05-12 17:19]:
> > On Fri, 2006-05-12 at 15:46 +0200, Marten Lehmann wrote:
> > > > If the quota limits need to be as strict as your first message indicates, then
> > > > I'm surprised you haven't already had /tmp/ on a separate filesystem, with
> > > > separate quotas set. Additionally, I always split off /tmp/ so *if* it
> > > > fills, it doesn't "damage" my root filesystem.
> > >
> > > Actually, /home is not part of the root partition and /tmp could be a
> > > symlink to /home/tmp so both can use the same quota definitions. But how
> > > can I set up a system-wide policy that disallows executing files from
> > > /tmp or /home/tmp?
> >
> > That sounds like a very hard way of doing things. And difficult to prove
> > correct too.
> >
> > How about:
> >
> > mkdir /home/tmp
> > mount -o bind,noexec,nosuid /home/tmp /tmp
>
> I don't think this will work. I just tried to do it and I could still
> execute files in the mounted dir. I thought that per-mountpoint noexec
> flags were in the kernel, but I can't find any definitive information on
> it and fs/namespace.c is not the best information source either. (Anyone
> know why this doesn't work? It would be really neat.)

Umm, this mailing list post explains it:
http://www.cs.helsinki.fi/linux/linux-kernel/2001-41/0082.html
(plus followup from Al Viro). Mount seems really broken in this regard as
it reports the noexec flags in /etc/mtab.

> The other issue here is that the user still can execute files through
> /home/tmp. So you should --move the dir instead of bind-mounting it.

There's another issue here: You can't mount --move a directory that is
not a mountpoint. So if you want to guard against people accessing
/home/tmp directly, either move it to /home/secure/tmp and bind-mount it
from there (where /home/secure is mode 0000), or bind mount /home/tmp
over itself.

That means a fully working solution looks something like this:

$ mount --bind /home/tmp/ /home/tmp/
$ mount -o remount,noexec /home/tmp/
$ mount --bind /home/tmp/ /tmp/

Lesson learnt here: Test to see if you actually protect against your threats.

Thomas
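The three-command sequence and the closing lesson, as an added shell example that is not part of the original message: it scripts the mounts and then checks the result the way the message advises, by reading the kernel's own view in /proc/self/mountinfo and by trying to run a file from /tmp, instead of trusting /etc/mtab. It assumes /home/tmp already exists and that setup runs as root; the mountinfo sample lines are constructed for the offline check.

```shell
#!/bin/sh
# Added example (not from the thread). Verifies a noexec /tmp built from a
# bind mount of /home/tmp over itself, as described in the message above.

# has_noexec MOUNTPOINT [MOUNTINFO_FILE]
# Succeeds if the last mountinfo entry for MOUNTPOINT carries noexec.
# Field 5 is the mount point, field 6 the per-mount options; a later entry
# for the same path (remount, stacked bind) supersedes an earlier one.
has_noexec() {
    mp=$1
    info=${2:-/proc/self/mountinfo}
    opts=$(awk -v mp="$mp" '$5 == mp { last = $6 } END { print last }' "$info")
    [ -n "$opts" ] || return 1
    case ",$opts," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# exec_blocked DIR: copy a harmless binary into DIR and confirm it cannot run.
# This is the functional check the message's lesson calls for.
exec_blocked() {
    f="$1/noexec-probe.$$"
    cp /bin/true "$f" && chmod 755 "$f"
    if "$f" 2>/dev/null; then rm -f "$f"; return 1; fi
    rm -f "$f"
    return 0
}

# setup_private_tmp: the sequence from the message (requires root).
setup_private_tmp() {
    mount --bind /home/tmp /home/tmp &&
    mount -o remount,noexec /home/tmp &&
    mount --bind /home/tmp /tmp
}

# Constructed mountinfo lines standing in for a system after the setup
# above, so has_noexec can be exercised without root.
sample_mountinfo() {
    cat <<'EOF'
24 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
40 24 8:2 / /home rw,relatime shared:2 - ext4 /dev/sda2 rw,usrquota
55 40 8:2 /tmp /home/tmp rw,noexec,relatime shared:2 - ext4 /dev/sda2 rw,usrquota
56 24 8:2 /tmp /tmp rw,noexec,relatime shared:2 - ext4 /dev/sda2 rw,usrquota
EOF
}

# As root, apply and verify both ways:
#   setup_private_tmp && has_noexec /tmp && exec_blocked /tmp && echo "/tmp is noexec"
```

Note that has_noexec reads the kernel's mount table, so it reports what is actually enforced, which is exactly where the thread found /etc/mtab misleading.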
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list