On October 17, 2018 10:00:53 AM GMT+03:00, Thomas Mueller <thomas@xxxxxxxxxxxxxx> wrote: > > >On 10/16/2018 11:15 AM, Sheogorath wrote: >> Hi, >> >> it's mostly a question out of curiosity but maybe useful for some >people. >> >> I wonder if there is a way to prevent a direct piping from curl to >bash >> using SELinux. >> >> And of course one can download a file and then run bash on it, but a >> simple rule that prevents direct piping would at least give a heads >up >> about it. > >sounds not like something I would implement. And you don't give much >context to your situation. > >What do you like to prevent? Stop users with root-shells to execut >arbitary shell scripts obtained by curl? It's a common idiocy we (sysadmins) face in the web world: programmers need "something" and find a tutorial which instructs them to download some bundle which self-installs via the infamous mantra under discussion in this thread. Obviously preceded by a sudo (because why not ?) Wolfy _______________________________________________ selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
