
Re: [suse-security] Execute a SSH command



Carlos,

Carlos E. R. wrote:
> The Thursday 2004-06-24 at 17:33 +0200, Ingo Börnig wrote:
>
>> How do take care that the command cannot be executed by another user?
>
> By chowning it to that user, for example, and giving it exec permission to owner only (u,x,g-x,o-x). Of course, root would still be able to run it.

That will not be sufficient, you have also to remove read permission for
all other users from that file, too:

iboernig@sauron:~/bin> ls -l ./pwd
-rw-r--r--    1 iboernig users       12436 2004-06-30 14:10 ./pwd
iboernig@sauron:~/bin> ./pwd
bash: ./pwd: Permission denied
iboernig@sauron:~/bin> /lib/ld-linux.so.2 ./pwd
/home/iboernig/bin

Better use a chroot environment for this!

> You could install it in /home/user/bin, for example, so that root would not accidentally run it. He could still run it intentionally, though.

> Perhaps with acl - dunno about that.

POSIX ACLs only give additional permissions, root is still almighty!
There will be no way to prevent root from executing any command.

Cheers,

--
Ingo Börnig <ingo at boernig.de>        /"\
                                         \ /    ASCII Ribbon Campaign
ask for phone or snail mail              X      against HTML email
                                         / \
GPG-Fingerprint: 2F8B DDFB F2A8 155A 206D  2969 F8FB 3C63 2033 BF32

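The check this message argues for, written as an audit an administrator can run on a program meant for one user only. This is an added example, not part of the original post; `audit_owner_only` and `lock_down` are hypothetical helper names, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example, not from the original post. audit_owner_only and
# lock_down are hypothetical helper names; GNU stat (-c %a) is assumed.

# Report every group/other bit that still lets someone else run FILE:
# x runs it directly; r lets it be copied or handed to the dynamic
# loader, as the transcript above shows. Returns 0 if clean, 1 if not.
audit_owner_only() {
    file=$1
    [ -f "$file" ] || { echo "not a regular file: $file" >&2; return 2; }
    mode=$(stat -c %a "$file") || return 2
    m=$((0$mode))                      # read the digits as octal
    rc=0
    for class in group other; do
        case $class in
            group) r=040 x=010 ;;
            other) r=004 x=001 ;;
        esac
        if [ $((m & $r)) -ne 0 ]; then
            echo "$file: $class has read (mode $mode)"
            rc=1
        fi
        if [ $((m & $x)) -ne 0 ]; then
            echo "$file: $class has execute (mode $mode)"
            rc=1
        fi
    done
    return $rc
}

# Keep the owner's bits and clear everything for group and others.
lock_down() {
    chmod go= "$1"
}

# Constructed demo: a scratch file with the -rw-r--r-- mode from the post.
demo=$(mktemp)
chmod 644 "$demo"
audit_owner_only "$demo" || true       # reports group and other read
chmod u+x "$demo" && lock_down "$demo"
audit_owner_only "$demo" && echo "$demo: owner-only"
rm -f "$demo"
```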