From owner-freebsd-questions@FreeBSD.ORG Tue Jan 13 04:43:17 2004
Date: Tue, 13 Jan 2004 12:43:09 +0000
From: Matthew Seaman
To: Jefferson San Juan
Cc: freebsd-questions@freebsd.org
Subject: Re: binary execute restrictions
Message-ID: <20040113124309.GD23956@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <000d01c3d980$5521b6e0$5858269e@JANELLE>
List-Id: User questions (freebsd-questions@freebsd.org)
User-Agent: Mutt/1.5.5.1i
On Tue, Jan 13, 2004 at 03:52:49AM +0100, Jefferson San Juan wrote:
> How do I restrict normal users from executing their own compiled executable
> binary files?
> I use FreeBSD 4.9.

This is actually a very difficult problem: FreeBSD is designed to let
people run executables, not to stop them doing that...

Put all of the user home directories on a separate partition which you
mount with the noexec flag. Make sure that the users have no write
access to anywhere outside their home directories. This includes the
various world-writable temporary directories /tmp, /var/tmp, etc.

However, not permitting users to write files in /tmp or /var/tmp will
lead to much wailing and gnashing of teeth, because a lot of
applications are going to break. Investigate setting the TMPDIR
environment variable either from /etc/login.conf or else from
/etc/csh.login (for tcsh(1) users) or /etc/profile (for bash(1) or
sh(1) users) to ameliorate that. If you set TMPDIR=${HOME}/tmp each
user can have their own private temporary area under their home
directory. Note however that this only has an advisory effect: not all
applications will obey $TMPDIR.

You can mount the shared temporary directories noexec -- which will
work exceedingly well 99.9% of the time. Investigate mounting /tmp as
a memory filesystem -- see mount_mfs(8) -- as a good way to do that.
Symlink other shared temporary areas to your memory filesystem if you
don't want to have more than one.

Nb. One occasion where doing this will definitely cause problems is
when you are updating your system by 'make installworld' -- however
that is a sufficiently uncommon event that you can feasibly do a
temporary remount of /tmp without noexec in that case.

Even so, a determined user could probably still work out ways to get
an executable executed, but they'd have to put some effort into
working out how.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks, Savill Way, Marlow, Bucks., SL7 1TH UK
PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614
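The layout the reply describes (home directories and /tmp as their own filesystems mounted noexec, other shared temporary areas symlinked into the noexec memory filesystem) is easy to get subtly wrong: a directory that is not a separate mount silently inherits its parent's options, so adding noexec to /var does nothing for /var/tmp unless /var itself is noexec. The following audit script is an added example, not code from the message or from FreeBSD; it parses an fstab(5)-style table and reports every user-writable location that is either not its own filesystem or is mounted without noexec. The device names, the mfs option spelling and the list of directories checked are assumptions, and the fstab text is constructed for the example.

```shell
#!/bin/sh
# Added example (not from Matthew Seaman's reply): audit an fstab(5)-style
# table for the layout the reply recommends. Every filesystem that
# unprivileged users can write to must be a separate mount carrying
# noexec; a directory without its own entry inherits the options of the
# filesystem containing it, so it has to be symlinked into the noexec
# memory filesystem (as the reply suggests for extra temp areas) or given
# its own entry. Device names, sizes and the mfs option spelling are
# assumptions, not taken from the message.

# Constructed sample fstab: /home and an mfs /tmp are noexec, /var is a
# plain rw filesystem, and /var/tmp has no entry of its own.
SAMPLE_FSTAB='# Device     Mountpoint  FStype  Options                 Dump  Pass
/dev/ad0s1a  /           ufs     rw                      1     1
/dev/ad0s1e  /home       ufs     rw,noexec,nosuid        2     2
/dev/ad0s1f  /var        ufs     rw                      2     2
md           /tmp        mfs     rw,noexec,nosuid,-s=64m 0     0'

# mount_options FSTAB MOUNTPOINT
# Prints the option field of the fstab line whose mountpoint is exactly
# MOUNTPOINT; prints nothing when the directory is not a separate filesystem.
mount_options() {
    printf '%s\n' "$1" | awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $4 }'
}

# has_option OPTIONS NAME
# True when the comma-separated OPTIONS string contains NAME as a whole item.
has_option() {
    printf '%s' "$1" | tr ',' '\n' | grep -qx "$2"
}

# check_noexec FSTAB DIR...
# Reports each DIR into which users could still drop and run executables:
# either it is not a separate filesystem (so noexec cannot apply to it on
# its own) or its mount lacks the noexec option. Returns 0 only when every
# DIR is a noexec mount.
check_noexec() {
    fstab="$1"; shift
    rc=0
    for dir in "$@"; do
        opts=$(mount_options "$fstab" "$dir")
        if [ -z "$opts" ]; then
            echo "$dir: not a separate filesystem; symlink it into a noexec mount or give it its own entry"
            rc=1
        elif ! has_option "$opts" noexec; then
            echo "$dir: mounted without noexec ($opts)"
            rc=1
        else
            echo "$dir: ok ($opts)"
        fi
    done
    return $rc
}

# Run the audit over the user-writable locations named in the reply.
check_noexec "$SAMPLE_FSTAB" /home /tmp /var/tmp || echo "audit: executable drop points remain"
```

Against the sample table the script passes /home and /tmp and flags /var/tmp, which is exactly the case the reply covers by symlinking the extra temporary area into the memory filesystem. Feed it the real /etc/fstab (`check_noexec "$(cat /etc/fstab)" /home /tmp /var/tmp`) after making the changes, and remember the reply's caveat that the result is advisory: it only tells you what the mount options are, not whether a user has found another writable, executable location.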