You are not logged in.
Hi,
As even Windows now gets along with default deny (ref), it's time for me to realize the same on Linux. But it's harder than I imagined...
What I want: A whitelist with applications (including a hash) which are allowed to be executed on my system. Everything else should fail.
Unfortunately this means for instance that I cannot build software (the average configure script creates quite some executables), so it won't work well.
What do you suggest? Setting up SELinux is very hard. . How would you go on about realizing execution prevention?
Offline
If, as I assume, you're talking about services from the Internet, check out /etc/hosts.deny.
If you're talking about fine-grained control over what applications users are allowed to use, read up on UNIX permissions.
Offline
I guess my question is posed very badly, I'm sorry.
What I want is more of a partition mounted with noexec, but I want to specify some exceptions to that. That is unless I explicitly allow something to be executed, there should be no way for it to be executable. Using Unix permission has the big minus of being changeable - even for read-only files, unless it's a file of a different owner.
SElinux is interesting because it allows to specify the scope of access, but I would need at least a week to properly set it up.
Offline
Not the solution to your problem, but 'immutable' attibute can prevent even the file owner from changing permissions. See man chattr.
Offline
Thanks for the hint, briest. (Although this only works for ext2+, if I'm not mistaken).
I guess I'll have a look at mounting read-only except for a partition for data mounted no-exec.
Offline