
#1 2009-01-18 09:17:25

wuischke
Member
From: Suisse Romande
Registered: 2007-01-06
Posts: 630

How to realize execution prevention?

Hi,

As even Windows now gets along with default deny (ref), it's time for me to realize the same on Linux. But it's harder than I imagined...

What I want: A whitelist with applications (including a hash) which are allowed to be executed on my system. Everything else should fail.

Unfortunately this means for instance that I cannot build software (the average configure script creates quite some executables), so it won't work well.

What do you suggest? Setting up SELinux is very hard. sad. How would you go about realizing execution prevention?

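The allowlist the first post describes (a list of permitted applications, each with a hash) can at least be audited from user space, even though enforcing it needs kernel-side help such as SELinux or a noexec mount as discussed later in the thread. The following is an added example, not code from the original thread or from any poster: it reads an allowlist in the same `sha256sum`-style format (`<hex digest>  <absolute path>`), walks a directory tree, and classifies every file that has an execute bit as `ok` (listed, hash matches), `modified` (listed, hash differs) or `unlisted`. The `demo()` function builds a constructed scenario in a temporary directory; the file names and contents there are invented for the example.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def load_allowlist(text):
    """Parse 'sha256  /abs/path' lines (sha256sum output format) into {path: digest}.

    Blank lines and '#' comments are ignored; digests are normalised to lowercase.
    """
    allow = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, path = line.partition("  ")
        allow[path] = digest.lower()
    return allow


def audit_executables(root, allowlist):
    """Return {path: verdict} for every regular file under root with an execute bit.

    Verdicts: 'ok' (listed and hash matches), 'modified' (listed but hash differs),
    'unlisted' (not in the allowlist at all). Symlinks are skipped via lstat.
    """
    verdicts = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & 0o111:
                continue
            expected = allowlist.get(p)
            if expected is None:
                verdicts[p] = "unlisted"
            elif sha256_of(p) == expected:
                verdicts[p] = "ok"
            else:
                verdicts[p] = "modified"
    return verdicts


def demo():
    """Constructed scenario: one allowed script, one tampered after listing, one stranger.

    Returns verdicts keyed by basename so the result is independent of the temp path.
    """
    root = tempfile.mkdtemp()  # absolute path, so allowlist keys match os.walk output

    def make(name, content):
        p = os.path.join(root, name)
        Path(p).write_bytes(content)
        os.chmod(p, 0o755)  # executable, so the audit looks at it
        return p

    good = make("good.sh", b"#!/bin/sh\necho good\n")
    tampered = make("tampered.sh", b"#!/bin/sh\necho original\n")
    make("stranger.sh", b"#!/bin/sh\necho stranger\n")  # never added to the list

    # Build the allowlist from the files as they were when approved...
    allow_text = f"{sha256_of(good)}  {good}\n{sha256_of(tampered)}  {tampered}\n"
    # ...then change one of them, as a replaced binary would.
    Path(tampered).write_bytes(b"#!/bin/sh\necho modified\n")

    verdicts = audit_executables(root, load_allowlist(allow_text))
    return {os.path.basename(k): v for k, v in verdicts.items()}


if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{verdict:9} {name}")
```

Run periodically (or from an integrity-check cron job) this catches unlisted or replaced executables after the fact; it does not stop them from running, which is the part of the original question that only a kernel-side mechanism can answer.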

#2 2009-01-19 18:24:58

escondida
Package Maintainer (PM)
Registered: 2008-04-03
Posts: 157

Re: How to realize execution prevention?

If, as I assume, you're talking about services from the Internet, check out /etc/hosts.deny.

If you're talking about fine-grained control over what applications users are allowed to use, read up on UNIX permissions.


#3 2009-01-19 23:37:58

wuischke
Member
From: Suisse Romande
Registered: 2007-01-06
Posts: 630

Re: How to realize execution prevention?

I guess my question is posed very badly, I'm sorry.

What I want is more of a partition mounted with noexec, but I want to specify some exceptions to that. That is, unless I explicitly allow something to be executed, there should be no way for it to be executable. Using Unix permissions has the big minus of being changeable - even for read-only files, unless it's a file of a different owner.

SELinux is interesting because it allows specifying the scope of access, but I would need at least a week to properly set it up.


#4 2009-01-20 20:36:08

briest
Member
From: Katowice, PL
Registered: 2006-05-04
Posts: 468

Re: How to realize execution prevention?

Not the solution to your problem, but the 'immutable' attribute can prevent even the file owner from changing permissions. See man chattr.


#5 2009-01-21 21:15:38

wuischke
Member
From: Suisse Romande
Registered: 2007-01-06
Posts: 630

Re: How to realize execution prevention?

Thanks for the hint, briest. (Although this only works for ext2+, if I'm not mistaken).

I guess I'll have a look at mounting read-only except for a partition for data mounted no-exec.

