[BBLISA] Re: SELinux

Scott Ehrlich scott at MIT.EDU
Thu Jan 24 19:17:18 EST 2008


On Thu, 24 Jan 2008, Tom Metro wrote:

> Daniel Hagerty wrote:
>>     Scott's real issue is that the exec*() system calls will happily
>> execute things in situations he doesn't consider safe.  If you try to
>> fix it somewhere else, you might reduce the problem footprint, but
>> there will still be plenty of situations where user B can impersonate
>> user A because of a mistake rooted in A's cron usage.
>>
>>     Maybe SE-Linux has some story for this.
>
> Scott has mentioned elsewhere that mounting the file system with noexec was
> acceptable, but if that was not the case, I think SELinux[1]
> or the equivalent would be the way to address this.

If I dare comment again about this -

Considering the balance of changing crontab's source code vs noexec, 
noexec seems the more reasonable approach of the two.  Not the best 
solution, but weighing the two options, possibly the most practical at 
this point.

Scott


>
> 1. http://en.wikipedia.org/wiki/Selinux
>
> -Tom
>
> -- 
> Tom Metro
> Venture Logic, Newton, MA, USA
> "Enterprise solutions through open source."
> Professional Profile: http://tmetro.venturelogic.com/
>
> _______________________________________________
> bblisa mailing list
> bblisa at bblisa.org
> http://www.bblisa.org/mailman/listinfo/bblisa
>



