Date:      Sat, 7 Mar 2009 17:25:44 +0000 (GMT)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        Paige Thompson <erratic@devel.ws>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Trusted Path Execution
Message-ID:  <alpine.BSF.2.00.0903071720250.1340@fledge.watson.org>
In-Reply-To: <5061b39c0903012023hf4a3ccbw886760bdd795f71c@mail.gmail.com>
References:  <5061b39c0903012023hf4a3ccbw886760bdd795f71c@mail.gmail.com>

On Sun, 1 Mar 2009, Paige Thompson wrote:

> I would like to know that there is or is not a way to prevent users from 
> executing binaries that are not owned by root or that the user is in a 
> particular group. Is this something I can achieve with TrustedBSD's MAC 
> framework?

Hi Paige--

The ugidfw(8) file system firewall, and mac_bsdextended(4) kernel module it 
depends on, can be used to limit what binaries can be executed.  However, be 
aware that this may not affect memory mapping of shared libraries on platforms 
where there are not separate read/execute bits, such as on i386.  You may want 
to combine this with the noexec flag, which our runtime linker is aware of and 
assists in enforcing for shared libraries.

Robert N M Watson
Computer Laboratory
University of Cambridge
