biergaizi n00b
Joined: 18 Dec 2011 Posts: 45 Location: Beijing, China
Posted: Wed Aug 19, 2015 1:30 pm Post subject: Is there A Reliable Way to Restrict the Use of the Compiler?
Gentoo works well on web servers, especially as it provides PaX/grsecurity protection against more attacks.
But I wonder if there is a way to restrict the use of compilers. I'm not going to remove the compiler from the system (a.k.a. destroy Portage), but I just want users from a trusted group to use it. On a multi-user shared public server, it's best to disallow untrusted users from using the compiler. I know, I can set the group of the compilers to "compilers", and set the permissions to 660. But since Gentoo uses a general way (gcc-config), it generates a lot of wrappers and modifies $PATH, so it is difficult for me to figure out what exactly I should do.
Does anyone have some tricks and tips for me?
_________________
Keep It Simple, stupid.
Apheus Guru
Joined: 12 Jul 2008 Posts: 422
Posted: Wed Aug 19, 2015 1:43 pm Post subject:
Can you use noexec /home mount and Trusted Path Execution instead? This does not restrict the compiler, but users will not be able to run their compiled programs. TPE is a section in the hardened kernel's setup.
biergaizi n00b
Joined: 18 Dec 2011 Posts: 45 Location: Beijing, China
Posted: Wed Aug 19, 2015 4:31 pm Post subject:
Apheus wrote:
    Can you use noexec /home mount and Trusted Path Execution instead? This does not restrict the compiler, but users will not be able to run their compiled programs. TPE is a section in the hardened kernel's setup.
This system is used as a platform to do some light development for some users, NoExec the whole /home is too aggressive...
But thanks for the idea, a carefully configured TPE may be a solution.
_________________
Keep It Simple, stupid.
szatox Advocate
Joined: 27 Aug 2013 Posts: 3137
Posted: Wed Aug 19, 2015 8:32 pm Post subject:
Quote:
    This system is used as a platform to do some light development for some users, NoExec the whole /home is too aggressive...
    But thanks for the idea, a carefully configured TPE may be a solution.
You could use e.g. /opt/bin as a location for user-developed binaries.
You would often see a directory like /home/user/bin/ anyway, so it can be a symlink to that /opt/bin restricted to only be usable by developers.
Or you could do that in a more enterprisy way: build a farm of single-purpose VMs. Isolate unrelated things from each other. Keep developers out of web servers, give them one for their exclusive use instead.
Hu Moderator
Joined: 06 Mar 2007 Posts: 21635
Posted: Thu Aug 20, 2015 1:24 am Post subject:
Bind mounts have their own value for exec/noexec and for ro/rw. You could run the untrusted software in a mount namespace where every mount is at least one of ro or noexec. Place the users in a mount namespace where they have a writable exec directory for their test work. You could even arrange for the untrusted namespace to have unnecessary directories shadowed out with empty ones. For example, bind mount /var/empty onto /usr/x86_64-pc-linux-gnu/gcc-bin.
Back to top |
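The namespace layout Hu describes, written out as an added example that is not code from the thread: a script that starts an untrusted user's shell in a private mount namespace (gcc-bin shadowed by /var/empty, /home noexec, one writable and executable scratch mount) and an audit function that checks the stated invariant, that every remaining mount is ro or noexec. The /srv/sandbox path and the per-user "work" directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). The gcc-bin path is the one Hu
# names; /srv/sandbox and the per-user "work" directory are assumptions.

GCC_BIN=/usr/x86_64-pc-linux-gnu/gcc-bin   # compiler wrappers to shadow
SANDBOX_ROOT=/srv/sandbox                   # assumed: per-user exec scratch dirs

# Start a login shell for an untrusted user in a private mount namespace.
# Needs root. Inside the namespace the compiler directory is shadowed by
# the empty directory, /home is bind-remounted noexec, and one extra bind
# mount gives the user a directory that stays writable and executable.
# Bind mounts carry their own exec/noexec flag, so the scratch mount is
# not affected by the noexec on /home beneath it.
start_restricted_shell() {
    unshare -m /bin/sh -c '
        set -e
        user=$1; gcc_bin=$2; sandbox=$3
        mount --make-rprivate /                  # keep changes in this namespace
        mount --bind /var/empty "$gcc_bin"       # shadow gcc-bin with an empty dir
        mount --bind /home /home
        mount -o remount,bind,noexec /home       # flag applies to this mount only
        mkdir -p "/home/$user/work"
        mount --bind "$sandbox/$user" "/home/$user/work"
        exec su -s /bin/sh - "$user"
    ' sh "$1" "$GCC_BIN" "$SANDBOX_ROOT"
}

# Audit a mount table in /proc/self/mounts format: print every mount point
# that is neither read-only nor noexec. Run on /proc/self/mounts inside the
# namespace; the only lines printed should be the intended scratch dirs.
audit_mounts() {
    awk '{
        n = split($4, opt, ",")
        ro = 0; noexec = 0
        for (i = 1; i <= n; i++) {
            if (opt[i] == "ro") ro = 1
            if (opt[i] == "noexec") noexec = 1
        }
        if (!ro && !noexec) print $2
    }' "$1"
}
```

Run `audit_mounts /proc/self/mounts` from inside the restricted namespace after login; any mount point it prints other than the scratch directory is a gap in the setup.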