Gentoo Forums
Is there A Reliable Way to Restrict the Use of the Compiler?
biergaizi
n00b
Joined: 18 Dec 2011
Posts: 45
Location: Beijing, China

PostPosted: Wed Aug 19, 2015 1:30 pm    Post subject: Is there A Reliable Way to Restrict the Use of the Compiler?

Gentoo works well on webservers, especially since it provides PaX/grsecurity protection against more attacks.

But I wonder if there is a way to restrict the use of compilers. I'm not going to remove the compiler from the system (a.k.a. destroy Portage), but I just want users from a trusted group to be able to use it. On a multi-user shared public server, it's best to disallow untrusted users from using the compiler. I know I can set the group of the compilers to "compilers" and set the permissions to 660. But since Gentoo uses a general mechanism (gcc-config) that generates a lot of wrappers and modifies $PATH, it is difficult for me to figure out what exactly I should do.

Does anyone have some tricks and tips for me?
_________________
Keep It Simple, stupid.
Apheus
Guru
Joined: 12 Jul 2008
Posts: 418

PostPosted: Wed Aug 19, 2015 1:43 pm    Post subject:

Can you use noexec /home mount and Trusted Path Execution instead? This does not restrict the compiler, but users will not be able to run their compiled programs. TPE is a section in the hardened kernel's setup.
biergaizi
n00b
Joined: 18 Dec 2011
Posts: 45
Location: Beijing, China

PostPosted: Wed Aug 19, 2015 4:31 pm    Post subject:

Apheus wrote:
Can you use noexec /home mount and Trusted Path Execution instead? This does not restrict the compiler, but users will not be able to run their compiled programs. TPE is a section in the hardened kernel's setup.
This system is used as a platform to do some light development for some users; making the whole /home noexec is too aggressive...
But thanks for the idea, a carefully configured TPE may be a solution.
_________________
Keep It Simple, stupid.
szatox
Veteran
Joined: 27 Aug 2013
Posts: 1717

PostPosted: Wed Aug 19, 2015 8:32 pm    Post subject:

Quote:
This system is used as a platform to do some light development for some users, NoExec the whole /home is too aggressive...
But thanks for the idea, a carefully configured TPE may be a solution.
You could use e.g. /opt/bin as a location for user-developed binaries.
You would often see a directory like /home/user/bin/ anyway, so it can be a symlink to that /opt/bin restricted to only be usable by developers.

Or you could do that in a more enterprisey way: build a farm of single-purpose VMs. Isolate unrelated things from each other. Keep developers out of web servers, give them one for their exclusive use instead.
Hu
Moderator
Joined: 06 Mar 2007
Posts: 13498

PostPosted: Thu Aug 20, 2015 1:24 am    Post subject:

Bind mounts have their own value for exec/noexec and for ro/rw. You could run the untrusted software in a mount namespace where every mount is at least one of ro or noexec. Place the users in a mount namespace where they have a writable exec directory for their test work. You could even arrange for the untrusted namespace to have unnecessary directories shadowed out with empty ones. For example, bind mount /var/empty onto /usr/x86_64-pc-linux-gnu/gcc-bin.
All times are GMT