[grsec] Executing a compiled object
John Logsdon
j.logsdon at quantex-research.com
Tue Sep 26 06:07:02 EDT 2006
I want to enable some trusted users to be able to run their own compiled
objects the name of which will not generally be known.
Obviously this can lead to some trouble and ideally I don't want to do
this by including the user in the TPE group as that would enable them to
run rather more.
Is there an alternative? I haven't upgraded grsec for some time so
perhaps this sort of thing is already included.
I noticed a thread on the forum (viewtopic.php?p=5650&) and that shows
what could be done if a user can compile. It also gives some ideas about
restricting use but as PaX quotes Andrew Morton at the end, there are many
ways to cripple a linux box. Not being able to compile your own programs
is pretty restrictive too.
Some installed ready-compiled objects may not behave themselves as well
but they can be dealt with by an appropriate ACL if they are trusted on an
individual basis.
Maybe we have to wait for Xen to be fully integrated into the 2.6 kernel
and give everyone a sandbox.
Best wishes
John
John Logsdon "Try to make things as simple
Quantex Research Ltd, Manchester UK as possible but not simpler"
j.logsdon at quantex-research.com a.einstein at relativity.org
+44(0)161 445 4951/G:+44(0)7717758675 www.quantex-research.com
More information about the grsecurity
mailing list