|
Message-ID: <E608EDB8-72E8-4791-AC9B-8FF9AC753FBE@sempervictus.com>
Date: Tue, 16 Jul 2024 13:29:43 -0400
From: Boris Lukashev <blukashev@...pervictus.com>
To: kernel-hardening@...ts.openwall.com
Subject: Re: [RFC PATCH v19 0/5] Script execution control (was O_MAYEXEC)
Wouldn't count those shell chickens - awk alone is enough and we can use ssh and openssl clients (all in metasploit public code). As one of the people who makes novel shell types, I can assure you that this effort is only going to slow skiddies and only until the rest of us publish mitigations for this mitigation :)
-Boris (RageLtMan)
On July 16, 2024 12:12:49 PM EDT, James Bottomley <James.Bottomley@...senPartnership.com> wrote:
>On Tue, 2024-07-16 at 17:57 +0200, Roberto Sassu wrote:
>> But the Clip OS 4 patch does not cover the redirection case:
>>
>> # ./bash < /root/test.sh
>> Hello World
>>
>> Do you have a more recent patch for that?
>
>How far down the rabbit hole do you want to go? You can't forbid a
>shell from executing commands from stdin because logging in then won't
>work. It may be possible to allow from a tty backed file and not from
>a file backed one, but you still have the problem of the attacker
>manually typing in the script.
>
>The saving grace for this for shells is that they pretty much do
>nothing on their own (unlike python) so you can still measure all the
>executables they call out to, which provides reasonable safety.
>
>James
>
Content of type "text/html" skipped
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.