Restricted Access to Certain Binaries

Networking/Security Forums -> UNIX // GNU/Linux

Author: Weaver  Location: WI, USA  Posted: Fri Oct 08, 2004 8:05 pm  Post subject: Restricted Access to Certain Binaries
Does anyone know of a *nix equivalent to Windows "Software Restriction Policies"? Basically, what I want to do is not allow certain binaries with a specific name or that match a given hash to run on a Linux machine.

This isn't terribly difficult to implement in Windows using the above mentioned policies. However, I have not been able to find a *nix equivalent.

If I have to write a kernel module this would definitely be a good excuse to learn more about kernel programming (something I have only dabbled in).

The setup needs to be able to do the following:

A list is kept in some form, listing both the name and a hash of the binaries that are NOT allowed by given users.

The module/program will then note when a binary of a given name or hash is being executed, using a logical OR on the name or hash. If the UID is not in the "allowed" list of UIDs, then they are not able to execute the binary.

Again, if anyone knows of any existing software/modules, please let me know. If anyone has any insight as to the level of kernel knowledge required to implement such a module, please let me know.
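The decision logic the post describes (match on name OR hash, then consult a per-rule list of exempt UIDs) is small enough to write out. The following is an added example, not code from the thread: a userspace model of the check that an exec-time hook or wrapper would call, with a constructed deny list and constructed sample files; the rule names, the exempt UID 0 and the "blocked-tool" filename are assumptions for the demonstration.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class DenyRule:
    """One deny-list entry: match on basename, on SHA-256, or on either.

    allowed_uids are the UIDs exempt from this rule (the "allowed" list in the
    original post); everyone else is refused when the rule matches.
    """
    name: Optional[str] = None
    sha256: Optional[str] = None
    allowed_uids: FrozenSet[int] = field(default_factory=frozenset)


def sha256_of_file(path: str) -> str:
    """Hash in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def rule_hits(name: str, digest: str, rules: List[DenyRule]) -> List[DenyRule]:
    """A rule matches when its name OR its hash matches (the logical OR from the post)."""
    return [r for r in rules
            if (r.name is not None and r.name == name)
            or (r.sha256 is not None and r.sha256 == digest)]


def decide(path: str, uid: int, rules: List[DenyRule]) -> Tuple[bool, str]:
    """Policy decision for 'uid wants to execute path'. Returns (allowed, reason)."""
    hits = rule_hits(os.path.basename(path), sha256_of_file(path), rules)
    if not hits:
        return True, "no deny rule matches"
    for r in hits:
        if uid not in r.allowed_uids:
            return False, "denied: name=%r sha256=%r uid=%d" % (r.name, r.sha256, uid)
    return True, "matched only rules that exempt this uid"


def demo() -> dict:
    """Constructed scenario (not from the thread): the same bytes under two names.

    A name-only rule does not see the renamed copy; a hash rule does, which is
    why the post wants both criteria OR-ed together.
    """
    payload = b"#!/bin/sh\necho constructed sample program\n"  # constructed content
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "blocked-tool")  # hypothetical blocked name
        renamed = os.path.join(d, "innocent-name")
        for p in (original, renamed):
            with open(p, "wb") as f:
                f.write(payload)
        name_only = [DenyRule(name="blocked-tool", allowed_uids=frozenset({0}))]
        name_or_hash = name_only + [
            DenyRule(sha256=hashlib.sha256(payload).hexdigest(), allowed_uids=frozenset({0}))
        ]
        return {
            "renamed_vs_name_only": decide(renamed, 1001, name_only)[0],        # True
            "renamed_vs_name_or_hash": decide(renamed, 1001, name_or_hash)[0],  # False
            "original_vs_name_only": decide(original, 1001, name_only)[0],      # False
            "root_exempt": decide(original, 0, name_or_hash)[0],                # True
        }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print("%-26s %s" % (case, "allowed" if allowed else "blocked"))
```

The hash is computed from the file actually being executed, so the check is on content rather than on a path the user controls; the remaining engineering problem, which this model leaves to the enforcement point, is making the hashed bytes and the executed bytes the same ones.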



Author: Cass  Location: Scotland  Posted: Fri Oct 08, 2004 11:06 pm
Hi Weaver,

I'm not sure if I'm understanding your requirements correctly, but Linux has built-in tools to restrict access to files and folders. The commands I'm thinking of are:

chown :- change the owner of a file to a certain user
chgrp :- change a binary to be accessible by users in a certain group
chmod :- change the overall permissions of the file

# chown cass filename.ksh

will change the file to be owned by me. If you run

# chmod 700 filename.ksh

only the user cass will be able to run this.

If I run this command

# chgrp mygroup filename.ksh

then run

# chmod 770 filename.ksh

the owner cass and any users in the mygroup group will be able to run the file.

The group can be found at:


Have a read of the man page for each of the above commands for further info.

If I have misunderstood you, apologies for wasting your reading time.

Oh, also you could check out the NSA extensions to the Linux kernel; these can add further granularity to this.

Edit: You could also, when I think about it, implement ACLs; run a Google search for "linux acl" for a lot more info.


Author: Weaver  Location: WI, USA  Posted: Fri Oct 08, 2004 11:27 pm
Thanks for the response. I am familiar with the *nix permission system and have employed its services many times. Unfortunately that isn't exactly what I am looking for here.

Here is the situation. This is going to be for campus machines running Linux or Mac OS X. We want to restrict access to certain programs/binaries. The permission system would work fine for system binaries, but would not work if a user were to download and run the binary from their home directory.

I don't expect this to be the end-all solution, but if we could block by name and/or hash that would be initially sufficient.


Author: Cass  Location: Scotland  Posted: Fri Oct 08, 2004 11:42 pm
Hmm, this will be difficult to do, I think; it's the download to the local system that is the hard part. The only way I would think of is to restrict access to the files users can download: if you don't trust the users in question, block their access to them. If this is a LAN file server we're talking about, have authentication to get the files, i.e. ACLs for the likes of NFS shares, password auth for FTP, etc. Also, it might be possible to restrict exec access to binaries by mounting the home dir noexec, if this is NFS we speak about. It might not prevent users running from the likes of /var/tmp though, or be practical for other allowed use...

I am unfortunately unfamiliar with Windows policies, so I can't get an exact handle on what you need; best I can think of at the mo.


Author: Weaver  Location: WI, USA  Posted: Sat Oct 09, 2004 1:08 am
Thanks for the ideas, I'll keep working on it. I think a kernel module might be my best bet.


Author: Cass  Location: Scotland  Posted: Sat Oct 09, 2004 1:46 am
It sounds like this is something that should be available on Linux; I haven't heard of anything similar anyway. If you do decide to write a kernel module for this, I'm sure it'd be worthwhile and useful to others. Keep us posted if it happens.


Author: 0x54  Posted: Sat Oct 09, 2004 7:00 am
You could do this with systrace,
though that's kind of a heavy-duty solution and *will* take a long, long, long time to configure. Too long, perhaps; though when I give folk shells (for whatever reason), they're systraced (stsh <3).

(I know that isn't a useful suggestion, due to the effort required to configure it.)

Author: hads  Location: New Zealand  Posted: Sat Oct 09, 2004 7:59 am
I realise this isn't exactly what you are asking for, but just in case you haven't thought of it, how about the noexec option for mount? Could be of use somewhere in the scheme of things.


Author: dlab  Posted: Fri Oct 29, 2004 12:29 am
Yeah, if you have all user-writable directories in their own partitions, you can try using the noexec option, which would prevent running binaries from those mounts.

/dev/hda3 /home ext3 defaults,sync,acl,noexec 1 1

or if you don't have partitions for those, try

mkdir /loop
dd if=/dev/urandom of=/loop/home bs=1M count=2048 # 2 Gig /home
mkfs -t ext3 /loop/home
(should warn you about it not being a block device)
edit /etc/fstab and add:
/loop/home /home ext3 defaults,async,acl,noexec,loop 1 2

Make sure you do this for all dirs that are writable by users, like /var/spool/mail, /tmp, /usr/tmp, and /var/tmp.
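The last step, checking that every user-writable directory actually lives on a noexec mount, is easy to get wrong once there are several filesystems and loop mounts. As an added example that is not from the thread, the following reads a mount table in /proc/mounts format, finds the mount each directory lives on by longest path-component prefix, and reports which of the directories dlab lists still sit on a mount without noexec. The mount table below is constructed sample input, not captured from a real host; on a real machine pass the contents of /proc/mounts instead.

```python
from typing import Dict, List, NamedTuple, Tuple


class Mount(NamedTuple):
    device: str
    mountpoint: str
    fstype: str
    options: frozenset


def _unescape(field: str) -> str:
    """/proc/mounts writes spaces, tabs and newlines as octal escapes such as \\040."""
    return field.encode("ascii").decode("unicode_escape")


def parse_mounts(text: str) -> List[Mount]:
    """Parse 'device mountpoint fstype options dump pass' lines; skip malformed ones."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        device, mountpoint, fstype, options = parts[:4]
        mounts.append(Mount(_unescape(device), _unescape(mountpoint), fstype,
                            frozenset(options.split(","))))
    return mounts


def mount_for(path: str, mounts: List[Mount]) -> Mount:
    """Longest-prefix match on whole components, so /home does not claim /homework.

    Ties (the same mountpoint listed twice) go to the later entry, which is the
    one currently visible when a filesystem has been mounted over another.
    """
    best = None
    for m in mounts:
        mp = m.mountpoint
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) >= len(best.mountpoint):
                best = m
    if best is None:
        raise ValueError("no mount covers %r" % path)
    return best


def audit_noexec(dirs: List[str], mounts_text: str) -> Dict[str, Tuple[str, bool]]:
    """For each directory report (mountpoint it lives on, whether noexec is set)."""
    mounts = parse_mounts(mounts_text)
    return {d: (mount_for(d, mounts).mountpoint, "noexec" in mount_for(d, mounts).options)
            for d in dirs}


# Constructed sample in /proc/mounts format (not from a real host). Only /home and
# the escaped "usb stick" mount carry noexec; /tmp is its own mount without it.
SAMPLE_MOUNTS = r"""
/dev/hda1 / ext3 rw,acl 0 0
/dev/hda3 /home ext3 rw,acl,noexec 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda1 /mnt/usb\040stick vfat rw,noexec 0 0
"""

# The user-writable directories named in the post, plus the escaped sample mount.
USER_WRITABLE = ["/home", "/tmp", "/usr/tmp", "/var/tmp", "/var/spool/mail", "/mnt/usb stick"]


def unprotected(dirs=USER_WRITABLE, mounts_text=SAMPLE_MOUNTS) -> List[str]:
    """Directories whose mount lacks noexec, sorted for stable reporting."""
    return sorted(d for d, (_, noexec) in audit_noexec(dirs, mounts_text).items() if not noexec)


if __name__ == "__main__":
    for d, (mp, noexec) in audit_noexec(USER_WRITABLE, SAMPLE_MOUNTS).items():
        print("%-18s on %-16s %s" % (d, mp, "noexec" if noexec else "EXEC ALLOWED"))
```

With the sample table, /usr/tmp, /var/tmp and /var/spool/mail all resolve to the root filesystem, and /tmp is a separate tmpfs mounted without noexec, so all four are reported; this is the situation the post warns about when only /home has been moved to its own partition.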

All times are GMT + 2 Hours