Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
|
01-17-2007, 03:51 PM
|
#1
|
LQ Newbie
Registered: Apr 2005
Posts: 8
Rep:
|
Where do you generally put custom shell scripts (security-wise)?
That's it. I've tried various locations in the past, including /usr/local/bin, /usr/local/sbin, usr/local/bin/myscripts, /home/myaccount/bin... I just can't find any place completely satisfying. The point is: I do not want to put custom shell scripts in /home partition because much of these are systemwide admin scripts, and also because I mount my /home filesystem with noexec option following the security considerations. I do find it logical to put those in /usr/local/bin (and some of them in /usr/local/sbin), however I hesitate doing so as it conflicts with the point of mounting /usr partition readonly, and as many programs place their binaries in /usr/local/bin by default, making too much clutter. I assume I could deal with the latter by using a dedicated subdir like /usr/local/bin/scripts or the like (or specifying --prefix=/usr compile-time option to the programs' .configure scripts, albeit doing so possibly conflicts with the FHS), however ad-hoc remounting /usr readwrite whenever I intend to write, test and debug a script (and remounting readonly again when the job is done) simply isn't too feasible a solution, and not much secure either (in my opinion that is). Is there any known commonly agreed-upon practice for the placement of custom shell scripts, that is as much secure and as much distribution-agnostic as possible? I'd like to hear your opinions.
Thanks for your time,
BILMO
|
|
|
01-17-2007, 04:23 PM
|
#2
|
Senior Member
Registered: Jan 2004
Location: Roughly 29.467N / 81.206W
Distribution: OpenBSD, Debian, FreeBSD
Posts: 1,450
Rep:
|
Please note that noexec is not "intended" to be used for security purposes. It does provide a measure of security but does nothing to prevent shell scripts from being run. You can't run them directly but you can just type "sh scriptname" or through another method. There is nothing in place to stop that. What noexec does do is prevent "binaries" from being run and that is a wise thing for the most part.
Traditionally, /usr/local was for local scripts... so /usr/local/bin and /usr/local/sbin would be the right place for them. I recognize your frustration about it being mounted read-only (of course, they don't expect you to be changing these things daily once you move them there... only during testing). You could always mount /usr/local as it's own partition and allow it to be read-write but that's not really a good solution.
As for it being insecure to make /usr +rw for a bit then switch back to -ro ... it's not really that bad. Obviously you want to minimize the time it's writable but the only security implication involved is that no program should "write" to /usr without being told to. The odds are that if a script or local user has the rights to write into /usr, you probably already have a problem. I personally keep it read-only because it does prevent the problem. But even I remount it read-write when doing upgrades or patching programs... it keeps the window of opportunity as small as possible.
The distribution agnostic place would be in /usr/local/{,s}bin and the best idea is to write, test, and debug a script outside that directory and then move it into there. You wouldn't want someone running the script before you were done testing it... so you wouldn't want it in a place where it's in the path of all the users.
I'd use ~/bin for testing and development. And when you're pretty sure it's right... move it to /usr/local. And you can keep /home mounted with noexec (although I honestly have far too many personal scripts and programs to survive with that restriction myself) and just call them with "{interpreter} scriptname" until you're done debugging it.
Edit: Also note... shell scripts are not setuid... so they run with the rights of the user calling them. And no matter where you put them, if users can find them, and they have the rights to execute them, you have to assume they will.
Last edited by frob23; 01-17-2007 at 04:25 PM.
|
|
|
01-17-2007, 05:31 PM
|
#3
|
Senior Member
Registered: Oct 2003
Location: UK
Distribution: Kubuntu 12.10 (using awesome wm though)
Posts: 3,530
Rep:
|
I'd use /usr/local/... or /opt/...
|
|
|
01-18-2007, 01:23 AM
|
#4
|
LQ Newbie
Registered: Apr 2005
Posts: 8
Original Poster
Rep:
|
Thanks for your feedback guys. And special thanks to frob23 - your elaborate explanation gave me much insight into what I hadn't gotten quite correctly before, and reminded me of some things I used to know.
Thanks,
BILMO
|
|
|
All times are GMT -5. The time now is 05:39 AM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|