On Wed, February 15, 2017 2:38 pm, Gordon Messmer wrote:
On 02/15/2017 12:08 PM, Valeri Galtsev wrote:
/run/screen/S-<user> - NOT on CentOS 5
/var/spool/samba - NOT on CentOS 5
that needs extra security - in our shop;
To be pedantic: screen definitely creates a user-writable directory on
CentOS 5, in a different location, and samba will include that directory if installed. It can be really hard to make sure everything required is mounted noexec when some of these directories are automatically created by SUID or SGID binaries, in response to user actions.
Sure, I agree. Screen itself is SGID group screen and not SUID. One needs to watch for places with group screen write permission, that they do not live anywhere that is not noexec-mounted. And we never had SAMBA whenever we went to that length in restricting users... All in all virtualization made our lives easier (I'm using FreeBSD jails to compartmentalize immiscible things these days, I bet Linux has its lightweight equivalent, and likely more than one).
Valeri
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
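A defender-side audit for the situation the thread describes (group-writable directories created by SGID binaries such as screen that may sit on a mount without noexec), added here as an example and not code from the thread's participants: it resolves each path against a /proc/self/mounts-style table (a table file can be passed in, so a constructed one is used below) and flags group-writable directories that are not on a noexec mount. The function names, the group argument and the table argument are assumptions.

```shell
#!/bin/sh
# Hypothetical helpers (added example): find which mount contains a path and
# whether that mount is noexec, then report group-writable dirs that are not.

mount_opts_for() {
    # $1 = path to check, $2 = mounts table (defaults to the live /proc/self/mounts)
    path=$1; table=${2:-/proc/self/mounts}
    best=''; bestopts=''
    while read -r _dev mnt _fstype opts _rest; do
        match=0
        if [ "$mnt" = / ]; then
            match=1                                  # root mount contains every path
        else
            case "$path" in "$mnt"|"$mnt"/*) match=1 ;; esac
        fi
        # keep the longest matching mount point: the deepest mount wins
        if [ "$match" -eq 1 ] && [ ${#mnt} -ge ${#best} ]; then
            best=$mnt; bestopts=$opts
        fi
    done < "$table"
    printf '%s\n' "$bestopts"
}

is_noexec() {
    # $1 = path, $2 = optional mounts table; exit 0 if the containing mount has noexec
    case ",$(mount_opts_for "$1" "$2")," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

report_group_writable() {
    # $1 = group to look for (e.g. screen), $2 = tree to scan, $3 = optional mounts table
    # Prints NOEXEC for dirs already on a noexec mount, EXEC for those needing attention.
    find "$2" -type d -group "$1" -perm -020 2>/dev/null | while read -r d; do
        if is_noexec "$d" "$3"; then
            printf 'NOEXEC %s\n' "$d"
        else
            printf 'EXEC   %s\n' "$d"
        fi
    done
}

# usage on a live system (needs root to see everything):
#   report_group_writable screen /
```

Pass a saved copy of /proc/self/mounts as the third argument to audit a table captured from another host.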