Discussion:
Preventing curl | bash
Sheogorath
2018-10-16 09:15:39 UTC
Permalink
Hi,

it's mostly a question out of curiosity but maybe useful for some people.

I wonder if there is a way to prevent a direct piping from curl to bash
using SELinux.

And of course one can download a file and then run bash on it, but a
simple rule that prevents direct piping would at least give a heads up
about it.
--
Signed
Sheogorath
Thomas Mueller
2018-10-17 07:00:53 UTC
Permalink
Post by Sheogorath
Hi,
it's mostly a question out of curiosity but maybe useful for some people.
I wonder if there is a way to prevent a direct piping from curl to bash
using SELinux.
And of course one can download a file and then run bash on it, but a
simple rule that prevents direct piping would at least give a heads up
about it.
sounds not like something I would implement. And you don't give much
context to your situation.

What do you like to prevent? Stop users with root-shells to execut
arbitary shell scripts obtained by curl?


- Thomas
_______________________________________________
selinux mailing list -- ***@lists.fedoraproject.org
To unsubscribe send an email to selinux-***@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorapr
Manuel Wolfshant
2018-10-17 07:34:55 UTC
Permalink
Post by Sheogorath
Post by Sheogorath
Hi,
it's mostly a question out of curiosity but maybe useful for some
people.
Post by Sheogorath
I wonder if there is a way to prevent a direct piping from curl to
bash
Post by Sheogorath
using SELinux.
And of course one can download a file and then run bash on it, but a
simple rule that prevents direct piping would at least give a heads
up
Post by Sheogorath
about it.
sounds not like something I would implement. And you don't give much
context to your situation.
What do you like to prevent? Stop users with root-shells to execut
arbitary shell scripts obtained by curl?
It's a common idiocy we (sysadmins) face in the web world: programmers need "something" and find a tutorial which instructs them to download some bundle which self-installs via the infamous mantra under discussion in this thread. Obviously preceded by a sudo (because why not ?)

Wolfy
_______________________________________________
selinux mailing list -- ***@lists.fedoraproject.org
To unsubscribe send an email to selinux-***@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject
Tracy Reed
2018-10-17 08:13:15 UTC
Permalink
Post by Sheogorath
I wonder if there is a way to prevent a direct piping from curl to bash
using SELinux.
No good way to prevent it. If they can install software they can do it.
Don't install curl. Monitor for process executions. I have auditd log
execs. Anytime someone runs curl or wget in our production environment
something's up.
--
Tracy Reed
http://tracyreed.org
Digital signature attached for your safety.
Manuel Wolfshant
2018-10-17 08:37:17 UTC
Permalink
Post by Tracy Reed
Post by Sheogorath
I wonder if there is a way to prevent a direct piping from curl to bash
using SELinux.
No good way to prevent it. If they can install software they can do it.
Don't install curl. Monitor for process executions. I have auditd log
execs. Anytime someone runs curl or wget in our production environment
something's up.
chmod 700 $(which curl)

but a selinux policy preventing those exact pipe invocations would be
interesting
_______________________________________________
selinux mailing list -- ***@lists.fedoraproject.org
To unsubscribe send an email to selinux-***@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraprojec

Continue reading on narkive:
Loading...