Thread (14 messages) 14 messages, 5 authors, 2017-06-12
STALE3288d

[PATCH v1] shebang: restrict python interactive prompt/interpreter

From: penguin-kernel@I-love.SAKURA.ne.jp (Tetsuo Handa)
Date: 2017-06-09 15:41:37 

Matt Brown wrote:
quoted
What about execution via ld-linux ?

   $ /lib64/ld-linux-x86-64.so.2 /usr/bin/python2
Just tested this and you are correct, this allows you to bypass the
protection.

I was able to fix this bypass by including /lib64/ld-linux-x86-64.so.2
in the list of interpreters.
And there is also PYTHONINSPECT environment variable. ;-)

# echo '#!/usr/bin/python2' > run-python
# chmod 755 run-python
# ./run-python
# PYTHONINSPECT=yes ./run-python
quoted
quoted
print "hello"
hello
quoted
quoted
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help