Is there a shell that checks to make sure the code is signed?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
18
down vote

favorite
5












I was messing around with PowerShell this week and discovered that you are required to Sign your scripts so that they can be run. Is there any similar secure functionality in Linux that relates to preventing bash scripts from being run?



The only functionality similar to this, that I'm aware of is that of SSH requiring a certain key.










share|improve this question



















  • 2




    Sounds a bit like an ad-hoc solution to package signing to me. I don't know if Windows has cryptographic package signing the way Linux has.
    – Wildcard
    Aug 8 '16 at 22:36






  • 6




    @leeand00 A script is a special case of a software package and I can't see any point to singling out that case.
    – Gilles
    Aug 9 '16 at 0:07






  • 2




    The mechanism I'm most fond of is the way ChromeOS does this -- putting the only filesystem not flagged noexec on a read-only partition on a dm-verity signed block device.
    – Charles Duffy
    Aug 9 '16 at 1:45






  • 1




    source.android.com/security/verifiedboot talks about Android's adoption of that (initially ChromeOS) feature.
    – Charles Duffy
    Aug 9 '16 at 2:10






  • 1




    You can consider bash as a bunch of commands that can be typed manual in command line interface. What's the point to restrict the scripts when you can type the contents in command line anyway?
    – Ding-Yi Chen
    Aug 9 '16 at 3:43















up vote
18
down vote

favorite
5












I was messing around with PowerShell this week and discovered that you are required to Sign your scripts so that they can be run. Is there any similar secure functionality in Linux that relates to preventing bash scripts from being run?



The only functionality similar to this, that I'm aware of is that of SSH requiring a certain key.










share|improve this question



















  • 2




    Sounds a bit like an ad-hoc solution to package signing to me. I don't know if Windows has cryptographic package signing the way Linux has.
    – Wildcard
    Aug 8 '16 at 22:36






  • 6




    @leeand00 A script is a special case of a software package and I can't see any point to singling out that case.
    – Gilles
    Aug 9 '16 at 0:07






  • 2




    The mechanism I'm most fond of is the way ChromeOS does this -- putting the only filesystem not flagged noexec on a read-only partition on a dm-verity signed block device.
    – Charles Duffy
    Aug 9 '16 at 1:45






  • 1




    source.android.com/security/verifiedboot talks about Android's adoption of that (initially ChromeOS) feature.
    – Charles Duffy
    Aug 9 '16 at 2:10






  • 1




    You can consider bash as a bunch of commands that can be typed manual in command line interface. What's the point to restrict the scripts when you can type the contents in command line anyway?
    – Ding-Yi Chen
    Aug 9 '16 at 3:43













up vote
18
down vote

favorite
5









up vote
18
down vote

favorite
5






5





I was messing around with PowerShell this week and discovered that you are required to Sign your scripts so that they can be run. Is there any similar secure functionality in Linux that relates to preventing bash scripts from being run?



The only functionality similar to this, that I'm aware of is that of SSH requiring a certain key.










share|improve this question















I was messing around with PowerShell this week and discovered that you are required to Sign your scripts so that they can be run. Is there any similar secure functionality in Linux that relates to preventing bash scripts from being run?



The only functionality similar to this, that I'm aware of is that of SSH requiring a certain key.







linux scripting security






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 20 at 6:56









Evan Carroll

4,91094075




4,91094075










asked Aug 8 '16 at 22:32









leeand00

1,34332341




1,34332341







  • 2




    Sounds a bit like an ad-hoc solution to package signing to me. I don't know if Windows has cryptographic package signing the way Linux has.
    – Wildcard
    Aug 8 '16 at 22:36






  • 6




    @leeand00 A script is a special case of a software package and I can't see any point to singling out that case.
    – Gilles
    Aug 9 '16 at 0:07






  • 2




    The mechanism I'm most fond of is the way ChromeOS does this -- putting the only filesystem not flagged noexec on a read-only partition on a dm-verity signed block device.
    – Charles Duffy
    Aug 9 '16 at 1:45






  • 1




    source.android.com/security/verifiedboot talks about Android's adoption of that (initially ChromeOS) feature.
    – Charles Duffy
    Aug 9 '16 at 2:10






  • 1




    You can consider bash as a bunch of commands that can be typed manual in command line interface. What's the point to restrict the scripts when you can type the contents in command line anyway?
    – Ding-Yi Chen
    Aug 9 '16 at 3:43













  • 2




    Sounds a bit like an ad-hoc solution to package signing to me. I don't know if Windows has cryptographic package signing the way Linux has.
    – Wildcard
    Aug 8 '16 at 22:36






  • 6




    @leeand00 A script is a special case of a software package and I can't see any point to singling out that case.
    – Gilles
    Aug 9 '16 at 0:07






  • 2




    The mechanism I'm most fond of is the way ChromeOS does this -- putting the only filesystem not flagged noexec on a read-only partition on a dm-verity signed block device.
    – Charles Duffy
    Aug 9 '16 at 1:45






  • 1




    source.android.com/security/verifiedboot talks about Android's adoption of that (initially ChromeOS) feature.
    – Charles Duffy
    Aug 9 '16 at 2:10






  • 1




    You can consider bash as a bunch of commands that can be typed manual in command line interface. What's the point to restrict the scripts when you can type the contents in command line anyway?
    – Ding-Yi Chen
    Aug 9 '16 at 3:43








2




2




Sounds a bit like an ad-hoc solution to package signing to me. I don't know if Windows has cryptographic package signing the way Linux has.
– Wildcard
Aug 8 '16 at 22:36




Sounds a bit like an ad-hoc solution to package signing to me. I don't know if Windows has cryptographic package signing the way Linux has.
– Wildcard
Aug 8 '16 at 22:36




6




6




@leeand00 A script is a special case of a software package and I can't see any point to singling out that case.
– Gilles
Aug 9 '16 at 0:07




@leeand00 A script is a special case of a software package and I can't see any point to singling out that case.
– Gilles
Aug 9 '16 at 0:07




2




2




The mechanism I'm most fond of is the way ChromeOS does this -- putting the only filesystem not flagged noexec on a read-only partition on a dm-verity signed block device.
– Charles Duffy
Aug 9 '16 at 1:45




The mechanism I'm most fond of is the way ChromeOS does this -- putting the only filesystem not flagged noexec on a read-only partition on a dm-verity signed block device.
– Charles Duffy
Aug 9 '16 at 1:45




1




1




source.android.com/security/verifiedboot talks about Android's adoption of that (initially ChromeOS) feature.
– Charles Duffy
Aug 9 '16 at 2:10




source.android.com/security/verifiedboot talks about Android's adoption of that (initially ChromeOS) feature.
– Charles Duffy
Aug 9 '16 at 2:10




1




1




You can consider bash as a bunch of commands that can be typed manual in command line interface. What's the point to restrict the scripts when you can type the contents in command line anyway?
– Ding-Yi Chen
Aug 9 '16 at 3:43





You can consider bash as a bunch of commands that can be typed manual in command line interface. What's the point to restrict the scripts when you can type the contents in command line anyway?
– Ding-Yi Chen
Aug 9 '16 at 3:43











8 Answers
8






active

oldest

votes

















up vote
10
down vote



accepted










If you're locking users' ability to run scripts via sudo then you could use the digest functionality.

You can specify the hash of a script/executable in sudoers which will be verified by sudo before being executed. So although not the same as signing, it gives you a basic guarantee that the script has at least not been modified without sudoers also being modified.




If a command name is prefixed with a Digest_Spec, the command will only match successfully if it can be verified using the specified SHA-2 digest. This may be useful in situations where the user invoking sudo has write access to the command or its parent directory. The following digest formats are supported: sha224, sha256, sha384 and sha512. The string may be specified in either hex or base64 format (base64 is more compact). There are several utilities capable of generating SHA-2 digests in hex format such as openssl, shasum, sha224sum, sha256sum, sha384sum, sha512sum.




http://www.sudo.ws/man/1.8.13/sudoers.man.html






share|improve this answer




















  • That'll hold me over until I read about SE Linux and do it right.
    – leeand00
    Aug 10 '16 at 13:22

















up vote
13
down vote













Yes and no.



Linux software distribution works somewhat differently from Windows software distribution. In the (non-embedded) Linux world, the primary method to distribute software is via a distribution (Ubuntu, Debian, RHEL, Fedora, Arch, etc.). All major distributions have been signing their packages systematically for about a decade.



When software is distributed independently, it's up to the vendor to decide how they'll ship their software. Good vendors provide package sources that's compatible with the major distributions (there's no unified distribution mechanism for all of Linux: software distribution is one of the main points of differentiation between distributions) and that are signed with the vendor's key. Linux distributions rarely act as a signing authority for third-party vendors (Canonical does this with Ubuntu partners, but that covers very few vendors), and I think all major distributions use the PGP web of trust rather than the TLS public key infrastructure, so it's up to the user to figure out whether they want to trust a key.



There's no special mechanism that singles out software packages that consist of a single script from software packages that consist of a native executable, a data file, or multiple files. Nor is any signature verification built into any common script interpreter, because verifying a software package is a completely orthogonal concern from running a script.



I think Windows annotates files with their origin, and requires user confirmation to run a file whose origin is “downloaded” rather than “local”. Linux doesn't really have a similar mechanism. The closest thing is execution permission: a downloaded file does not have execution permission, the user needs to explicitly enable it (chmod +x on the command line, or the equivalent action in a file manager).






share|improve this answer


















  • 2




    FWIW, on top of this PowerShell can be configured (by policy settings) to only execute signed scripts and this policy can be configured so that all scripts must be signed or only "remote origin" scripts, or no scripts. It works best in an AD environment with key management and central policy management. It can be bypassed :-)
    – Stephen Harris
    Aug 9 '16 at 0:43











  • @StephenHarris Well yeah if you set It to bypass...
    – leeand00
    Aug 9 '16 at 0:45










  • @leeand00 - Apparently base64 encoding also works as a bypass but I don't know if that's been closed in newer versions of PowerShell.
    – Stephen Harris
    Aug 9 '16 at 0:47






  • 1




    @leeand00 - see darkoperator.com/blog/2013/3/5/… for some fun :-) Basically pass the base64 encoded script as a parameter on the command line :-) Easy enough to wrapper!
    – Stephen Harris
    Aug 9 '16 at 0:50






  • 2




    SeLinux annotates files with their origin. It's one of its main premises.
    – loa_in_
    Aug 9 '16 at 1:11


















up vote
9
down vote













Linux does not provide the capability to limit the execution of bash scripts based on digital signatures.



There is some work on authenticating binary executables. See https://lwn.net/Articles/488906/ for info.






share|improve this answer




















  • Upvote for direct answer without suggesting a hackey work-around.
    – user394
    Aug 9 '16 at 1:59

















up vote
8
down vote













In a word, "no".



Linux doesn't really differentiate between executables and scripts; the #! at the beginning is a way to tell the kernel what program to run to evaluate the input but it's not the only way a script can be executed.



So, for example, if I have a script



$ cat x
#!/bin/sh
echo hello


Then I can run this with the command



$ ./x


That will cause the kernel to try and execute it, spot the #! and then effectively run /bin/sh x instead.



However I could also run any of these variants as well:



$ sh ./x
$ bash ./x
$ cat x | sh
$ cat x | bash
$ sh < x


or even



. ./x


So even if the kernel tried to enforce signing at the exec layer we can bypass this by only running the interpreter with the script as a parameter.



This means that signing code would have to be in the interpreter itself. And what would stop a user from compiling their own copy of a shell without the signing enforcement code?



The standard solution to this isn't to use signing, but to use Mandatory Access Controls (MAC), such as SELinux. With MAC systems you can specify exactly what each user is allowed to run and transition layers. So, for example, you can say "normal users can run anything but the web server and CGI processes can only access stuff from the /var/httpd directory; everything else is rejected".






share|improve this answer


















  • 1




    This means that signing code would have to be in the interpreter itself. And what would stop a user from compiling their own copy of a shell without the signing enforcement code? Not allowing executing of any unsigned executables would do it, If the user doesn't have the signing key. There are various *nix projects for this already.
    – alzee
    Aug 9 '16 at 0:49

















up vote
2
down vote













Linux distros usually have gnupg. It sounds to me like all you want is a simple bash wrapper that checks a detached gpg signature against the argument script and only proceeds to run the script if the check succeeds:



#!/bin/sh
gpgv2 $1.asc && bash "$@"





share|improve this answer




















  • The only thing this doesn't present is running a script that somebody just made...on their own...
    – leeand00
    Aug 8 '16 at 23:10

















up vote
2
down vote













The counter-question that comes to mind immediately is "Why would you ever want to prevent users from running programs they wrote?" Several possibilities exist:



  1. It is literally impossible to detect who authored the code in the first place. The owner of the script file is just whoever actually saved the content of that file, regardless of where it came from. So enforcing a signature is just a complicated substitute for a confirmation dialogue box: "Are you sure you want to do this?" In Linux part of this problem is solved transparently with signed packages, and mitigated by the fact that users have limited access by default. The user is also expected to know that running others' code can be dangerous*.

  2. In the same vein signing a script is a much more complex operation than saving a file. In the best case this prompts the user to realise that they are performing an action similar to signing a document, and should inspect what it says before continuing. Most likely it simply ensures a very minimal level of technical proficiency on the part of the user to be allowed to run the script. In the worst case it demonstrates a willingness to jump through a long series of hoops to run what they wanted to. Technical proficiency is assumed on Linux*.

  3. It is more likely that people will detect obviously malicious code when typing/pasting a series of commands to their command line. Plaintext snippets meant to be copied and pasted usually are smaller than the series of commands necessary to do something properly nefarious. The user can also carefully copy and paste every line separately, understanding what happens as it happens. With a script it's possible the user has never looked at the code at all. This may be a useful application of signed scripts, at the all-too-common cost of complacency after the 12th time you have to do it.

* This is probably becoming less and less true as more people start using Linux






share|improve this answer



























    up vote
    1
    down vote













    The reason the systems have evolved differently is that Linux has the 'exec' file attribute and Windows uses file extensions to determine executability.



    So in Windows it's easy to trick the user into downloading a file with an ".exe", ".bat", ".scr" extension, which will be hidden by default. Double-clicking that file would give you arbitary code execution. Hence a large mechanism of origin tracking and executable / script signing was built to mitigate this risk.



    On Linux, you might be able to get a file to the user, but you can't easily force the 'exec' bit to be set. Additionally, it's possible to make entire filesystems 'noexec'.



    You can in any case run a script explicitly by invoking the interpreter. You can even create shell scripts at runtime and pipe them into "sh", or run "sh -c".






    share|improve this answer



























      up vote
      0
      down vote













      By custom, many archiving programs do not preserve execute bit on contained files. This makes it impossible to run arbitrary executables. Well almost.



      The point is, what was described in another answer that lack of execute bit doesn't prevent you from passing such script directly to bash. While it's arguable that most such scripts are bash scripts, the shebang can specify any program as interpreter. This means that it's up to the user to run appropriate interpreter if they decide to ignore the executable semantics.



      While this isn't much, this pretty much covers prevention of running untrusted executables on *nixes with just kernel and shell.



      As I mentioned in one of the comments, there is one other layer of protection -- SeLinux -- which tracks the origin of files based on a set of rules. A set up SeLinux would not for example allow root to run an executable with executable bit set that was downloaded from the internet, even if you copy and move the file around. One can add a rule that such files can only be run through another binary that would check the signature, not unlike what you mentioned in your question.



      So, in the end it's a matter of configuration of commonly preinstalled tools, and the answer is yes.






      share|improve this answer






















      • many archiving programs do not preserve execute bit on contained files .. well, that's kind of a handicap when you actually want to use it for archiving. Fortunately tar does preserve the execute bit.
        – pjc50
        Aug 9 '16 at 9:19










      • You have to use tar -p source
        – loa_in_
        Aug 9 '16 at 9:47










      • -p, --preserve-permissions, --same-permissions means extract information about file permissions (default for superuser)
        – loa_in_
        Aug 9 '16 at 9:49











      • No, you do NOT need -p. I see what the man page says, but it's not what happens. touch permtest; chmod +x permtest; tar cf permtest.tar.gz permtest; rm permtest; tar xf permtest.tar.gz; ls -l permtest - it's executable here, and I'm not root.
        – domen
        Aug 9 '16 at 11:02










      • I'll try to improve my answer then.
        – loa_in_
        Aug 9 '16 at 19:48










      Your Answer








      StackExchange.ready(function()
      var channelOptions =
      tags: "".split(" "),
      id: "106"
      ;
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function()
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled)
      StackExchange.using("snippets", function()
      createEditor();
      );

      else
      createEditor();

      );

      function createEditor()
      StackExchange.prepareEditor(
      heartbeatType: 'answer',
      convertImagesToLinks: false,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: null,
      bindNavPrevention: true,
      postfix: "",
      imageUploader:
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      ,
      onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      );



      );













       

      draft saved


      draft discarded


















      StackExchange.ready(
      function ()
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f302139%2fis-there-a-shell-that-checks-to-make-sure-the-code-is-signed%23new-answer', 'question_page');

      );

      Post as a guest















      Required, but never shown

























      8 Answers
      8






      active

      oldest

      votes








      8 Answers
      8






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes








      up vote
      10
      down vote



      accepted










      If you're locking users' ability to run scripts via sudo then you could use the digest functionality.

      You can specify the hash of a script/executable in sudoers which will be verified by sudo before being executed. So although not the same as signing, it gives you a basic guarantee that the script has at least not been modified without sudoers also being modified.




      If a command name is prefixed with a Digest_Spec, the command will only match successfully if it can be verified using the specified SHA-2 digest. This may be useful in situations where the user invoking sudo has write access to the command or its parent directory. The following digest formats are supported: sha224, sha256, sha384 and sha512. The string may be specified in either hex or base64 format (base64 is more compact). There are several utilities capable of generating SHA-2 digests in hex format such as openssl, shasum, sha224sum, sha256sum, sha384sum, sha512sum.




      http://www.sudo.ws/man/1.8.13/sudoers.man.html






      share|improve this answer




















      • That'll hold me over until I read about SE Linux and do it right.
        – leeand00
        Aug 10 '16 at 13:22














      up vote
      10
      down vote



      accepted










      If you're locking users' ability to run scripts via sudo then you could use the digest functionality.

      You can specify the hash of a script/executable in sudoers which will be verified by sudo before being executed. So although not the same as signing, it gives you a basic guarantee that the script has at least not been modified without sudoers also being modified.




      If a command name is prefixed with a Digest_Spec, the command will only match successfully if it can be verified using the specified SHA-2 digest. This may be useful in situations where the user invoking sudo has write access to the command or its parent directory. The following digest formats are supported: sha224, sha256, sha384 and sha512. The string may be specified in either hex or base64 format (base64 is more compact). There are several utilities capable of generating SHA-2 digests in hex format such as openssl, shasum, sha224sum, sha256sum, sha384sum, sha512sum.




      http://www.sudo.ws/man/1.8.13/sudoers.man.html






      share|improve this answer




















      • That'll hold me over until I read about SE Linux and do it right.
        – leeand00
        Aug 10 '16 at 13:22












      up vote
      10
      down vote



      accepted







      up vote
      10
      down vote



      accepted






      If you're locking users' ability to run scripts via sudo then you could use the digest functionality.

      You can specify the hash of a script/executable in sudoers which will be verified by sudo before being executed. So although not the same as signing, it gives you a basic guarantee that the script has at least not been modified without sudoers also being modified.




      If a command name is prefixed with a Digest_Spec, the command will only match successfully if it can be verified using the specified SHA-2 digest. This may be useful in situations where the user invoking sudo has write access to the command or its parent directory. The following digest formats are supported: sha224, sha256, sha384 and sha512. The string may be specified in either hex or base64 format (base64 is more compact). There are several utilities capable of generating SHA-2 digests in hex format such as openssl, shasum, sha224sum, sha256sum, sha384sum, sha512sum.




      http://www.sudo.ws/man/1.8.13/sudoers.man.html






      share|improve this answer












      If you're locking users' ability to run scripts via sudo then you could use the digest functionality.

      You can specify the hash of a script/executable in sudoers which will be verified by sudo before being executed. So although not the same as signing, it gives you a basic guarantee that the script has at least not been modified without sudoers also being modified.




      If a command name is prefixed with a Digest_Spec, the command will only match successfully if it can be verified using the specified SHA-2 digest. This may be useful in situations where the user invoking sudo has write access to the command or its parent directory. The following digest formats are supported: sha224, sha256, sha384 and sha512. The string may be specified in either hex or base64 format (base64 is more compact). There are several utilities capable of generating SHA-2 digests in hex format such as openssl, shasum, sha224sum, sha256sum, sha384sum, sha512sum.




      http://www.sudo.ws/man/1.8.13/sudoers.man.html







      share|improve this answer












      share|improve this answer



      share|improve this answer










      answered Aug 10 '16 at 13:20









      batfastad

      7652719




      7652719











      • That'll hold me over until I read about SE Linux and do it right.
        – leeand00
        Aug 10 '16 at 13:22
















      • That'll hold me over until I read about SE Linux and do it right.
        – leeand00
        Aug 10 '16 at 13:22















      That'll hold me over until I read about SE Linux and do it right.
      – leeand00
      Aug 10 '16 at 13:22




      That'll hold me over until I read about SE Linux and do it right.
      – leeand00
      Aug 10 '16 at 13:22












      up vote
      13
      down vote













      Yes and no.



      Linux software distribution works somewhat differently from Windows software distribution. In the (non-embedded) Linux world, the primary method to distribute software is via a distribution (Ubuntu, Debian, RHEL, Fedora, Arch, etc.). All major distributions have been signing their packages systematically for about a decade.



      When software is distributed independently, it's up to the vendor to decide how they'll ship their software. Good vendors provide package sources that's compatible with the major distributions (there's no unified distribution mechanism for all of Linux: software distribution is one of the main points of differentiation between distributions) and that are signed with the vendor's key. Linux distributions rarely act as a signing authority for third-party vendors (Canonical does this with Ubuntu partners, but that covers very few vendors), and I think all major distributions use the PGP web of trust rather than the TLS public key infrastructure, so it's up to the user to figure out whether they want to trust a key.



      There's no special mechanism that singles out software packages that consist of a single script from software packages that consist of a native executable, a data file, or multiple files. Nor is any signature verification built into any common script interpreter, because verifying a software package is a completely orthogonal concern from running a script.



      I think Windows annotates files with their origin, and requires user confirmation to run a file whose origin is “downloaded” rather than “local”. Linux doesn't really have a similar mechanism. The closest thing is execution permission: a downloaded file does not have execution permission, the user needs to explicitly enable it (chmod +x on the command line, or the equivalent action in a file manager).






      share|improve this answer


















      • 2




        FWIW, on top of this PowerShell can be configured (by policy settings) to only execute signed scripts and this policy can be configured so that all scripts must be signed or only "remote origin" scripts, or no scripts. It works best in an AD environment with key management and central policy management. It can be bypassed :-)
        – Stephen Harris
        Aug 9 '16 at 0:43











      • @StephenHarris Well yeah if you set It to bypass...
        – leeand00
        Aug 9 '16 at 0:45










      • @leeand00 - Apparently base64 encoding also works as a bypass but I don't know if that's been closed in newer versions of PowerShell.
        – Stephen Harris
        Aug 9 '16 at 0:47






      • 1




        @leeand00 - see darkoperator.com/blog/2013/3/5/… for some fun :-) Basically pass the base64 encoded script as a parameter on the command line :-) Easy enough to wrapper!
        – Stephen Harris
        Aug 9 '16 at 0:50






      • 2




        SeLinux annotates files with their origin. It's one of its main premises.
        – loa_in_
        Aug 9 '16 at 1:11















      up vote
      13
      down vote













      Yes and no.



      Linux software distribution works somewhat differently from Windows software distribution. In the (non-embedded) Linux world, the primary method to distribute software is via a distribution (Ubuntu, Debian, RHEL, Fedora, Arch, etc.). All major distributions have been signing their packages systematically for about a decade.



      When software is distributed independently, it's up to the vendor to decide how they'll ship their software. Good vendors provide package sources that's compatible with the major distributions (there's no unified distribution mechanism for all of Linux: software distribution is one of the main points of differentiation between distributions) and that are signed with the vendor's key. Linux distributions rarely act as a signing authority for third-party vendors (Canonical does this with Ubuntu partners, but that covers very few vendors), and I think all major distributions use the PGP web of trust rather than the TLS public key infrastructure, so it's up to the user to figure out whether they want to trust a key.



      There's no special mechanism that singles out software packages that consist of a single script from software packages that consist of a native executable, a data file, or multiple files. Nor is any signature verification built into any common script interpreter, because verifying a software package is a completely orthogonal concern from running a script.



      I think Windows annotates files with their origin, and requires user confirmation to run a file whose origin is “downloaded” rather than “local”. Linux doesn't really have a similar mechanism. The closest thing is execution permission: a downloaded file does not have execution permission, the user needs to explicitly enable it (chmod +x on the command line, or the equivalent action in a file manager).






      share|improve this answer


















      • 2




        FWIW, on top of this PowerShell can be configured (by policy settings) to only execute signed scripts and this policy can be configured so that all scripts must be signed or only "remote origin" scripts, or no scripts. It works best in an AD environment with key management and central policy management. It can be bypassed :-)
        – Stephen Harris
        Aug 9 '16 at 0:43











      • @StephenHarris Well yeah if you set It to bypass...
        – leeand00
        Aug 9 '16 at 0:45










      • @leeand00 - Apparently base64 encoding also works as a bypass but I don't know if that's been closed in newer versions of PowerShell.
        – Stephen Harris
        Aug 9 '16 at 0:47






      • 1




        @leeand00 - see darkoperator.com/blog/2013/3/5/… for some fun :-) Basically pass the base64 encoded script as a parameter on the command line :-) Easy enough to wrapper!
        – Stephen Harris
        Aug 9 '16 at 0:50






      • 2




        SeLinux annotates files with their origin. It's one of its main premises.
        – loa_in_
        Aug 9 '16 at 1:11













      up vote
      13
      down vote










      up vote
      13
      down vote









      Yes and no.



      Linux software distribution works somewhat differently from Windows software distribution. In the (non-embedded) Linux world, the primary method to distribute software is via a distribution (Ubuntu, Debian, RHEL, Fedora, Arch, etc.). All major distributions have been signing their packages systematically for about a decade.



      When software is distributed independently, it's up to the vendor to decide how they'll ship their software. Good vendors provide package sources that's compatible with the major distributions (there's no unified distribution mechanism for all of Linux: software distribution is one of the main points of differentiation between distributions) and that are signed with the vendor's key. Linux distributions rarely act as a signing authority for third-party vendors (Canonical does this with Ubuntu partners, but that covers very few vendors), and I think all major distributions use the PGP web of trust rather than the TLS public key infrastructure, so it's up to the user to figure out whether they want to trust a key.



      There's no special mechanism that singles out software packages that consist of a single script from software packages that consist of a native executable, a data file, or multiple files. Nor is any signature verification built into any common script interpreter, because verifying a software package is a completely orthogonal concern from running a script.



      I think Windows annotates files with their origin, and requires user confirmation to run a file whose origin is “downloaded” rather than “local”. Linux doesn't really have a similar mechanism. The closest thing is execution permission: a downloaded file does not have execution permission, the user needs to explicitly enable it (chmod +x on the command line, or the equivalent action in a file manager).






      share|improve this answer














      Yes and no.



      Linux software distribution works somewhat differently from Windows software distribution. In the (non-embedded) Linux world, the primary method to distribute software is via a distribution (Ubuntu, Debian, RHEL, Fedora, Arch, etc.). All major distributions have been signing their packages systematically for about a decade.



      When software is distributed independently, it's up to the vendor to decide how they'll ship their software. Good vendors provide package sources that's compatible with the major distributions (there's no unified distribution mechanism for all of Linux: software distribution is one of the main points of differentiation between distributions) and that are signed with the vendor's key. Linux distributions rarely act as a signing authority for third-party vendors (Canonical does this with Ubuntu partners, but that covers very few vendors), and I think all major distributions use the PGP web of trust rather than the TLS public key infrastructure, so it's up to the user to figure out whether they want to trust a key.



      There's no special mechanism that singles out software packages that consist of a single script from software packages that consist of a native executable, a data file, or multiple files. Nor is any signature verification built into any common script interpreter, because verifying a software package is a completely orthogonal concern from running a script.



      I think Windows annotates files with their origin, and requires user confirmation to run a file whose origin is “downloaded” rather than “local”. Linux doesn't really have a similar mechanism. The closest thing is execution permission: a downloaded file does not have execution permission, the user needs to explicitly enable it (chmod +x on the command line, or the equivalent action in a file manager).







      share|improve this answer














      share|improve this answer



      share|improve this answer








      edited Aug 9 '16 at 0:46

























      answered Aug 9 '16 at 0:06









      Gilles

      522k12610401570




      522k12610401570







      • 2




        FWIW, on top of this PowerShell can be configured (by policy settings) to only execute signed scripts and this policy can be configured so that all scripts must be signed or only "remote origin" scripts, or no scripts. It works best in an AD environment with key management and central policy management. It can be bypassed :-)
        – Stephen Harris
        Aug 9 '16 at 0:43











      • @StephenHarris Well yeah if you set It to bypass...
        – leeand00
        Aug 9 '16 at 0:45










      • @leeand00 - Apparently base64 encoding also works as a bypass but I don't know if that's been closed in newer versions of PowerShell.
        – Stephen Harris
        Aug 9 '16 at 0:47






      • 1




        @leeand00 - see darkoperator.com/blog/2013/3/5/… for some fun :-) Basically pass the base64 encoded script as a parameter on the command line :-) Easy enough to wrapper!
        – Stephen Harris
        Aug 9 '16 at 0:50






      • 2




        SeLinux annotates files with their origin. It's one of its main premises.
        – loa_in_
        Aug 9 '16 at 1:11













      • 2




        FWIW, on top of this PowerShell can be configured (by policy settings) to only execute signed scripts and this policy can be configured so that all scripts must be signed or only "remote origin" scripts, or no scripts. It works best in an AD environment with key management and central policy management. It can be bypassed :-)
        – Stephen Harris
        Aug 9 '16 at 0:43











      • @StephenHarris Well yeah if you set It to bypass...
        – leeand00
        Aug 9 '16 at 0:45










      • @leeand00 - Apparently base64 encoding also works as a bypass but I don't know if that's been closed in newer versions of PowerShell.
        – Stephen Harris
        Aug 9 '16 at 0:47






      • 1




        @leeand00 - see darkoperator.com/blog/2013/3/5/… for some fun :-) Basically pass the base64 encoded script as a parameter on the command line :-) Easy enough to wrapper!
        – Stephen Harris
        Aug 9 '16 at 0:50






      • 2




        SeLinux annotates files with their origin. It's one of its main premises.
        – loa_in_
        Aug 9 '16 at 1:11








      2




      2




      FWIW, on top of this PowerShell can be configured (by policy settings) to only execute signed scripts and this policy can be configured so that all scripts must be signed or only "remote origin" scripts, or no scripts. It works best in an AD environment with key management and central policy management. It can be bypassed :-)
      – Stephen Harris
      Aug 9 '16 at 0:43





      FWIW, on top of this PowerShell can be configured (by policy settings) to only execute signed scripts and this policy can be configured so that all scripts must be signed or only "remote origin" scripts, or no scripts. It works best in an AD environment with key management and central policy management. It can be bypassed :-)
      – Stephen Harris
      Aug 9 '16 at 0:43













      @StephenHarris Well yeah if you set It to bypass...
      – leeand00
      Aug 9 '16 at 0:45




      @StephenHarris Well yeah if you set It to bypass...
      – leeand00
      Aug 9 '16 at 0:45












      @leeand00 - Apparently base64 encoding also works as a bypass but I don't know if that's been closed in newer versions of PowerShell.
      – Stephen Harris
      Aug 9 '16 at 0:47




      @leeand00 - Apparently base64 encoding also works as a bypass but I don't know if that's been closed in newer versions of PowerShell.
      – Stephen Harris
      Aug 9 '16 at 0:47




      1




      1




      @leeand00 - see darkoperator.com/blog/2013/3/5/… for some fun :-) Basically pass the base64 encoded script as a parameter on the command line :-) Easy enough to wrapper!
      – Stephen Harris
      Aug 9 '16 at 0:50




      @leeand00 - see darkoperator.com/blog/2013/3/5/… for some fun :-) Basically pass the base64 encoded script as a parameter on the command line :-) Easy enough to wrapper!
      – Stephen Harris
      Aug 9 '16 at 0:50




      2




      2




      SeLinux annotates files with their origin. It's one of its main premises.
      – loa_in_
      Aug 9 '16 at 1:11





      SeLinux annotates files with their origin. It's one of its main premises.
      – loa_in_
      Aug 9 '16 at 1:11











      up vote
      9
      down vote













      Linux does not provide the capability to limit the execution of bash scripts based on digital signatures.



      There is some work on authenticating binary executables. See https://lwn.net/Articles/488906/ for info.






      share|improve this answer




















      • Upvote for direct answer without suggesting a hackey work-around.
        – user394
        Aug 9 '16 at 1:59














      up vote
      9
      down vote













      Linux does not provide the capability to limit the execution of bash scripts based on digital signatures.



      There is some work on authenticating binary executables. See https://lwn.net/Articles/488906/ for info.






      share|improve this answer




















      • Upvote for direct answer without suggesting a hackey work-around.
        – user394
        Aug 9 '16 at 1:59












      up vote
      9
      down vote










      up vote
      9
      down vote









      Linux does not provide the capability to limit the execution of bash scripts based on digital signatures.



      There is some work on authenticating binary executables. See https://lwn.net/Articles/488906/ for info.






      share|improve this answer












      Linux does not provide the capability to limit the execution of bash scripts based on digital signatures.



      There is some work on authenticating binary executables. See https://lwn.net/Articles/488906/ for info.







      share|improve this answer












      share|improve this answer



      share|improve this answer










      answered Aug 8 '16 at 23:02









      Quentin Fennessy

      32414




      32414











      • Upvote for direct answer without suggesting a hackey work-around.
        – user394
        Aug 9 '16 at 1:59
















      • Upvote for direct answer without suggesting a hackey work-around.
        – user394
        Aug 9 '16 at 1:59















      Upvote for direct answer without suggesting a hackey work-around.
      – user394
      Aug 9 '16 at 1:59




      Upvote for direct answer without suggesting a hackey work-around.
      – user394
      Aug 9 '16 at 1:59










      up vote
      8
      down vote













      In a word, "no".



      Linux doesn't really differentiate between executables and scripts; the #! at the beginning is a way to tell the kernel what program to run to evaluate the input but it's not the only way a script can be executed.



      So, for example, if I have a script



      $ cat x
      #!/bin/sh
      echo hello


      Then I can run this with the command



      $ ./x


      That will cause the kernel to try and execute it, spot the #! and then effectively run /bin/sh x instead.



      However I could also run any of these variants as well:



      $ sh ./x
      $ bash ./x
      $ cat x | sh
      $ cat x | bash
      $ sh < x


      or even



      . ./x


      So even if the kernel tried to enforce signing at the exec layer we can bypass this by only running the interpreter with the script as a parameter.



      This means that signing code would have to be in the interpreter itself. And what would stop a user from compiling their own copy of a shell without the signing enforcement code?



      The standard solution to this isn't to use signing, but to use Mandatory Access Controls (MAC), such as SELinux. With MAC systems you can specify exactly what each user is allowed to run and transition layers. So, for example, you can say "normal users can run anything but the web server and CGI processes can only access stuff from the /var/httpd directory; everything else is rejected".






      share|improve this answer


















      • 1




        This means that signing code would have to be in the interpreter itself. And what would stop a user from compiling their own copy of a shell without the signing enforcement code? Not allowing executing of any unsigned executables would do it, If the user doesn't have the signing key. There are various *nix projects for this already.
        – alzee
        Aug 9 '16 at 0:49














      up vote
      8
      down vote













      In a word, "no".



      Linux doesn't really differentiate between executables and scripts; the #! at the beginning is a way to tell the kernel what program to run to evaluate the input but it's not the only way a script can be executed.



      So, for example, if I have a script



      $ cat x
      #!/bin/sh
      echo hello


      Then I can run this with the command



      $ ./x


      That will cause the kernel to try and execute it, spot the #! and then effectively run /bin/sh x instead.



      However I could also run any of these variants as well:



      $ sh ./x
      $ bash ./x
      $ cat x | sh
      $ cat x | bash
      $ sh < x


      or even



      . ./x


      So even if the kernel tried to enforce signing at the exec layer we can bypass this by only running the interpreter with the script as a parameter.



      This means that signing code would have to be in the interpreter itself. And what would stop a user from compiling their own copy of a shell without the signing enforcement code?



      The standard solution to this isn't to use signing, but to use Mandatory Access Controls (MAC), such as SELinux. With MAC systems you can specify exactly what each user is allowed to run and transition layers. So, for example, you can say "normal users can run anything but the web server and CGI processes can only access stuff from the /var/httpd directory; everything else is rejected".






      share|improve this answer


















      • 1




        This means that signing code would have to be in the interpreter itself. And what would stop a user from compiling their own copy of a shell without the signing enforcement code? Not allowing executing of any unsigned executables would do it, If the user doesn't have the signing key. There are various *nix projects for this already.
        – alzee
        Aug 9 '16 at 0:49












      up vote
      8
      down vote










      up vote
      8
      down vote









      In a word, "no".



      Linux doesn't really differentiate between executables and scripts; the #! at the beginning is a way to tell the kernel what program to run to evaluate the input but it's not the only way a script can be executed.



      So, for example, if I have a script



      $ cat x
      #!/bin/sh
      echo hello


      Then I can run this with the command



      $ ./x


      That will cause the kernel to try and execute it, spot the #! and then effectively run /bin/sh x instead.



      However I could also run any of these variants as well:



      $ sh ./x
      $ bash ./x
      $ cat x | sh
      $ cat x | bash
      $ sh < x


      or even



      . ./x


      So even if the kernel tried to enforce signing at the exec layer we can bypass this by only running the interpreter with the script as a parameter.



      This means that signing code would have to be in the interpreter itself. And what would stop a user from compiling their own copy of a shell without the signing enforcement code?



      The standard solution to this isn't to use signing, but to use Mandatory Access Controls (MAC), such as SELinux. With MAC systems you can specify exactly what each user is allowed to run and transition layers. So, for example, you can say "normal users can run anything but the web server and CGI processes can only access stuff from the /var/httpd directory; everything else is rejected".






      share|improve this answer














      In a word, "no".



      Linux doesn't really differentiate between executables and scripts; the #! at the beginning is a way to tell the kernel what program to run to evaluate the input but it's not the only way a script can be executed.



      So, for example, if I have a script



      $ cat x
      #!/bin/sh
      echo hello


      Then I can run this with the command



      $ ./x


      That will cause the kernel to try and execute it, spot the #! and then effectively run /bin/sh x instead.



      However I could also run any of these variants as well:



      $ sh ./x
      $ bash ./x
      $ cat x | sh
      $ cat x | bash
      $ sh < x


      or even



      . ./x


      So even if the kernel tried to enforce signing at the exec layer we can bypass this by only running the interpreter with the script as a parameter.



      This means that signing code would have to be in the interpreter itself. And what would stop a user from compiling their own copy of a shell without the signing enforcement code?



      The standard solution to this isn't to use signing, but to use Mandatory Access Controls (MAC), such as SELinux. With MAC systems you can specify exactly what each user is allowed to run and transition layers. So, for example, you can say "normal users can run anything but the web server and CGI processes can only access stuff from the /var/httpd directory; everything else is rejected".







      share|improve this answer














      share|improve this answer



      share|improve this answer








      edited Aug 9 '16 at 9:57

























      answered Aug 8 '16 at 23:19









      Stephen Harris

      23k24176




      23k24176







      • 1




        This means that signing code would have to be in the interpreter itself. And what would stop a user from compiling their own copy of a shell without the signing enforcement code? Not allowing executing of any unsigned executables would do it, If the user doesn't have the signing key. There are various *nix projects for this already.
        – alzee
        Aug 9 '16 at 0:49












      • 1




        This means that signing code would have to be in the interpreter itself. And what would stop a user from compiling their own copy of a shell without the signing enforcement code? Not allowing executing of any unsigned executables would do it, If the user doesn't have the signing key. There are various *nix projects for this already.
        – alzee
        Aug 9 '16 at 0:49







      1




      1




      This means that signing code would have to be in the interpreter itself. And what would stop a user from compiling their own copy of a shell without the signing enforcement code? Not allowing executing of any unsigned executables would do it, If the user doesn't have the signing key. There are various *nix projects for this already.
      – alzee
      Aug 9 '16 at 0:49




      This means that signing code would have to be in the interpreter itself. And what would stop a user from compiling their own copy of a shell without the signing enforcement code? Not allowing executing of any unsigned executables would do it, If the user doesn't have the signing key. There are various *nix projects for this already.
      – alzee
      Aug 9 '16 at 0:49










      up vote
      2
      down vote













      Linux distros usually have gnupg. It sounds to me like all you want is a simple bash wrapper that checks a detached gpg signature against the argument script and only proceeds to run the script if the check succeeds:



      #!/bin/sh
      gpgv2 $1.asc && bash "$@"





      share|improve this answer




















      • The only thing this doesn't present is running a script that somebody just made...on their own...
        – leeand00
        Aug 8 '16 at 23:10














      up vote
      2
      down vote













      Linux distros usually have gnupg. It sounds to me like all you want is a simple bash wrapper that checks a detached gpg signature against the argument script and only proceeds to run the script if the check succeeds:



      #!/bin/sh
      gpgv2 $1.asc && bash "$@"





      share|improve this answer




















      • The only thing this doesn't present is running a script that somebody just made...on their own...
        – leeand00
        Aug 8 '16 at 23:10












      up vote
      2
      down vote










      up vote
      2
      down vote









      Linux distros usually have gnupg. It sounds to me like all you want is a simple bash wrapper that checks a detached gpg signature against the argument script and only proceeds to run the script if the check succeeds:



      #!/bin/sh
      gpgv2 $1.asc && bash "$@"





      share|improve this answer












      Linux distros usually have gnupg. It sounds to me like all you want is a simple bash wrapper that checks a detached gpg signature against the argument script and only proceeds to run the script if the check succeeds:



      #!/bin/sh
      gpgv2 $1.asc && bash "$@"






      share|improve this answer












      share|improve this answer



      share|improve this answer










      answered Aug 8 '16 at 23:08









      PSkocik

      17.5k44993




      17.5k44993











      • The only thing this doesn't present is running a script that somebody just made...on their own...
        – leeand00
        Aug 8 '16 at 23:10
















      • The only thing this doesn't present is running a script that somebody just made...on their own...
        – leeand00
        Aug 8 '16 at 23:10















      The only thing this doesn't present is running a script that somebody just made...on their own...
      – leeand00
      Aug 8 '16 at 23:10




      The only thing this doesn't present is running a script that somebody just made...on their own...
      – leeand00
      Aug 8 '16 at 23:10










      up vote
      2
      down vote













      The counter-question that comes to mind immediately is "Why would you ever want to prevent users from running programs they wrote?" Several possibilities exist:



      1. It is literally impossible to detect who authored the code in the first place. The owner of the script file is just whoever actually saved the content of that file, regardless of where it came from. So enforcing a signature is just a complicated substitute for a confirmation dialogue box: "Are you sure you want to do this?" In Linux part of this problem is solved transparently with signed packages, and mitigated by the fact that users have limited access by default. The user is also expected to know that running others' code can be dangerous*.

      2. In the same vein signing a script is a much more complex operation than saving a file. In the best case this prompts the user to realise that they are performing an action similar to signing a document, and should inspect what it says before continuing. Most likely it simply ensures a very minimal level of technical proficiency on the part of the user to be allowed to run the script. In the worst case it demonstrates a willingness to jump through a long series of hoops to run what they wanted to. Technical proficiency is assumed on Linux*.

      3. It is more likely that people will detect obviously malicious code when typing/pasting a series of commands to their command line. Plaintext snippets meant to be copied and pasted usually are smaller than the series of commands necessary to do something properly nefarious. The user can also carefully copy and paste every line separately, understanding what happens as it happens. With a script it's possible the user has never looked at the code at all. This may be a useful application of signed scripts, at the all-too-common cost of complacency after the 12th time you have to do it.

      * This is probably becoming less and less true as more people start using Linux






      share|improve this answer
























        up vote
        2
        down vote













        The counter-question that comes to mind immediately is "Why would you ever want to prevent users from running programs they wrote?" Several possibilities exist:



        1. It is literally impossible to detect who authored the code in the first place. The owner of the script file is just whoever actually saved the content of that file, regardless of where it came from. So enforcing a signature is just a complicated substitute for a confirmation dialogue box: "Are you sure you want to do this?" In Linux part of this problem is solved transparently with signed packages, and mitigated by the fact that users have limited access by default. The user is also expected to know that running others' code can be dangerous*.

        2. In the same vein signing a script is a much more complex operation than saving a file. In the best case this prompts the user to realise that they are performing an action similar to signing a document, and should inspect what it says before continuing. Most likely it simply ensures a very minimal level of technical proficiency on the part of the user to be allowed to run the script. In the worst case it demonstrates a willingness to jump through a long series of hoops to run what they wanted to. Technical proficiency is assumed on Linux*.

        3. It is more likely that people will detect obviously malicious code when typing/pasting a series of commands to their command line. Plaintext snippets meant to be copied and pasted usually are smaller than the series of commands necessary to do something properly nefarious. The user can also carefully copy and paste every line separately, understanding what happens as it happens. With a script it's possible the user has never looked at the code at all. This may be a useful application of signed scripts, at the all-too-common cost of complacency after the 12th time you have to do it.

        * This is probably becoming less and less true as more people start using Linux






        share|improve this answer






















          up vote
          2
          down vote










          up vote
          2
          down vote









          The counter-question that comes to mind immediately is "Why would you ever want to prevent users from running programs they wrote?" Several possibilities exist:



          1. It is literally impossible to detect who authored the code in the first place. The owner of the script file is just whoever actually saved the content of that file, regardless of where it came from. So enforcing a signature is just a complicated substitute for a confirmation dialogue box: "Are you sure you want to do this?" In Linux part of this problem is solved transparently with signed packages, and mitigated by the fact that users have limited access by default. The user is also expected to know that running others' code can be dangerous*.

          2. In the same vein signing a script is a much more complex operation than saving a file. In the best case this prompts the user to realise that they are performing an action similar to signing a document, and should inspect what it says before continuing. Most likely it simply ensures a very minimal level of technical proficiency on the part of the user to be allowed to run the script. In the worst case it demonstrates a willingness to jump through a long series of hoops to run what they wanted to. Technical proficiency is assumed on Linux*.

          3. It is more likely that people will detect obviously malicious code when typing/pasting a series of commands to their command line. Plaintext snippets meant to be copied and pasted usually are smaller than the series of commands necessary to do something properly nefarious. The user can also carefully copy and paste every line separately, understanding what happens as it happens. With a script it's possible the user has never looked at the code at all. This may be a useful application of signed scripts, at the all-too-common cost of complacency after the 12th time you have to do it.

          * This is probably becoming less and less true as more people start using Linux






          share|improve this answer












          The counter-question that comes to mind immediately is "Why would you ever want to prevent users from running programs they wrote?" Several possibilities exist:



          1. It is literally impossible to detect who authored the code in the first place. The owner of the script file is just whoever actually saved the content of that file, regardless of where it came from. So enforcing a signature is just a complicated substitute for a confirmation dialogue box: "Are you sure you want to do this?" In Linux part of this problem is solved transparently with signed packages, and mitigated by the fact that users have limited access by default. The user is also expected to know that running others' code can be dangerous*.

          2. In the same vein signing a script is a much more complex operation than saving a file. In the best case this prompts the user to realise that they are performing an action similar to signing a document, and should inspect what it says before continuing. Most likely it simply ensures a very minimal level of technical proficiency on the part of the user to be allowed to run the script. In the worst case it demonstrates a willingness to jump through a long series of hoops to run what they wanted to. Technical proficiency is assumed on Linux*.

          3. It is more likely that people will detect obviously malicious code when typing/pasting a series of commands to their command line. Plaintext snippets meant to be copied and pasted usually are smaller than the series of commands necessary to do something properly nefarious. The user can also carefully copy and paste every line separately, understanding what happens as it happens. With a script it's possible the user has never looked at the code at all. This may be a useful application of signed scripts, at the all-too-common cost of complacency after the 12th time you have to do it.

          * This is probably becoming less and less true as more people start using Linux







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Aug 9 '16 at 8:23









          l0b0

          27.3k17111237




          27.3k17111237




















              up vote
              1
              down vote













              The reason the systems have evolved differently is that Linux has the 'exec' file attribute and Windows uses file extensions to determine executability.



              So in Windows it's easy to trick the user into downloading a file with an ".exe", ".bat", ".scr" extension, which will be hidden by default. Double-clicking that file would give you arbitary code execution. Hence a large mechanism of origin tracking and executable / script signing was built to mitigate this risk.



              On Linux, you might be able to get a file to the user, but you can't easily force the 'exec' bit to be set. Additionally, it's possible to make entire filesystems 'noexec'.



              You can in any case run a script explicitly by invoking the interpreter. You can even create shell scripts at runtime and pipe them into "sh", or run "sh -c".






              share|improve this answer
























                up vote
                1
                down vote













                The reason the systems have evolved differently is that Linux has the 'exec' file attribute and Windows uses file extensions to determine executability.



                So in Windows it's easy to trick the user into downloading a file with an ".exe", ".bat", ".scr" extension, which will be hidden by default. Double-clicking that file would give you arbitary code execution. Hence a large mechanism of origin tracking and executable / script signing was built to mitigate this risk.



                On Linux, you might be able to get a file to the user, but you can't easily force the 'exec' bit to be set. Additionally, it's possible to make entire filesystems 'noexec'.



                You can in any case run a script explicitly by invoking the interpreter. You can even create shell scripts at runtime and pipe them into "sh", or run "sh -c".






                share|improve this answer






















                  up vote
                  1
                  down vote










                  up vote
                  1
                  down vote









                  The reason the systems have evolved differently is that Linux has the 'exec' file attribute and Windows uses file extensions to determine executability.



                  So in Windows it's easy to trick the user into downloading a file with an ".exe", ".bat", ".scr" extension, which will be hidden by default. Double-clicking that file would give you arbitary code execution. Hence a large mechanism of origin tracking and executable / script signing was built to mitigate this risk.



                  On Linux, you might be able to get a file to the user, but you can't easily force the 'exec' bit to be set. Additionally, it's possible to make entire filesystems 'noexec'.



                  You can in any case run a script explicitly by invoking the interpreter. You can even create shell scripts at runtime and pipe them into "sh", or run "sh -c".






                  share|improve this answer












                  The reason the systems have evolved differently is that Linux has the 'exec' file attribute and Windows uses file extensions to determine executability.



                  So in Windows it's easy to trick the user into downloading a file with an ".exe", ".bat", ".scr" extension, which will be hidden by default. Double-clicking that file would give you arbitary code execution. Hence a large mechanism of origin tracking and executable / script signing was built to mitigate this risk.



                  On Linux, you might be able to get a file to the user, but you can't easily force the 'exec' bit to be set. Additionally, it's possible to make entire filesystems 'noexec'.



                  You can in any case run a script explicitly by invoking the interpreter. You can even create shell scripts at runtime and pipe them into "sh", or run "sh -c".







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered Aug 9 '16 at 9:18









                  pjc50

                  2,4291111




                  2,4291111




















                      up vote
                      0
                      down vote













                      By custom, many archiving programs do not preserve execute bit on contained files. This makes it impossible to run arbitrary executables. Well almost.



                      The point is, what was described in another answer that lack of execute bit doesn't prevent you from passing such script directly to bash. While it's arguable that most such scripts are bash scripts, the shebang can specify any program as interpreter. This means that it's up to the user to run appropriate interpreter if they decide to ignore the executable semantics.



                      While this isn't much, this pretty much covers prevention of running untrusted executables on *nixes with just kernel and shell.



                      As I mentioned in one of the comments, there is one other layer of protection -- SeLinux -- which tracks the origin of files based on a set of rules. A set up SeLinux would not for example allow root to run an executable with executable bit set that was downloaded from the internet, even if you copy and move the file around. One can add a rule that such files can only be run through another binary that would check the signature, not unlike what you mentioned in your question.



                      So, in the end it's a matter of configuration of commonly preinstalled tools, and the answer is yes.






                      share|improve this answer






















                      • many archiving programs do not preserve execute bit on contained files .. well, that's kind of a handicap when you actually want to use it for archiving. Fortunately tar does preserve the execute bit.
                        – pjc50
                        Aug 9 '16 at 9:19










                      • You have to use tar -p source
                        – loa_in_
                        Aug 9 '16 at 9:47










                      • -p, --preserve-permissions, --same-permissions means extract information about file permissions (default for superuser)
                        – loa_in_
                        Aug 9 '16 at 9:49











                      • No, you do NOT need -p. I see what the man page says, but it's not what happens. touch permtest; chmod +x permtest; tar cf permtest.tar.gz permtest; rm permtest; tar xf permtest.tar.gz; ls -l permtest - it's executable here, and I'm not root.
                        – domen
                        Aug 9 '16 at 11:02










                      • I'll try to improve my answer then.
                        – loa_in_
                        Aug 9 '16 at 19:48














                      up vote
                      0
                      down vote













                      By custom, many archiving programs do not preserve execute bit on contained files. This makes it impossible to run arbitrary executables. Well almost.



                      The point is, what was described in another answer that lack of execute bit doesn't prevent you from passing such script directly to bash. While it's arguable that most such scripts are bash scripts, the shebang can specify any program as interpreter. This means that it's up to the user to run appropriate interpreter if they decide to ignore the executable semantics.



                      While this isn't much, this pretty much covers prevention of running untrusted executables on *nixes with just kernel and shell.



                      As I mentioned in one of the comments, there is one other layer of protection -- SeLinux -- which tracks the origin of files based on a set of rules. A set up SeLinux would not for example allow root to run an executable with executable bit set that was downloaded from the internet, even if you copy and move the file around. One can add a rule that such files can only be run through another binary that would check the signature, not unlike what you mentioned in your question.



                      So, in the end it's a matter of configuration of commonly preinstalled tools, and the answer is yes.






                      share|improve this answer






















                      • many archiving programs do not preserve execute bit on contained files .. well, that's kind of a handicap when you actually want to use it for archiving. Fortunately tar does preserve the execute bit.
                        – pjc50
                        Aug 9 '16 at 9:19










                      • You have to use tar -p source
                        – loa_in_
                        Aug 9 '16 at 9:47










                      • -p, --preserve-permissions, --same-permissions means extract information about file permissions (default for superuser)
                        – loa_in_
                        Aug 9 '16 at 9:49











                      • No, you do NOT need -p. I see what the man page says, but it's not what happens. touch permtest; chmod +x permtest; tar cf permtest.tar.gz permtest; rm permtest; tar xf permtest.tar.gz; ls -l permtest - it's executable here, and I'm not root.
                        – domen
                        Aug 9 '16 at 11:02










                      • I'll try to improve my answer then.
                        – loa_in_
                        Aug 9 '16 at 19:48












                      up vote
                      0
                      down vote










                      up vote
                      0
                      down vote









                      By custom, many archiving programs do not preserve execute bit on contained files. This makes it impossible to run arbitrary executables. Well almost.



                      The point is, what was described in another answer that lack of execute bit doesn't prevent you from passing such script directly to bash. While it's arguable that most such scripts are bash scripts, the shebang can specify any program as interpreter. This means that it's up to the user to run appropriate interpreter if they decide to ignore the executable semantics.



                      While this isn't much, this pretty much covers prevention of running untrusted executables on *nixes with just kernel and shell.



                      As I mentioned in one of the comments, there is one other layer of protection -- SeLinux -- which tracks the origin of files based on a set of rules. A set up SeLinux would not for example allow root to run an executable with executable bit set that was downloaded from the internet, even if you copy and move the file around. One can add a rule that such files can only be run through another binary that would check the signature, not unlike what you mentioned in your question.



                      So, in the end it's a matter of configuration of commonly preinstalled tools, and the answer is yes.






                      share|improve this answer














                      By custom, many archiving programs do not preserve execute bit on contained files. This makes it impossible to run arbitrary executables. Well almost.



                      The point is, what was described in another answer that lack of execute bit doesn't prevent you from passing such script directly to bash. While it's arguable that most such scripts are bash scripts, the shebang can specify any program as interpreter. This means that it's up to the user to run appropriate interpreter if they decide to ignore the executable semantics.



                      While this isn't much, this pretty much covers prevention of running untrusted executables on *nixes with just kernel and shell.



                      As I mentioned in one of the comments, there is one other layer of protection -- SeLinux -- which tracks the origin of files based on a set of rules. A set up SeLinux would not for example allow root to run an executable with executable bit set that was downloaded from the internet, even if you copy and move the file around. One can add a rule that such files can only be run through another binary that would check the signature, not unlike what you mentioned in your question.



                      So, in the end it's a matter of configuration of commonly preinstalled tools, and the answer is yes.







                      share|improve this answer














                      share|improve this answer



                      share|improve this answer








                      edited Aug 9 '16 at 1:34

























                      answered Aug 9 '16 at 1:29









                      loa_in_

                      22717




                      22717











                      • many archiving programs do not preserve execute bit on contained files .. well, that's kind of a handicap when you actually want to use it for archiving. Fortunately tar does preserve the execute bit.
                        – pjc50
                        Aug 9 '16 at 9:19










                      • You have to use tar -p source
                        – loa_in_
                        Aug 9 '16 at 9:47










                      • -p, --preserve-permissions, --same-permissions means extract information about file permissions (default for superuser)
                        – loa_in_
                        Aug 9 '16 at 9:49











                      • No, you do NOT need -p. I see what the man page says, but it's not what happens. touch permtest; chmod +x permtest; tar cf permtest.tar.gz permtest; rm permtest; tar xf permtest.tar.gz; ls -l permtest - it's executable here, and I'm not root.
                        – domen
                        Aug 9 '16 at 11:02










                      • I'll try to improve my answer then.
                        – loa_in_
                        Aug 9 '16 at 19:48
















                      • many archiving programs do not preserve execute bit on contained files .. well, that's kind of a handicap when you actually want to use it for archiving. Fortunately tar does preserve the execute bit.
                        – pjc50
                        Aug 9 '16 at 9:19










                      • You have to use tar -p source
                        – loa_in_
                        Aug 9 '16 at 9:47










                      • -p, --preserve-permissions, --same-permissions means extract information about file permissions (default for superuser)
                        – loa_in_
                        Aug 9 '16 at 9:49











                      • No, you do NOT need -p. I see what the man page says, but it's not what happens. touch permtest; chmod +x permtest; tar cf permtest.tar.gz permtest; rm permtest; tar xf permtest.tar.gz; ls -l permtest - it's executable here, and I'm not root.
                        – domen
                        Aug 9 '16 at 11:02










                      • I'll try to improve my answer then.
                        – loa_in_
                        Aug 9 '16 at 19:48















                      many archiving programs do not preserve execute bit on contained files .. well, that's kind of a handicap when you actually want to use it for archiving. Fortunately tar does preserve the execute bit.
                      – pjc50
                      Aug 9 '16 at 9:19




                      many archiving programs do not preserve execute bit on contained files .. well, that's kind of a handicap when you actually want to use it for archiving. Fortunately tar does preserve the execute bit.
                      – pjc50
                      Aug 9 '16 at 9:19












                      You have to use tar -p source
                      – loa_in_
                      Aug 9 '16 at 9:47




                      You have to use tar -p source
                      – loa_in_
                      Aug 9 '16 at 9:47












                      -p, --preserve-permissions, --same-permissions means extract information about file permissions (default for superuser)
                      – loa_in_
                      Aug 9 '16 at 9:49





                      -p, --preserve-permissions, --same-permissions means extract information about file permissions (default for superuser)
                      – loa_in_
                      Aug 9 '16 at 9:49













                      No, you do NOT need -p. I see what the man page says, but it's not what happens. touch permtest; chmod +x permtest; tar cf permtest.tar.gz permtest; rm permtest; tar xf permtest.tar.gz; ls -l permtest - it's executable here, and I'm not root.
                      – domen
                      Aug 9 '16 at 11:02




                      No, you do NOT need -p. I see what the man page says, but it's not what happens. touch permtest; chmod +x permtest; tar cf permtest.tar.gz permtest; rm permtest; tar xf permtest.tar.gz; ls -l permtest - it's executable here, and I'm not root.
                      – domen
                      Aug 9 '16 at 11:02












                      I'll try to improve my answer then.
                      – loa_in_
                      Aug 9 '16 at 19:48




                      I'll try to improve my answer then.
                      – loa_in_
                      Aug 9 '16 at 19:48

















                       

                      draft saved


                      draft discarded















































                       


                      draft saved


                      draft discarded














                      StackExchange.ready(
                      function ()
                      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f302139%2fis-there-a-shell-that-checks-to-make-sure-the-code-is-signed%23new-answer', 'question_page');

                      );

                      Post as a guest















                      Required, but never shown





















































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown

































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown






                      Popular posts from this blog

                      How to check contact read email or not when send email to Individual?

                      Displaying single band from multi-band raster using QGIS

                      How many registers does an x86_64 CPU actually have?