Is there a shell that checks to make sure the code is signed?
Clash Royale CLAN TAG#URR8PPP
up vote
18
down vote
favorite
I was messing around with PowerShell this week and discovered that you are required to Sign your scripts so that they can be run. Is there any similar secure functionality in Linux that relates to preventing bash scripts from being run?
The only functionality similar to this, that I'm aware of is that of SSH requiring a certain key.
linux scripting security
|
show 6 more comments
up vote
18
down vote
favorite
I was messing around with PowerShell this week and discovered that you are required to Sign your scripts so that they can be run. Is there any similar secure functionality in Linux that relates to preventing bash scripts from being run?
The only functionality similar to this, that I'm aware of is that of SSH requiring a certain key.
linux scripting security
2
Sounds a bit like an ad-hoc solution to package signing to me. I don't know if Windows has cryptographic package signing the way Linux has.
– Wildcard
Aug 8 '16 at 22:36
6
@leeand00 A script is a special case of a software package and I can't see any point to singling out that case.
– Gilles
Aug 9 '16 at 0:07
2
The mechanism I'm most fond of is the way ChromeOS does this -- putting the only filesystem not flaggednoexec
on a read-only partition on a dm-verity signed block device.
– Charles Duffy
Aug 9 '16 at 1:45
1
source.android.com/security/verifiedboot talks about Android's adoption of that (initially ChromeOS) feature.
– Charles Duffy
Aug 9 '16 at 2:10
1
You can consider bash as a bunch of commands that can be typed manual in command line interface. What's the point to restrict the scripts when you can type the contents in command line anyway?
– Ding-Yi Chen
Aug 9 '16 at 3:43
|
show 6 more comments
up vote
18
down vote
favorite
up vote
18
down vote
favorite
I was messing around with PowerShell this week and discovered that you are required to Sign your scripts so that they can be run. Is there any similar secure functionality in Linux that relates to preventing bash scripts from being run?
The only functionality similar to this, that I'm aware of is that of SSH requiring a certain key.
linux scripting security
I was messing around with PowerShell this week and discovered that you are required to Sign your scripts so that they can be run. Is there any similar secure functionality in Linux that relates to preventing bash scripts from being run?
The only functionality similar to this, that I'm aware of is that of SSH requiring a certain key.
linux scripting security
linux scripting security
edited Nov 20 at 6:56
Evan Carroll
4,91094075
4,91094075
asked Aug 8 '16 at 22:32
leeand00
1,34332341
1,34332341
2
Sounds a bit like an ad-hoc solution to package signing to me. I don't know if Windows has cryptographic package signing the way Linux has.
– Wildcard
Aug 8 '16 at 22:36
6
@leeand00 A script is a special case of a software package and I can't see any point to singling out that case.
– Gilles
Aug 9 '16 at 0:07
2
The mechanism I'm most fond of is the way ChromeOS does this -- putting the only filesystem not flaggednoexec
on a read-only partition on a dm-verity signed block device.
– Charles Duffy
Aug 9 '16 at 1:45
1
source.android.com/security/verifiedboot talks about Android's adoption of that (initially ChromeOS) feature.
– Charles Duffy
Aug 9 '16 at 2:10
1
You can consider bash as a bunch of commands that can be typed manual in command line interface. What's the point to restrict the scripts when you can type the contents in command line anyway?
– Ding-Yi Chen
Aug 9 '16 at 3:43
|
show 6 more comments
2
Sounds a bit like an ad-hoc solution to package signing to me. I don't know if Windows has cryptographic package signing the way Linux has.
– Wildcard
Aug 8 '16 at 22:36
6
@leeand00 A script is a special case of a software package and I can't see any point to singling out that case.
– Gilles
Aug 9 '16 at 0:07
2
The mechanism I'm most fond of is the way ChromeOS does this -- putting the only filesystem not flaggednoexec
on a read-only partition on a dm-verity signed block device.
– Charles Duffy
Aug 9 '16 at 1:45
1
source.android.com/security/verifiedboot talks about Android's adoption of that (initially ChromeOS) feature.
– Charles Duffy
Aug 9 '16 at 2:10
1
You can consider bash as a bunch of commands that can be typed manual in command line interface. What's the point to restrict the scripts when you can type the contents in command line anyway?
– Ding-Yi Chen
Aug 9 '16 at 3:43
2
2
Sounds a bit like an ad-hoc solution to package signing to me. I don't know if Windows has cryptographic package signing the way Linux has.
– Wildcard
Aug 8 '16 at 22:36
Sounds a bit like an ad-hoc solution to package signing to me. I don't know if Windows has cryptographic package signing the way Linux has.
– Wildcard
Aug 8 '16 at 22:36
6
6
@leeand00 A script is a special case of a software package and I can't see any point to singling out that case.
– Gilles
Aug 9 '16 at 0:07
@leeand00 A script is a special case of a software package and I can't see any point to singling out that case.
– Gilles
Aug 9 '16 at 0:07
2
2
The mechanism I'm most fond of is the way ChromeOS does this -- putting the only filesystem not flagged
noexec
on a read-only partition on a dm-verity signed block device.– Charles Duffy
Aug 9 '16 at 1:45
The mechanism I'm most fond of is the way ChromeOS does this -- putting the only filesystem not flagged
noexec
on a read-only partition on a dm-verity signed block device.– Charles Duffy
Aug 9 '16 at 1:45
1
1
source.android.com/security/verifiedboot talks about Android's adoption of that (initially ChromeOS) feature.
– Charles Duffy
Aug 9 '16 at 2:10
source.android.com/security/verifiedboot talks about Android's adoption of that (initially ChromeOS) feature.
– Charles Duffy
Aug 9 '16 at 2:10
1
1
You can consider bash as a bunch of commands that can be typed manual in command line interface. What's the point to restrict the scripts when you can type the contents in command line anyway?
– Ding-Yi Chen
Aug 9 '16 at 3:43
You can consider bash as a bunch of commands that can be typed manual in command line interface. What's the point to restrict the scripts when you can type the contents in command line anyway?
– Ding-Yi Chen
Aug 9 '16 at 3:43
|
show 6 more comments
8 Answers
8
active
oldest
votes
up vote
10
down vote
accepted
If you're locking users' ability to run scripts via sudo
then you could use the digest
functionality.
You can specify the hash of a script/executable in sudoers
which will be verified by sudo
before being executed. So although not the same as signing, it gives you a basic guarantee that the script has at least not been modified without sudoers also being modified.
If a command name is prefixed with a Digest_Spec, the command will only match successfully if it can be verified using the specified SHA-2 digest. This may be useful in situations where the user invoking sudo has write access to the command or its parent directory. The following digest formats are supported: sha224, sha256, sha384 and sha512. The string may be specified in either hex or base64 format (base64 is more compact). There are several utilities capable of generating SHA-2 digests in hex format such as openssl, shasum, sha224sum, sha256sum, sha384sum, sha512sum.
http://www.sudo.ws/man/1.8.13/sudoers.man.html
That'll hold me over until I read about SE Linux and do it right.
– leeand00
Aug 10 '16 at 13:22
add a comment |
up vote
13
down vote
Yes and no.
Linux software distribution works somewhat differently from Windows software distribution. In the (non-embedded) Linux world, the primary method to distribute software is via a distribution (Ubuntu, Debian, RHEL, Fedora, Arch, etc.). All major distributions have been signing their packages systematically for about a decade.
When software is distributed independently, it's up to the vendor to decide how they'll ship their software. Good vendors provide package sources that's compatible with the major distributions (there's no unified distribution mechanism for all of Linux: software distribution is one of the main points of differentiation between distributions) and that are signed with the vendor's key. Linux distributions rarely act as a signing authority for third-party vendors (Canonical does this with Ubuntu partners, but that covers very few vendors), and I think all major distributions use the PGP web of trust rather than the TLS public key infrastructure, so it's up to the user to figure out whether they want to trust a key.
There's no special mechanism that singles out software packages that consist of a single script from software packages that consist of a native executable, a data file, or multiple files. Nor is any signature verification built into any common script interpreter, because verifying a software package is a completely orthogonal concern from running a script.
I think Windows annotates files with their origin, and requires user confirmation to run a file whose origin is “downloaded” rather than “local”. Linux doesn't really have a similar mechanism. The closest thing is execution permission: a downloaded file does not have execution permission, the user needs to explicitly enable it (chmod +x
on the command line, or the equivalent action in a file manager).
2
FWIW, on top of this PowerShell can be configured (by policy settings) to only execute signed scripts and this policy can be configured so that all scripts must be signed or only "remote origin" scripts, or no scripts. It works best in an AD environment with key management and central policy management. It can be bypassed :-)
– Stephen Harris
Aug 9 '16 at 0:43
@StephenHarris Well yeah if you set It to bypass...
– leeand00
Aug 9 '16 at 0:45
@leeand00 - Apparently base64 encoding also works as a bypass but I don't know if that's been closed in newer versions of PowerShell.
– Stephen Harris
Aug 9 '16 at 0:47
1
@leeand00 - see darkoperator.com/blog/2013/3/5/… for some fun :-) Basically pass the base64 encoded script as a parameter on the command line :-) Easy enough to wrapper!
– Stephen Harris
Aug 9 '16 at 0:50
2
SeLinux annotates files with their origin. It's one of its main premises.
– loa_in_
Aug 9 '16 at 1:11
|
show 1 more comment
up vote
9
down vote
Linux does not provide the capability to limit the execution of bash scripts based on digital signatures.
There is some work on authenticating binary executables. See https://lwn.net/Articles/488906/ for info.
Upvote for direct answer without suggesting a hackey work-around.
– user394
Aug 9 '16 at 1:59
add a comment |
up vote
8
down vote
In a word, "no".
Linux doesn't really differentiate between executables and scripts; the #!
at the beginning is a way to tell the kernel what program to run to evaluate the input but it's not the only way a script can be executed.
So, for example, if I have a script
$ cat x
#!/bin/sh
echo hello
Then I can run this with the command
$ ./x
That will cause the kernel to try and execute it, spot the #!
and then effectively run /bin/sh x
instead.
However I could also run any of these variants as well:
$ sh ./x
$ bash ./x
$ cat x | sh
$ cat x | bash
$ sh < x
or even
. ./x
So even if the kernel tried to enforce signing at the exec
layer we can bypass this by only running the interpreter with the script as a parameter.
This means that signing code would have to be in the interpreter itself. And what would stop a user from compiling their own copy of a shell without the signing enforcement code?
The standard solution to this isn't to use signing, but to use Mandatory Access Controls (MAC), such as SELinux
. With MAC systems you can specify exactly what each user is allowed to run and transition layers. So, for example, you can say "normal users can run anything but the web server and CGI processes can only access stuff from the /var/httpd
directory; everything else is rejected".
1
This means that signing code would have to be in the interpreter itself. And what would stop a user from compiling their own copy of a shell without the signing enforcement code?
Not allowing executing of any unsigned executables would do it, If the user doesn't have the signing key. There are various *nix projects for this already.
– alzee
Aug 9 '16 at 0:49
add a comment |
up vote
2
down vote
Linux distros usually have gnupg. It sounds to me like all you want is a simple bash wrapper that checks a detached gpg signature against the argument script and only proceeds to run the script if the check succeeds:
#!/bin/sh
gpgv2 $1.asc && bash "$@"
The only thing this doesn't present is running a script that somebody just made...on their own...
– leeand00
Aug 8 '16 at 23:10
add a comment |
up vote
2
down vote
The counter-question that comes to mind immediately is "Why would you ever want to prevent users from running programs they wrote?" Several possibilities exist:
- It is literally impossible to detect who authored the code in the first place. The owner of the script file is just whoever actually saved the content of that file, regardless of where it came from. So enforcing a signature is just a complicated substitute for a confirmation dialogue box: "Are you sure you want to do this?" In Linux part of this problem is solved transparently with signed packages, and mitigated by the fact that users have limited access by default. The user is also expected to know that running others' code can be dangerous*.
- In the same vein signing a script is a much more complex operation than saving a file. In the best case this prompts the user to realise that they are performing an action similar to signing a document, and should inspect what it says before continuing. Most likely it simply ensures a very minimal level of technical proficiency on the part of the user to be allowed to run the script. In the worst case it demonstrates a willingness to jump through a long series of hoops to run what they wanted to. Technical proficiency is assumed on Linux*.
- It is more likely that people will detect obviously malicious code when typing/pasting a series of commands to their command line. Plaintext snippets meant to be copied and pasted usually are smaller than the series of commands necessary to do something properly nefarious. The user can also carefully copy and paste every line separately, understanding what happens as it happens. With a script it's possible the user has never looked at the code at all. This may be a useful application of signed scripts, at the all-too-common cost of complacency after the 12th time you have to do it.
* This is probably becoming less and less true as more people start using Linux
add a comment |
up vote
1
down vote
The reason the systems have evolved differently is that Linux has the 'exec' file attribute and Windows uses file extensions to determine executability.
So in Windows it's easy to trick the user into downloading a file with an ".exe", ".bat", ".scr" extension, which will be hidden by default. Double-clicking that file would give you arbitary code execution. Hence a large mechanism of origin tracking and executable / script signing was built to mitigate this risk.
On Linux, you might be able to get a file to the user, but you can't easily force the 'exec' bit to be set. Additionally, it's possible to make entire filesystems 'noexec'.
You can in any case run a script explicitly by invoking the interpreter. You can even create shell scripts at runtime and pipe them into "sh", or run "sh -c".
add a comment |
up vote
0
down vote
By custom, many archiving programs do not preserve execute bit on contained files. This makes it impossible to run arbitrary executables. Well almost.
The point is, what was described in another answer that lack of execute bit doesn't prevent you from passing such script directly to bash
. While it's arguable that most such scripts are bash
scripts, the shebang can specify any program as interpreter. This means that it's up to the user to run appropriate interpreter if they decide to ignore the executable semantics.
While this isn't much, this pretty much covers prevention of running untrusted executables on *nixes with just kernel and shell.
As I mentioned in one of the comments, there is one other layer of protection -- SeLinux
-- which tracks the origin of files based on a set of rules. A set up SeLinux
would not for example allow root to run an executable with executable bit set that was downloaded from the internet, even if you copy and move the file around. One can add a rule that such files can only be run through another binary that would check the signature, not unlike what you mentioned in your question.
So, in the end it's a matter of configuration of commonly preinstalled tools, and the answer is yes.
many archiving programs do not preserve execute bit on contained files .. well, that's kind of a handicap when you actually want to use it for archiving. Fortunatelytar
does preserve the execute bit.
– pjc50
Aug 9 '16 at 9:19
You have to usetar -p
source
– loa_in_
Aug 9 '16 at 9:47
-p, --preserve-permissions, --same-permissions
means extract information about file permissions (default for superuser)
– loa_in_
Aug 9 '16 at 9:49
No, you do NOT need -p. I see what the man page says, but it's not what happens.touch permtest; chmod +x permtest; tar cf permtest.tar.gz permtest; rm permtest; tar xf permtest.tar.gz; ls -l permtest
- it's executable here, and I'm not root.
– domen
Aug 9 '16 at 11:02
I'll try to improve my answer then.
– loa_in_
Aug 9 '16 at 19:48
add a comment |
8 Answers
8
active
oldest
votes
8 Answers
8
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
10
down vote
accepted
If you're locking users' ability to run scripts via sudo
then you could use the digest
functionality.
You can specify the hash of a script/executable in sudoers
which will be verified by sudo
before being executed. So although not the same as signing, it gives you a basic guarantee that the script has at least not been modified without sudoers also being modified.
If a command name is prefixed with a Digest_Spec, the command will only match successfully if it can be verified using the specified SHA-2 digest. This may be useful in situations where the user invoking sudo has write access to the command or its parent directory. The following digest formats are supported: sha224, sha256, sha384 and sha512. The string may be specified in either hex or base64 format (base64 is more compact). There are several utilities capable of generating SHA-2 digests in hex format such as openssl, shasum, sha224sum, sha256sum, sha384sum, sha512sum.
http://www.sudo.ws/man/1.8.13/sudoers.man.html
That'll hold me over until I read about SE Linux and do it right.
– leeand00
Aug 10 '16 at 13:22
add a comment |
up vote
10
down vote
accepted
If you're locking users' ability to run scripts via sudo
then you could use the digest
functionality.
You can specify the hash of a script/executable in sudoers
which will be verified by sudo
before being executed. So although not the same as signing, it gives you a basic guarantee that the script has at least not been modified without sudoers also being modified.
If a command name is prefixed with a Digest_Spec, the command will only match successfully if it can be verified using the specified SHA-2 digest. This may be useful in situations where the user invoking sudo has write access to the command or its parent directory. The following digest formats are supported: sha224, sha256, sha384 and sha512. The string may be specified in either hex or base64 format (base64 is more compact). There are several utilities capable of generating SHA-2 digests in hex format such as openssl, shasum, sha224sum, sha256sum, sha384sum, sha512sum.
http://www.sudo.ws/man/1.8.13/sudoers.man.html
That'll hold me over until I read about SE Linux and do it right.
– leeand00
Aug 10 '16 at 13:22
add a comment |
up vote
10
down vote
accepted
up vote
10
down vote
accepted
If you're locking users' ability to run scripts via sudo
then you could use the digest
functionality.
You can specify the hash of a script/executable in sudoers
which will be verified by sudo
before being executed. So although not the same as signing, it gives you a basic guarantee that the script has at least not been modified without sudoers also being modified.
If a command name is prefixed with a Digest_Spec, the command will only match successfully if it can be verified using the specified SHA-2 digest. This may be useful in situations where the user invoking sudo has write access to the command or its parent directory. The following digest formats are supported: sha224, sha256, sha384 and sha512. The string may be specified in either hex or base64 format (base64 is more compact). There are several utilities capable of generating SHA-2 digests in hex format such as openssl, shasum, sha224sum, sha256sum, sha384sum, sha512sum.
http://www.sudo.ws/man/1.8.13/sudoers.man.html
If you're locking users' ability to run scripts via sudo
then you could use the digest
functionality.
You can specify the hash of a script/executable in sudoers
which will be verified by sudo
before being executed. So although not the same as signing, it gives you a basic guarantee that the script has at least not been modified without sudoers also being modified.
If a command name is prefixed with a Digest_Spec, the command will only match successfully if it can be verified using the specified SHA-2 digest. This may be useful in situations where the user invoking sudo has write access to the command or its parent directory. The following digest formats are supported: sha224, sha256, sha384 and sha512. The string may be specified in either hex or base64 format (base64 is more compact). There are several utilities capable of generating SHA-2 digests in hex format such as openssl, shasum, sha224sum, sha256sum, sha384sum, sha512sum.
http://www.sudo.ws/man/1.8.13/sudoers.man.html
answered Aug 10 '16 at 13:20
batfastad
7652719
7652719
That'll hold me over until I read about SE Linux and do it right.
– leeand00
Aug 10 '16 at 13:22
add a comment |
That'll hold me over until I read about SE Linux and do it right.
– leeand00
Aug 10 '16 at 13:22
That'll hold me over until I read about SE Linux and do it right.
– leeand00
Aug 10 '16 at 13:22
That'll hold me over until I read about SE Linux and do it right.
– leeand00
Aug 10 '16 at 13:22
add a comment |
up vote
13
down vote
Yes and no.
Linux software distribution works somewhat differently from Windows software distribution. In the (non-embedded) Linux world, the primary method to distribute software is via a distribution (Ubuntu, Debian, RHEL, Fedora, Arch, etc.). All major distributions have been signing their packages systematically for about a decade.
When software is distributed independently, it's up to the vendor to decide how they'll ship their software. Good vendors provide package sources that's compatible with the major distributions (there's no unified distribution mechanism for all of Linux: software distribution is one of the main points of differentiation between distributions) and that are signed with the vendor's key. Linux distributions rarely act as a signing authority for third-party vendors (Canonical does this with Ubuntu partners, but that covers very few vendors), and I think all major distributions use the PGP web of trust rather than the TLS public key infrastructure, so it's up to the user to figure out whether they want to trust a key.
There's no special mechanism that singles out software packages that consist of a single script from software packages that consist of a native executable, a data file, or multiple files. Nor is any signature verification built into any common script interpreter, because verifying a software package is a completely orthogonal concern from running a script.
I think Windows annotates files with their origin, and requires user confirmation to run a file whose origin is “downloaded” rather than “local”. Linux doesn't really have a similar mechanism. The closest thing is execution permission: a downloaded file does not have execution permission, the user needs to explicitly enable it (chmod +x
on the command line, or the equivalent action in a file manager).
2
FWIW, on top of this PowerShell can be configured (by policy settings) to only execute signed scripts and this policy can be configured so that all scripts must be signed or only "remote origin" scripts, or no scripts. It works best in an AD environment with key management and central policy management. It can be bypassed :-)
– Stephen Harris
Aug 9 '16 at 0:43
@StephenHarris Well yeah if you set It to bypass...
– leeand00
Aug 9 '16 at 0:45
@leeand00 - Apparently base64 encoding also works as a bypass but I don't know if that's been closed in newer versions of PowerShell.
– Stephen Harris
Aug 9 '16 at 0:47
1
@leeand00 - see darkoperator.com/blog/2013/3/5/… for some fun :-) Basically pass the base64 encoded script as a parameter on the command line :-) Easy enough to wrapper!
– Stephen Harris
Aug 9 '16 at 0:50
2
SeLinux annotates files with their origin. It's one of its main premises.
– loa_in_
Aug 9 '16 at 1:11
|
show 1 more comment
up vote
13
down vote
Yes and no.
Linux software distribution works somewhat differently from Windows software distribution. In the (non-embedded) Linux world, the primary method to distribute software is via a distribution (Ubuntu, Debian, RHEL, Fedora, Arch, etc.). All major distributions have been signing their packages systematically for about a decade.
When software is distributed independently, it's up to the vendor to decide how they'll ship their software. Good vendors provide package sources that's compatible with the major distributions (there's no unified distribution mechanism for all of Linux: software distribution is one of the main points of differentiation between distributions) and that are signed with the vendor's key. Linux distributions rarely act as a signing authority for third-party vendors (Canonical does this with Ubuntu partners, but that covers very few vendors), and I think all major distributions use the PGP web of trust rather than the TLS public key infrastructure, so it's up to the user to figure out whether they want to trust a key.
There's no special mechanism that singles out software packages that consist of a single script from software packages that consist of a native executable, a data file, or multiple files. Nor is any signature verification built into any common script interpreter, because verifying a software package is a completely orthogonal concern from running a script.
I think Windows annotates files with their origin, and requires user confirmation to run a file whose origin is “downloaded” rather than “local”. Linux doesn't really have a similar mechanism. The closest thing is execution permission: a downloaded file does not have execution permission, the user needs to explicitly enable it (chmod +x
on the command line, or the equivalent action in a file manager).
2
FWIW, on top of this PowerShell can be configured (by policy settings) to only execute signed scripts and this policy can be configured so that all scripts must be signed or only "remote origin" scripts, or no scripts. It works best in an AD environment with key management and central policy management. It can be bypassed :-)
– Stephen Harris
Aug 9 '16 at 0:43
@StephenHarris Well yeah if you set It to bypass...
– leeand00
Aug 9 '16 at 0:45
@leeand00 - Apparently base64 encoding also works as a bypass but I don't know if that's been closed in newer versions of PowerShell.
– Stephen Harris
Aug 9 '16 at 0:47
1
@leeand00 - see darkoperator.com/blog/2013/3/5/… for some fun :-) Basically pass the base64 encoded script as a parameter on the command line :-) Easy enough to wrapper!
– Stephen Harris
Aug 9 '16 at 0:50
2
SeLinux annotates files with their origin. It's one of its main premises.
– loa_in_
Aug 9 '16 at 1:11
|
show 1 more comment
up vote
13
down vote
up vote
13
down vote
Yes and no.
Linux software distribution works somewhat differently from Windows software distribution. In the (non-embedded) Linux world, the primary method to distribute software is via a distribution (Ubuntu, Debian, RHEL, Fedora, Arch, etc.). All major distributions have been signing their packages systematically for about a decade.
When software is distributed independently, it's up to the vendor to decide how they'll ship their software. Good vendors provide package sources that's compatible with the major distributions (there's no unified distribution mechanism for all of Linux: software distribution is one of the main points of differentiation between distributions) and that are signed with the vendor's key. Linux distributions rarely act as a signing authority for third-party vendors (Canonical does this with Ubuntu partners, but that covers very few vendors), and I think all major distributions use the PGP web of trust rather than the TLS public key infrastructure, so it's up to the user to figure out whether they want to trust a key.
There's no special mechanism that singles out software packages that consist of a single script from software packages that consist of a native executable, a data file, or multiple files. Nor is any signature verification built into any common script interpreter, because verifying a software package is a completely orthogonal concern from running a script.
I think Windows annotates files with their origin, and requires user confirmation to run a file whose origin is “downloaded” rather than “local”. Linux doesn't really have a similar mechanism. The closest thing is execution permission: a downloaded file does not have execution permission, the user needs to explicitly enable it (chmod +x
on the command line, or the equivalent action in a file manager).
Yes and no.
Linux software distribution works somewhat differently from Windows software distribution. In the (non-embedded) Linux world, the primary method to distribute software is via a distribution (Ubuntu, Debian, RHEL, Fedora, Arch, etc.). All major distributions have been signing their packages systematically for about a decade.
When software is distributed independently, it's up to the vendor to decide how they'll ship their software. Good vendors provide package sources that's compatible with the major distributions (there's no unified distribution mechanism for all of Linux: software distribution is one of the main points of differentiation between distributions) and that are signed with the vendor's key. Linux distributions rarely act as a signing authority for third-party vendors (Canonical does this with Ubuntu partners, but that covers very few vendors), and I think all major distributions use the PGP web of trust rather than the TLS public key infrastructure, so it's up to the user to figure out whether they want to trust a key.
There's no special mechanism that singles out software packages that consist of a single script from software packages that consist of a native executable, a data file, or multiple files. Nor is any signature verification built into any common script interpreter, because verifying a software package is a completely orthogonal concern from running a script.
I think Windows annotates files with their origin, and requires user confirmation to run a file whose origin is “downloaded” rather than “local”. Linux doesn't really have a similar mechanism. The closest thing is execution permission: a downloaded file does not have execution permission, the user needs to explicitly enable it (chmod +x
on the command line, or the equivalent action in a file manager).
edited Aug 9 '16 at 0:46
answered Aug 9 '16 at 0:06
Gilles
522k12610401570
522k12610401570
2
FWIW, on top of this PowerShell can be configured (by policy settings) to only execute signed scripts and this policy can be configured so that all scripts must be signed or only "remote origin" scripts, or no scripts. It works best in an AD environment with key management and central policy management. It can be bypassed :-)
– Stephen Harris
Aug 9 '16 at 0:43
@StephenHarris Well yeah if you set It to bypass...
– leeand00
Aug 9 '16 at 0:45
@leeand00 - Apparently base64 encoding also works as a bypass but I don't know if that's been closed in newer versions of PowerShell.
– Stephen Harris
Aug 9 '16 at 0:47
1
@leeand00 - see darkoperator.com/blog/2013/3/5/… for some fun :-) Basically pass the base64 encoded script as a parameter on the command line :-) Easy enough to wrapper!
– Stephen Harris
Aug 9 '16 at 0:50
2
SeLinux annotates files with their origin. It's one of its main premises.
– loa_in_
Aug 9 '16 at 1:11
|
show 1 more comment
2
FWIW, on top of this PowerShell can be configured (by policy settings) to only execute signed scripts and this policy can be configured so that all scripts must be signed or only "remote origin" scripts, or no scripts. It works best in an AD environment with key management and central policy management. It can be bypassed :-)
– Stephen Harris
Aug 9 '16 at 0:43
@StephenHarris Well yeah if you set It to bypass...
– leeand00
Aug 9 '16 at 0:45
@leeand00 - Apparently base64 encoding also works as a bypass but I don't know if that's been closed in newer versions of PowerShell.
– Stephen Harris
Aug 9 '16 at 0:47
1
@leeand00 - see darkoperator.com/blog/2013/3/5/… for some fun :-) Basically pass the base64 encoded script as a parameter on the command line :-) Easy enough to wrapper!
– Stephen Harris
Aug 9 '16 at 0:50
2
SeLinux annotates files with their origin. It's one of its main premises.
– loa_in_
Aug 9 '16 at 1:11
2
2
FWIW, on top of this PowerShell can be configured (by policy settings) to only execute signed scripts and this policy can be configured so that all scripts must be signed or only "remote origin" scripts, or no scripts. It works best in an AD environment with key management and central policy management. It can be bypassed :-)
– Stephen Harris
Aug 9 '16 at 0:43
FWIW, on top of this PowerShell can be configured (by policy settings) to only execute signed scripts and this policy can be configured so that all scripts must be signed or only "remote origin" scripts, or no scripts. It works best in an AD environment with key management and central policy management. It can be bypassed :-)
– Stephen Harris
Aug 9 '16 at 0:43
@StephenHarris Well yeah if you set It to bypass...
– leeand00
Aug 9 '16 at 0:45
@StephenHarris Well yeah if you set It to bypass...
– leeand00
Aug 9 '16 at 0:45
@leeand00 - Apparently base64 encoding also works as a bypass but I don't know if that's been closed in newer versions of PowerShell.
– Stephen Harris
Aug 9 '16 at 0:47
@leeand00 - Apparently base64 encoding also works as a bypass but I don't know if that's been closed in newer versions of PowerShell.
– Stephen Harris
Aug 9 '16 at 0:47
1
1
@leeand00 - see darkoperator.com/blog/2013/3/5/… for some fun :-) Basically pass the base64 encoded script as a parameter on the command line :-) Easy enough to wrapper!
– Stephen Harris
Aug 9 '16 at 0:50
@leeand00 - see darkoperator.com/blog/2013/3/5/… for some fun :-) Basically pass the base64 encoded script as a parameter on the command line :-) Easy enough to wrapper!
– Stephen Harris
Aug 9 '16 at 0:50
2
2
SeLinux annotates files with their origin. It's one of its main premises.
– loa_in_
Aug 9 '16 at 1:11
SeLinux annotates files with their origin. It's one of its main premises.
– loa_in_
Aug 9 '16 at 1:11
|
show 1 more comment
up vote
9
down vote
Linux does not provide the capability to limit the execution of bash scripts based on digital signatures.
There is some work on authenticating binary executables. See https://lwn.net/Articles/488906/ for info.
Upvote for direct answer without suggesting a hackey work-around.
– user394
Aug 9 '16 at 1:59
add a comment |
up vote
9
down vote
Linux does not provide the capability to limit the execution of bash scripts based on digital signatures.
There is some work on authenticating binary executables. See https://lwn.net/Articles/488906/ for info.
Upvote for direct answer without suggesting a hackey work-around.
– user394
Aug 9 '16 at 1:59
add a comment |
up vote
9
down vote
up vote
9
down vote
Linux does not provide the capability to limit the execution of bash scripts based on digital signatures.
There is some work on authenticating binary executables. See https://lwn.net/Articles/488906/ for info.
Linux does not provide the capability to limit the execution of bash scripts based on digital signatures.
There is some work on authenticating binary executables. See https://lwn.net/Articles/488906/ for info.
answered Aug 8 '16 at 23:02
Quentin Fennessy
32414
32414
Upvote for direct answer without suggesting a hackey work-around.
– user394
Aug 9 '16 at 1:59
add a comment |
Upvote for direct answer without suggesting a hackey work-around.
– user394
Aug 9 '16 at 1:59
Upvote for direct answer without suggesting a hackey work-around.
– user394
Aug 9 '16 at 1:59
Upvote for direct answer without suggesting a hackey work-around.
– user394
Aug 9 '16 at 1:59
add a comment |
up vote
8
down vote
In a word, "no".
Linux doesn't really differentiate between executables and scripts; the #!
at the beginning is a way to tell the kernel what program to run to evaluate the input but it's not the only way a script can be executed.
So, for example, if I have a script
$ cat x
#!/bin/sh
echo hello
Then I can run this with the command
$ ./x
That will cause the kernel to try and execute it, spot the #!
and then effectively run /bin/sh x
instead.
However I could also run any of these variants as well:
$ sh ./x
$ bash ./x
$ cat x | sh
$ cat x | bash
$ sh < x
or even
. ./x
So even if the kernel tried to enforce signing at the exec
layer we can bypass this by only running the interpreter with the script as a parameter.
This means that signing code would have to be in the interpreter itself. And what would stop a user from compiling their own copy of a shell without the signing enforcement code?
The standard solution to this isn't to use signing, but to use Mandatory Access Controls (MAC), such as SELinux
. With MAC systems you can specify exactly what each user is allowed to run and transition layers. So, for example, you can say "normal users can run anything but the web server and CGI processes can only access stuff from the /var/httpd
directory; everything else is rejected".
1
This means that signing code would have to be in the interpreter itself. And what would stop a user from compiling their own copy of a shell without the signing enforcement code?
Not allowing executing of any unsigned executables would do it, If the user doesn't have the signing key. There are various *nix projects for this already.
– alzee
Aug 9 '16 at 0:49
add a comment |
up vote
8
down vote
In a word, "no".
Linux doesn't really differentiate between executables and scripts; the #!
at the beginning is a way to tell the kernel what program to run to evaluate the input but it's not the only way a script can be executed.
So, for example, if I have a script
$ cat x
#!/bin/sh
echo hello
Then I can run this with the command
$ ./x
That will cause the kernel to try and execute it, spot the #!
and then effectively run /bin/sh x
instead.
However I could also run any of these variants as well:
$ sh ./x
$ bash ./x
$ cat x | sh
$ cat x | bash
$ sh < x
or even
. ./x
So even if the kernel tried to enforce signing at the exec
layer we can bypass this by only running the interpreter with the script as a parameter.
This means that signing code would have to be in the interpreter itself. And what would stop a user from compiling their own copy of a shell without the signing enforcement code?
The standard solution to this isn't to use signing, but to use Mandatory Access Controls (MAC), such as SELinux
. With MAC systems you can specify exactly what each user is allowed to run and transition layers. So, for example, you can say "normal users can run anything but the web server and CGI processes can only access stuff from the /var/httpd
directory; everything else is rejected".
1
This means that signing code would have to be in the interpreter itself. And what would stop a user from compiling their own copy of a shell without the signing enforcement code?
Not allowing executing of any unsigned executables would do it, If the user doesn't have the signing key. There are various *nix projects for this already.
– alzee
Aug 9 '16 at 0:49
add a comment |
up vote
8
down vote
up vote
8
down vote
In a word, "no".
Linux doesn't really differentiate between executables and scripts; the #!
at the beginning is a way to tell the kernel what program to run to evaluate the input but it's not the only way a script can be executed.
So, for example, if I have a script
$ cat x
#!/bin/sh
echo hello
Then I can run this with the command
$ ./x
That will cause the kernel to try and execute it, spot the #!
and then effectively run /bin/sh x
instead.
However I could also run any of these variants as well:
$ sh ./x
$ bash ./x
$ cat x | sh
$ cat x | bash
$ sh < x
or even
. ./x
So even if the kernel tried to enforce signing at the exec
layer we can bypass this by only running the interpreter with the script as a parameter.
This means that signing code would have to be in the interpreter itself. And what would stop a user from compiling their own copy of a shell without the signing enforcement code?
The standard solution to this isn't to use signing, but to use Mandatory Access Controls (MAC), such as SELinux
. With MAC systems you can specify exactly what each user is allowed to run and transition layers. So, for example, you can say "normal users can run anything but the web server and CGI processes can only access stuff from the /var/httpd
directory; everything else is rejected".
In a word, "no".
Linux doesn't really differentiate between executables and scripts; the #!
at the beginning is a way to tell the kernel what program to run to evaluate the input but it's not the only way a script can be executed.
So, for example, if I have a script
$ cat x
#!/bin/sh
echo hello
Then I can run this with the command
$ ./x
That will cause the kernel to try and execute it, spot the #!
and then effectively run /bin/sh x
instead.
However I could also run any of these variants as well:
$ sh ./x
$ bash ./x
$ cat x | sh
$ cat x | bash
$ sh < x
or even
. ./x
So even if the kernel tried to enforce signing at the exec
layer we can bypass this by only running the interpreter with the script as a parameter.
This means that signing code would have to be in the interpreter itself. And what would stop a user from compiling their own copy of a shell without the signing enforcement code?
The standard solution to this isn't to use signing, but to use Mandatory Access Controls (MAC), such as SELinux
. With MAC systems you can specify exactly what each user is allowed to run and transition layers. So, for example, you can say "normal users can run anything but the web server and CGI processes can only access stuff from the /var/httpd
directory; everything else is rejected".
edited Aug 9 '16 at 9:57
answered Aug 8 '16 at 23:19
Stephen Harris
23k24176
23k24176
1
This means that signing code would have to be in the interpreter itself. And what would stop a user from compiling their own copy of a shell without the signing enforcement code?
Not allowing executing of any unsigned executables would do it, If the user doesn't have the signing key. There are various *nix projects for this already.
– alzee
Aug 9 '16 at 0:49
add a comment |
1
This means that signing code would have to be in the interpreter itself. And what would stop a user from compiling their own copy of a shell without the signing enforcement code?
Not allowing executing of any unsigned executables would do it, If the user doesn't have the signing key. There are various *nix projects for this already.
– alzee
Aug 9 '16 at 0:49
1
1
This means that signing code would have to be in the interpreter itself. And what would stop a user from compiling their own copy of a shell without the signing enforcement code?
Not allowing executing of any unsigned executables would do it, If the user doesn't have the signing key. There are various *nix projects for this already.– alzee
Aug 9 '16 at 0:49
This means that signing code would have to be in the interpreter itself. And what would stop a user from compiling their own copy of a shell without the signing enforcement code?
Not allowing executing of any unsigned executables would do it, If the user doesn't have the signing key. There are various *nix projects for this already.– alzee
Aug 9 '16 at 0:49
add a comment |
up vote
2
down vote
Linux distros usually have gnupg. It sounds to me like all you want is a simple bash wrapper that checks a detached gpg signature against the argument script and only proceeds to run the script if the check succeeds:
#!/bin/sh
gpgv2 $1.asc && bash "$@"
The only thing this doesn't present is running a script that somebody just made...on their own...
– leeand00
Aug 8 '16 at 23:10
add a comment |
up vote
2
down vote
Linux distros usually have gnupg. It sounds to me like all you want is a simple bash wrapper that checks a detached gpg signature against the argument script and only proceeds to run the script if the check succeeds:
#!/bin/sh
gpgv2 $1.asc && bash "$@"
The only thing this doesn't present is running a script that somebody just made...on their own...
– leeand00
Aug 8 '16 at 23:10
add a comment |
up vote
2
down vote
up vote
2
down vote
Linux distros usually have gnupg. It sounds to me like all you want is a simple bash wrapper that checks a detached gpg signature against the argument script and only proceeds to run the script if the check succeeds:
#!/bin/sh
gpgv2 $1.asc && bash "$@"
Linux distros usually have gnupg. It sounds to me like all you want is a simple bash wrapper that checks a detached gpg signature against the argument script and only proceeds to run the script if the check succeeds:
#!/bin/sh
gpgv2 $1.asc && bash "$@"
answered Aug 8 '16 at 23:08
PSkocik
17.5k44993
17.5k44993
The only thing this doesn't present is running a script that somebody just made...on their own...
– leeand00
Aug 8 '16 at 23:10
add a comment |
The only thing this doesn't present is running a script that somebody just made...on their own...
– leeand00
Aug 8 '16 at 23:10
The only thing this doesn't present is running a script that somebody just made...on their own...
– leeand00
Aug 8 '16 at 23:10
The only thing this doesn't present is running a script that somebody just made...on their own...
– leeand00
Aug 8 '16 at 23:10
add a comment |
up vote
2
down vote
The counter-question that comes to mind immediately is "Why would you ever want to prevent users from running programs they wrote?" Several possibilities exist:
- It is literally impossible to detect who authored the code in the first place. The owner of the script file is just whoever actually saved the content of that file, regardless of where it came from. So enforcing a signature is just a complicated substitute for a confirmation dialogue box: "Are you sure you want to do this?" In Linux part of this problem is solved transparently with signed packages, and mitigated by the fact that users have limited access by default. The user is also expected to know that running others' code can be dangerous*.
- In the same vein signing a script is a much more complex operation than saving a file. In the best case this prompts the user to realise that they are performing an action similar to signing a document, and should inspect what it says before continuing. Most likely it simply ensures a very minimal level of technical proficiency on the part of the user to be allowed to run the script. In the worst case it demonstrates a willingness to jump through a long series of hoops to run what they wanted to. Technical proficiency is assumed on Linux*.
- It is more likely that people will detect obviously malicious code when typing/pasting a series of commands to their command line. Plaintext snippets meant to be copied and pasted usually are smaller than the series of commands necessary to do something properly nefarious. The user can also carefully copy and paste every line separately, understanding what happens as it happens. With a script it's possible the user has never looked at the code at all. This may be a useful application of signed scripts, at the all-too-common cost of complacency after the 12th time you have to do it.
* This is probably becoming less and less true as more people start using Linux
add a comment |
up vote
2
down vote
The counter-question that comes to mind immediately is "Why would you ever want to prevent users from running programs they wrote?" Several possibilities exist:
- It is literally impossible to detect who authored the code in the first place. The owner of the script file is just whoever actually saved the content of that file, regardless of where it came from. So enforcing a signature is just a complicated substitute for a confirmation dialogue box: "Are you sure you want to do this?" In Linux part of this problem is solved transparently with signed packages, and mitigated by the fact that users have limited access by default. The user is also expected to know that running others' code can be dangerous*.
- In the same vein signing a script is a much more complex operation than saving a file. In the best case this prompts the user to realise that they are performing an action similar to signing a document, and should inspect what it says before continuing. Most likely it simply ensures a very minimal level of technical proficiency on the part of the user to be allowed to run the script. In the worst case it demonstrates a willingness to jump through a long series of hoops to run what they wanted to. Technical proficiency is assumed on Linux*.
- It is more likely that people will detect obviously malicious code when typing/pasting a series of commands to their command line. Plaintext snippets meant to be copied and pasted usually are smaller than the series of commands necessary to do something properly nefarious. The user can also carefully copy and paste every line separately, understanding what happens as it happens. With a script it's possible the user has never looked at the code at all. This may be a useful application of signed scripts, at the all-too-common cost of complacency after the 12th time you have to do it.
* This is probably becoming less and less true as more people start using Linux
add a comment |
up vote
2
down vote
up vote
2
down vote
The counter-question that comes to mind immediately is "Why would you ever want to prevent users from running programs they wrote?" Several possibilities exist:
- It is literally impossible to detect who authored the code in the first place. The owner of the script file is just whoever actually saved the content of that file, regardless of where it came from. So enforcing a signature is just a complicated substitute for a confirmation dialogue box: "Are you sure you want to do this?" In Linux part of this problem is solved transparently with signed packages, and mitigated by the fact that users have limited access by default. The user is also expected to know that running others' code can be dangerous*.
- In the same vein signing a script is a much more complex operation than saving a file. In the best case this prompts the user to realise that they are performing an action similar to signing a document, and should inspect what it says before continuing. Most likely it simply ensures a very minimal level of technical proficiency on the part of the user to be allowed to run the script. In the worst case it demonstrates a willingness to jump through a long series of hoops to run what they wanted to. Technical proficiency is assumed on Linux*.
- It is more likely that people will detect obviously malicious code when typing/pasting a series of commands to their command line. Plaintext snippets meant to be copied and pasted usually are smaller than the series of commands necessary to do something properly nefarious. The user can also carefully copy and paste every line separately, understanding what happens as it happens. With a script it's possible the user has never looked at the code at all. This may be a useful application of signed scripts, at the all-too-common cost of complacency after the 12th time you have to do it.
* This is probably becoming less and less true as more people start using Linux
The counter-question that comes to mind immediately is "Why would you ever want to prevent users from running programs they wrote?" Several possibilities exist:
- It is literally impossible to detect who authored the code in the first place. The owner of the script file is just whoever actually saved the content of that file, regardless of where it came from. So enforcing a signature is just a complicated substitute for a confirmation dialogue box: "Are you sure you want to do this?" In Linux part of this problem is solved transparently with signed packages, and mitigated by the fact that users have limited access by default. The user is also expected to know that running others' code can be dangerous*.
- In the same vein signing a script is a much more complex operation than saving a file. In the best case this prompts the user to realise that they are performing an action similar to signing a document, and should inspect what it says before continuing. Most likely it simply ensures a very minimal level of technical proficiency on the part of the user to be allowed to run the script. In the worst case it demonstrates a willingness to jump through a long series of hoops to run what they wanted to. Technical proficiency is assumed on Linux*.
- It is more likely that people will detect obviously malicious code when typing/pasting a series of commands to their command line. Plaintext snippets meant to be copied and pasted usually are smaller than the series of commands necessary to do something properly nefarious. The user can also carefully copy and paste every line separately, understanding what happens as it happens. With a script it's possible the user has never looked at the code at all. This may be a useful application of signed scripts, at the all-too-common cost of complacency after the 12th time you have to do it.
* This is probably becoming less and less true as more people start using Linux
answered Aug 9 '16 at 8:23
l0b0
27.3k17111237
27.3k17111237
add a comment |
add a comment |
up vote
1
down vote
The reason the systems have evolved differently is that Linux has the 'exec' file attribute and Windows uses file extensions to determine executability.
So in Windows it's easy to trick the user into downloading a file with an ".exe", ".bat", ".scr" extension, which will be hidden by default. Double-clicking that file would give you arbitary code execution. Hence a large mechanism of origin tracking and executable / script signing was built to mitigate this risk.
On Linux, you might be able to get a file to the user, but you can't easily force the 'exec' bit to be set. Additionally, it's possible to make entire filesystems 'noexec'.
You can in any case run a script explicitly by invoking the interpreter. You can even create shell scripts at runtime and pipe them into "sh", or run "sh -c".
add a comment |
up vote
1
down vote
The reason the systems have evolved differently is that Linux has the 'exec' file attribute and Windows uses file extensions to determine executability.
So in Windows it's easy to trick the user into downloading a file with an ".exe", ".bat", ".scr" extension, which will be hidden by default. Double-clicking that file would give you arbitary code execution. Hence a large mechanism of origin tracking and executable / script signing was built to mitigate this risk.
On Linux, you might be able to get a file to the user, but you can't easily force the 'exec' bit to be set. Additionally, it's possible to make entire filesystems 'noexec'.
You can in any case run a script explicitly by invoking the interpreter. You can even create shell scripts at runtime and pipe them into "sh", or run "sh -c".
add a comment |
up vote
1
down vote
up vote
1
down vote
The reason the systems have evolved differently is that Linux has the 'exec' file attribute and Windows uses file extensions to determine executability.
So in Windows it's easy to trick the user into downloading a file with an ".exe", ".bat", ".scr" extension, which will be hidden by default. Double-clicking that file would give you arbitary code execution. Hence a large mechanism of origin tracking and executable / script signing was built to mitigate this risk.
On Linux, you might be able to get a file to the user, but you can't easily force the 'exec' bit to be set. Additionally, it's possible to make entire filesystems 'noexec'.
You can in any case run a script explicitly by invoking the interpreter. You can even create shell scripts at runtime and pipe them into "sh", or run "sh -c".
The reason the systems have evolved differently is that Linux has the 'exec' file attribute and Windows uses file extensions to determine executability.
So in Windows it's easy to trick the user into downloading a file with an ".exe", ".bat", ".scr" extension, which will be hidden by default. Double-clicking that file would give you arbitary code execution. Hence a large mechanism of origin tracking and executable / script signing was built to mitigate this risk.
On Linux, you might be able to get a file to the user, but you can't easily force the 'exec' bit to be set. Additionally, it's possible to make entire filesystems 'noexec'.
You can in any case run a script explicitly by invoking the interpreter. You can even create shell scripts at runtime and pipe them into "sh", or run "sh -c".
answered Aug 9 '16 at 9:18
pjc50
2,4291111
2,4291111
add a comment |
add a comment |
up vote
0
down vote
By custom, many archiving programs do not preserve execute bit on contained files. This makes it impossible to run arbitrary executables. Well almost.
The point is, what was described in another answer that lack of execute bit doesn't prevent you from passing such script directly to bash
. While it's arguable that most such scripts are bash
scripts, the shebang can specify any program as interpreter. This means that it's up to the user to run appropriate interpreter if they decide to ignore the executable semantics.
While this isn't much, this pretty much covers prevention of running untrusted executables on *nixes with just kernel and shell.
As I mentioned in one of the comments, there is one other layer of protection -- SeLinux
-- which tracks the origin of files based on a set of rules. A set up SeLinux
would not for example allow root to run an executable with executable bit set that was downloaded from the internet, even if you copy and move the file around. One can add a rule that such files can only be run through another binary that would check the signature, not unlike what you mentioned in your question.
So, in the end it's a matter of configuration of commonly preinstalled tools, and the answer is yes.
many archiving programs do not preserve execute bit on contained files .. well, that's kind of a handicap when you actually want to use it for archiving. Fortunatelytar
does preserve the execute bit.
– pjc50
Aug 9 '16 at 9:19
You have to usetar -p
source
– loa_in_
Aug 9 '16 at 9:47
-p, --preserve-permissions, --same-permissions
means extract information about file permissions (default for superuser)
– loa_in_
Aug 9 '16 at 9:49
No, you do NOT need -p. I see what the man page says, but it's not what happens.touch permtest; chmod +x permtest; tar cf permtest.tar.gz permtest; rm permtest; tar xf permtest.tar.gz; ls -l permtest
- it's executable here, and I'm not root.
– domen
Aug 9 '16 at 11:02
I'll try to improve my answer then.
– loa_in_
Aug 9 '16 at 19:48
add a comment |
up vote
0
down vote
By custom, many archiving programs do not preserve execute bit on contained files. This makes it impossible to run arbitrary executables. Well almost.
The point is, what was described in another answer that lack of execute bit doesn't prevent you from passing such script directly to bash
. While it's arguable that most such scripts are bash
scripts, the shebang can specify any program as interpreter. This means that it's up to the user to run appropriate interpreter if they decide to ignore the executable semantics.
While this isn't much, this pretty much covers prevention of running untrusted executables on *nixes with just kernel and shell.
As I mentioned in one of the comments, there is one other layer of protection -- SeLinux
-- which tracks the origin of files based on a set of rules. A set up SeLinux
would not for example allow root to run an executable with executable bit set that was downloaded from the internet, even if you copy and move the file around. One can add a rule that such files can only be run through another binary that would check the signature, not unlike what you mentioned in your question.
So, in the end it's a matter of configuration of commonly preinstalled tools, and the answer is yes.
many archiving programs do not preserve execute bit on contained files .. well, that's kind of a handicap when you actually want to use it for archiving. Fortunatelytar
does preserve the execute bit.
– pjc50
Aug 9 '16 at 9:19
You have to usetar -p
source
– loa_in_
Aug 9 '16 at 9:47
-p, --preserve-permissions, --same-permissions
means extract information about file permissions (default for superuser)
– loa_in_
Aug 9 '16 at 9:49
No, you do NOT need -p. I see what the man page says, but it's not what happens.touch permtest; chmod +x permtest; tar cf permtest.tar.gz permtest; rm permtest; tar xf permtest.tar.gz; ls -l permtest
- it's executable here, and I'm not root.
– domen
Aug 9 '16 at 11:02
I'll try to improve my answer then.
– loa_in_
Aug 9 '16 at 19:48
add a comment |
up vote
0
down vote
up vote
0
down vote
By custom, many archiving programs do not preserve execute bit on contained files. This makes it impossible to run arbitrary executables. Well almost.
The point is, what was described in another answer that lack of execute bit doesn't prevent you from passing such script directly to bash
. While it's arguable that most such scripts are bash
scripts, the shebang can specify any program as interpreter. This means that it's up to the user to run appropriate interpreter if they decide to ignore the executable semantics.
While this isn't much, this pretty much covers prevention of running untrusted executables on *nixes with just kernel and shell.
As I mentioned in one of the comments, there is one other layer of protection -- SeLinux
-- which tracks the origin of files based on a set of rules. A set up SeLinux
would not for example allow root to run an executable with executable bit set that was downloaded from the internet, even if you copy and move the file around. One can add a rule that such files can only be run through another binary that would check the signature, not unlike what you mentioned in your question.
So, in the end it's a matter of configuration of commonly preinstalled tools, and the answer is yes.
By custom, many archiving programs do not preserve execute bit on contained files. This makes it impossible to run arbitrary executables. Well almost.
The point is, what was described in another answer that lack of execute bit doesn't prevent you from passing such script directly to bash
. While it's arguable that most such scripts are bash
scripts, the shebang can specify any program as interpreter. This means that it's up to the user to run appropriate interpreter if they decide to ignore the executable semantics.
While this isn't much, this pretty much covers prevention of running untrusted executables on *nixes with just kernel and shell.
As I mentioned in one of the comments, there is one other layer of protection -- SeLinux
-- which tracks the origin of files based on a set of rules. A set up SeLinux
would not for example allow root to run an executable with executable bit set that was downloaded from the internet, even if you copy and move the file around. One can add a rule that such files can only be run through another binary that would check the signature, not unlike what you mentioned in your question.
So, in the end it's a matter of configuration of commonly preinstalled tools, and the answer is yes.
edited Aug 9 '16 at 1:34
answered Aug 9 '16 at 1:29
loa_in_
22717
22717
many archiving programs do not preserve execute bit on contained files .. well, that's kind of a handicap when you actually want to use it for archiving. Fortunatelytar
does preserve the execute bit.
– pjc50
Aug 9 '16 at 9:19
You have to usetar -p
source
– loa_in_
Aug 9 '16 at 9:47
-p, --preserve-permissions, --same-permissions
means extract information about file permissions (default for superuser)
– loa_in_
Aug 9 '16 at 9:49
No, you do NOT need -p. I see what the man page says, but it's not what happens.touch permtest; chmod +x permtest; tar cf permtest.tar.gz permtest; rm permtest; tar xf permtest.tar.gz; ls -l permtest
- it's executable here, and I'm not root.
– domen
Aug 9 '16 at 11:02
I'll try to improve my answer then.
– loa_in_
Aug 9 '16 at 19:48
add a comment |
many archiving programs do not preserve execute bit on contained files .. well, that's kind of a handicap when you actually want to use it for archiving. Fortunatelytar
does preserve the execute bit.
– pjc50
Aug 9 '16 at 9:19
You have to usetar -p
source
– loa_in_
Aug 9 '16 at 9:47
-p, --preserve-permissions, --same-permissions
means extract information about file permissions (default for superuser)
– loa_in_
Aug 9 '16 at 9:49
No, you do NOT need -p. I see what the man page says, but it's not what happens.touch permtest; chmod +x permtest; tar cf permtest.tar.gz permtest; rm permtest; tar xf permtest.tar.gz; ls -l permtest
- it's executable here, and I'm not root.
– domen
Aug 9 '16 at 11:02
I'll try to improve my answer then.
– loa_in_
Aug 9 '16 at 19:48
many archiving programs do not preserve execute bit on contained files .. well, that's kind of a handicap when you actually want to use it for archiving. Fortunately
tar
does preserve the execute bit.– pjc50
Aug 9 '16 at 9:19
many archiving programs do not preserve execute bit on contained files .. well, that's kind of a handicap when you actually want to use it for archiving. Fortunately
tar
does preserve the execute bit.– pjc50
Aug 9 '16 at 9:19
You have to use
tar -p
source– loa_in_
Aug 9 '16 at 9:47
You have to use
tar -p
source– loa_in_
Aug 9 '16 at 9:47
-p, --preserve-permissions, --same-permissions
means extract information about file permissions (default for superuser)– loa_in_
Aug 9 '16 at 9:49
-p, --preserve-permissions, --same-permissions
means extract information about file permissions (default for superuser)– loa_in_
Aug 9 '16 at 9:49
No, you do NOT need -p. I see what the man page says, but it's not what happens.
touch permtest; chmod +x permtest; tar cf permtest.tar.gz permtest; rm permtest; tar xf permtest.tar.gz; ls -l permtest
- it's executable here, and I'm not root.– domen
Aug 9 '16 at 11:02
No, you do NOT need -p. I see what the man page says, but it's not what happens.
touch permtest; chmod +x permtest; tar cf permtest.tar.gz permtest; rm permtest; tar xf permtest.tar.gz; ls -l permtest
- it's executable here, and I'm not root.– domen
Aug 9 '16 at 11:02
I'll try to improve my answer then.
– loa_in_
Aug 9 '16 at 19:48
I'll try to improve my answer then.
– loa_in_
Aug 9 '16 at 19:48
add a comment |
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f302139%2fis-there-a-shell-that-checks-to-make-sure-the-code-is-signed%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
2
Sounds a bit like an ad-hoc solution to package signing to me. I don't know if Windows has cryptographic package signing the way Linux has.
– Wildcard
Aug 8 '16 at 22:36
6
@leeand00 A script is a special case of a software package and I can't see any point to singling out that case.
– Gilles
Aug 9 '16 at 0:07
2
The mechanism I'm most fond of is the way ChromeOS does this -- putting the only filesystem not flagged
noexec
on a read-only partition on a dm-verity signed block device.– Charles Duffy
Aug 9 '16 at 1:45
1
source.android.com/security/verifiedboot talks about Android's adoption of that (initially ChromeOS) feature.
– Charles Duffy
Aug 9 '16 at 2:10
1
You can consider bash as a bunch of commands that can be typed manual in command line interface. What's the point to restrict the scripts when you can type the contents in command line anyway?
– Ding-Yi Chen
Aug 9 '16 at 3:43