On October 17, 2018 10:00:53 AM GMT+03:00, Thomas Mueller <thomas(a)chaschperli.ch> wrote:
On 10/16/2018 11:15 AM, Sheogorath wrote:
> Hi,
>
> it's mostly a question out of curiosity but maybe useful for some
> people.
>
> I wonder if there is a way to prevent a direct piping from curl to
> bash using SELinux.
>
> And of course one can download a file and then run bash on it, but a
> simple rule that prevents direct piping would at least give a heads
> up about it.

Sounds not like something I would implement. And you don't give much
context to your situation.
What do you like to prevent? Stop users with root-shells to execute
arbitrary shell scripts obtained by curl?

It's a common idiocy we (sysadmins) face in the web world: programmers need
"something" and find a tutorial which instructs them to download some bundle
which self-installs via the infamous mantra under discussion in this thread. Obviously
preceded by a sudo (because why not?)
Wolfy