[PATCH v1] shebang: restrict python interactive prompt/interpreter
Tetsuo Handa
penguin-kernel at I-love.SAKURA.ne.jp
Fri Jun 9 15:41:37 UTC 2017
Matt Brown wrote:
> > What about execution via ld-linux ?
> >
> > $ /lib64/ld-linux-x86-64.so.2 /usr/bin/python2
> >
>
> Just tested this and you are correct, this allows you to bypass the
> protection.
>
> I was able to fix this bypass by including /lib64/ld-linux-x86-64.so.2
> in the list of interpreters.

And there is also the PYTHONINSPECT environment variable. ;-)

# echo '#!/usr/bin/python2' > run-python
# chmod 755 run-python
# ./run-python
# PYTHONINSPECT=yes ./run-python
>>> print "hello"
hello
>>>
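
A detection-side sketch of the two routes raised in this thread (Python started through the dynamic loader, and PYTHONINSPECT set when a Python-interpreted script runs), added here as an example and not part of the patch or of either poster's code. The event record shape, the function names, the option list and the sample events are constructed assumptions.

```python
import os

# Loader path taken from the thread; extend per architecture (assumption).
LOADERS = {"/lib64/ld-linux-x86-64.so.2"}
# ld.so options that consume the following argument (not exhaustive).
VALUE_OPTS = {"--library-path", "--inhibit-rpath", "--audit", "--preload", "--argv0"}

def _is_python(path):
    return os.path.basename(path or "").startswith("python")

def _loader_target(args):
    """Return the program ld.so was asked to run, skipping its own options."""
    it = iter(args)
    for a in it:
        if a in VALUE_OPTS:
            next(it, None)          # skip the option's value
        elif not a.startswith("-"):
            return a
    return None

def findings(event):
    """Classify one exec event against the two bypass routes from the thread.

    event: {'argv': [...], 'env': {...}, 'shebang': interpreter path from the
    executed file's #! line or None}. Hypothetical record shape.
    """
    argv, env = event["argv"], event.get("env", {})
    out, target = [], argv[0]
    if argv[0] in LOADERS:
        target = _loader_target(argv[1:])
        if _is_python(target):
            out.append("python-via-loader")
    runs_python = _is_python(target) or _is_python(event.get("shebang"))
    # A non-empty PYTHONINSPECT behaves like "python -i": prompt after the script ends.
    if runs_python and env.get("PYTHONINSPECT"):
        out.append("pythoninspect-set")
    return out

# Constructed sample events mirroring the commands quoted in the thread.
SAMPLE = [
    {"argv": ["/lib64/ld-linux-x86-64.so.2", "/usr/bin/python2"], "env": {}, "shebang": None},
    {"argv": ["./run-python"], "env": {"PYTHONINSPECT": "yes"}, "shebang": "/usr/bin/python2"},
    {"argv": ["./run-python"], "env": {}, "shebang": "/usr/bin/python2"},
]

if __name__ == "__main__":
    for ev in SAMPLE:
        print(ev["argv"], findings(ev))
```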