On 12 Dec 2015 23:05, Stephane Chazelas wrote:
> 2015-12-12 16:01:26 -0500, Mike Frysinger:
> [...]
> > This is not a perfect solution as it can still be worked around by
> > inlining the code itself:
> > $ bash -c "$(cat /dev/shm/test.sh)"
> > hi
>
> Or
>
> cat /dev/shm/test.sh | bash

right, there's no way to look through pipes

> I think this kind of hardening is better left to things like
> selinux/apparmor.

security is not an all-or-nothing proposition. the whole point is to have
defence in depth.
-mike