Nick Cleaton <[email protected]> writes: > I made this, it might be interesting to anyone looking to implement > something like rssh, or to un-retire rssh itself: it allows you to > execute a program but trap any calls to libc exec* syscall wrappers that > the program might make:
> https://github.com/ncleaton/libcallfilt > It provides a second line of defense if you've tried to block all of the > options that could exec arbitrary things but you may have missed > something. Thank you -- that's an interesting option! BTW, you probably want to add posix_spawn, posix_spawnp, and execveat. (Although a nice property of this approach is that it doesn't rely on finding every possible system call, only covering the ones that the legitimate program you're trying to spawn might use.) -- Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/> _______________________________________________ rssh-discuss mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/rssh-discuss
