without shell

Tomasz Rola rtomek at ceti.pl
Fri Jun 10 06:23:58 EDT 2005


On Sun, 12 Jun 2005, km wrote:

> hi all,
> 
> can any linux command be invoked/executed without using shell (bash)?
> what about security concerns?

To answer your question fast, yes it is possible. Just pull every "bad"
block from the OS, and put inside some replacement of your own. 

But it all depends on what exactly you are going to achieve...

1. Disabling rootkits/shellcodes.

Without shell (i.e. bash/sh), you lose lots of functionality and you
don't get as much in exchange. If what you want really is to disable
execution of rootkits, shellcodes, etc., then you need to disable almost
every interesting program: perl, python, awk, sh, emacs, vi, web browsers
with javascript, java, any compiler or interpreter that is installed, and
possibly much more that doesn't come to my mind right now. After doing
so, you get an OS that cannot boot past running /sbin/init and is "secure"
because it is useless and might as well be turned off.

Sure, you can replace/rename all those programs to have functionality and
security, but this will not protect your computer for too long. It all
depends on how much someone wants to get to you. If there is one such
person, the above mentioned steps will not help. It also requires much
work, and as a result you will have an incompatible OS, i.e. no
compatibility beyond some libraries and kernel stuff. I'm not even sure if
it is possible to have full KDE/GNOME without shells. The same with X -
its startup runs through a few shell scripts before the real /usr/bin/X11/X
is exec'd.

There are better ways of securing Linux with less work and IMHO the
resulting OS is much better than anything without shells, etc. at all.
Google is your master.

www.nsa.gov/selinux/
www.lids.org/
www.openwall.com/

2. Running some minimal, bare-bones Linux with carefully carved
functionality.

You can replace /sbin/init with your own program and make it do whatever
you need. Link it statically and you should not even need libraries, just
one file and a kernel.

Again, sometimes you can get similar or better results without sacrificing
the whole OS, and with less work. But this subject is quite broad and so
there is not much more to say.

> regards,
> KM

Regards,
Tomasz Rola

-- 
** A C programmer asked whether computer had Buddha's nature.      **
** As the answer, master did "rm -rif" on the programmer's home    **
** directory. And then the C programmer became enlightened...      **
**                                                                 **
** Tomasz Rola          mailto:tomasz_rola at bigfoot.com             **

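The "yes, it is possible" above, as an added example that is not part of the original post: a C program that runs a command with fork()+execve() and an explicit argv, the way a replacement /sbin/init would, so no shell ever parses the arguments. It assumes the usual coreutils paths (/usr/bin/test, /bin/true, /bin/false); build with `cc -static` to get the single-file binary the post describes.

```c
#include <stdio.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/wait.h>

/* Exec `path` with the given argv and an empty environment, wait for it, and
 * return its exit status (128+signal if killed). Returns -1 with errno set if
 * fork or execve fails, e.g. ENOENT when the path does not exist. Each argv
 * entry reaches the program verbatim: ';', '|', '$' and spaces are ordinary
 * characters here, because there is no shell to interpret them. */
int run_without_shell(const char *path, char *const argv[])
{
    char *const envp[] = { NULL };  /* no PATH search, nothing inherited */
    int errpipe[2];
    if (pipe(errpipe) < 0)
        return -1;
    fcntl(errpipe[1], F_SETFD, FD_CLOEXEC);  /* vanishes on successful exec */
    pid_t pid = fork();
    if (pid < 0) {
        close(errpipe[0]); close(errpipe[1]);
        return -1;
    }
    if (pid == 0) {                          /* child */
        close(errpipe[0]);
        execve(path, argv, envp);
        int err = errno;                     /* only reached if exec failed */
        ssize_t w = write(errpipe[1], &err, sizeof err); (void)w;
        _exit(127);
    }
    close(errpipe[1]);                       /* parent */
    int err = 0, status;
    ssize_t n = read(errpipe[0], &err, sizeof err);  /* 0 bytes: exec ok */
    close(errpipe[0]);
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (n > 0) { errno = err; return -1; }
    if (WIFEXITED(status)) return WEXITSTATUS(status);
    if (WIFSIGNALED(status)) return 128 + WTERMSIG(status);
    return -1;
}

int main(void)
{
    /* "hello; world" is one literal argument to test(1); a shell would have
     * split it at ';'. Paths assume the usual coreutils locations. */
    char *const cmp[] = { "test", "hello; world", "=", "hello; world", NULL };
    printf("test -> %d\n", run_without_shell("/usr/bin/test", cmp));  /* 0 */
    return 0;
}
```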