Hi guys,
Is it possible on rhel 6.2 to block execution of a binary and display a custom message on stdout or stderr?
thanks
If this is system-wide and it is NOT a unix command (e.g., a file in /usr/bin, /usr/local/bin, /usr/sbin), yes.
cd /path/to/binaryfiles
mv binaryfile binaryfile.keep
echo "Warning you cannot execute this file!!" > binaryfile
chmod +x binaryfile
If you do this to a unix command you will break the system - i.e., it probably will no longer reboot, lots of existing code will break.
First, I must emphasize (like Jim did) that you should NOT do this to any binary that is supplied as part of your operating system.
Although Jim's suggestion will make attempts to run binaryfile produce an error message, the error message you get would be something like:
sh: Warning: not found
I think what was intended was something more like:
echo 'echo "Warning you cannot execute this file!!"' > binaryfile
which would instead print:
Warning you cannot execute this file!!
when someone tries to run binaryfile.
Thank you both for your reply, but the idea would be to avoid manipulating the binary itself, as we need to do exactly the opposite with an allowed binary.
Run it and display a message that this is an allowed binary.
It isn't easy to change the way an application behaves without changing the application.
I almost didn't post this, because the idea of trying to use a system that has been mangled like this is just abhorrent to me. And the same WARNINGS still apply: If you do this to any utility provided as part of your operating system, you may turn your computer into a doorstop.
But, here is a modified version of Jim's code that seems to do what you want. Save it in a file, make it executable, and invoke it with the name of one program to modify as its only argument:
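cd /path/to/binaryfiles
# Keep the original program under a new name.
mv "$1" "$1.real"
# Write the wrapper: print the message, then run the original with the same arguments.
# $PWD is passed as an argument so the absolute directory is written into the wrapper now,
# rather than being expanded later in the caller's working directory.
printf 'echo "You have permission to run %s."\nexec "%s/%s.real" "$@"\n' \
"$1" "$PWD" "$1" > "$1"
chmod +x "$1"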
Please do everything you can to convince whoever came up with this idea that it is a horrible idea and should not be implemented. (Imagine how well the above script would work if printf wasn't a shell built-in and you used this script to change printf before you used it to change another program. Any program replaced by this script that has its output redirected into a file will corrupt that file. Any program replaced by this script that is included in a pipeline will require that the next program in the pipeline be changed to discard the line that the modified program should never have printed.)
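A variant of the wrapper approach from the posts above, as an added example that is not code from any poster in this thread: the message goes to stderr so redirected stdout and pipelines stay clean, and a "deny" mode covers the original question. The function name wrap_binary, the mode names, the refused-directory list and the exit status 126 are assumptions made for this sketch.

```shell
#!/bin/sh
# wrap_binary MODE FILE   (hypothetical helper, not from the thread)
#   allow: print a notice on stderr, then exec the renamed original
#   deny : print a warning on stderr and exit without running it
wrap_binary() {
    mode=$1
    file=$2
    dir=$(cd "$(dirname "$file")" && pwd -P) || return 1
    name=$(basename "$file")
    # The path is embedded in generated shell code: accept plain characters only.
    case "$dir/$name" in
        *[!A-Za-z0-9/._-]*) echo "unsafe path: $file" >&2; return 1 ;;
    esac
    # Never wrap OS-supplied commands (the warning repeated in the thread).
    # This directory list is an assumption; extend it for your system.
    case "$dir/" in
        /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*|/usr/local/bin/*)
            echo "refusing to wrap $dir/$name" >&2; return 1 ;;
    esac
    [ -f "$dir/$name" ] && [ ! -e "$dir/$name.real" ] || return 1
    case $mode in
        allow)
            body="echo \"You have permission to run $name.\" >&2
exec \"$dir/$name.real\" \"\$@\"" ;;
        deny)
            # 126 is the conventional "found but cannot execute" status.
            body="echo \"Warning you cannot execute this file!!\" >&2
exit 126" ;;
        *)
            echo "usage: wrap_binary allow|deny FILE" >&2; return 1 ;;
    esac
    mv "$dir/$name" "$dir/$name.real" || return 1
    # In deny mode also drop execute permission on the renamed original,
    # so it cannot simply be started under its new name.
    if [ "$mode" = deny ]; then chmod a-x "$dir/$name.real" || return 1; fi
    # The shebang lets the wrapper run even when started by a non-shell caller.
    printf '#!/bin/sh\n%s\n' "$body" > "$dir/$name" && chmod +x "$dir/$name"
}
```

Anyone with write access to the directory can undo the wrapper, so this is a notice mechanism rather than an access control.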
I was thinking more of pam limits or cgroups, but the hard part is to have this stupid message displayed.