Remote execution is a major security concern, and the purpose of EXEC_ROOT is to limit access to a single directory hierarchy. However, limiting this directive to a single value may encourage overly-broad access. For example, to allow access to both /usr/local/bin/foo and ~/bin/bar, EXEC_ROOT = "/" is required, which is dangerously insecure. A workaround would be to use a symlink (e.g. ln -s /usr/local/bin/foo ~/bin/foo) and enable FOLLOW_LINKS, but this is also less secure.
EXEC_ROOT should also accept an array of root directories, e.g. EXEC_ROOT = ["/usr/local/bin", "~/bin"].
There also needs to be more fine-grained access control, such as a list of allowed commands.
There is a workaround for fine-grained access: create a directory containing only links to allowed commands, and use that as EXEC_ROOT (FOLLOW_LINKS must be enabled). Maybe this is sufficient?
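The following is an added example, not code from the project discussed in this thread. It models the three ideas above as one policy check: EXEC_ROOT as a list of roots, FOLLOW_LINKS, and a hypothetical ALLOWED_COMMANDS allow-list of resolved executable paths (the names ExecPolicy, check_exec and ALLOWED_COMMANDS are assumptions, not the project's directives). It builds a constructed directory tree in a temp dir to show why a directory of symlinks is "less secure" on its own: with FOLLOW_LINKS enabled, any link that lands inside the root is followed, including one that points at an unintended binary, and only the explicit allow-list closes that hole. It also shows the "../" escape that a root-hierarchy check must refuse.

```python
import os
import tempfile
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence, Tuple


@dataclass(frozen=True)
class ExecPolicy:
    roots: Sequence[str]                 # EXEC_ROOT as a list of directories
    follow_links: bool = False           # FOLLOW_LINKS
    # Hypothetical ALLOWED_COMMANDS: absolute paths of the real executables.
    # None means "no allow-list", i.e. the plain symlink-directory workaround.
    allowed_commands: Optional[FrozenSet[str]] = None


def _under(path: str, root: str) -> bool:
    """True if path is root itself or lies below it (pure string check)."""
    root = root.rstrip(os.sep) or os.sep
    return path == root or path.startswith(root + os.sep)


def check_exec(policy: ExecPolicy, requested: str) -> Tuple[bool, str]:
    """Decide whether `requested` may be executed. Returns (allowed, reason)."""
    if not os.path.isabs(requested):
        return False, "relative path rejected"
    roots_lex = [os.path.normpath(os.path.expanduser(r)) for r in policy.roots]
    roots_real = [os.path.realpath(r) for r in roots_lex]
    # 1. Lexical check: normpath collapses "..", so ROOT/../../bin/sh cannot escape.
    lexical = os.path.normpath(requested)
    if not any(_under(lexical, r) for r in roots_lex):
        return False, "outside EXEC_ROOT"
    # 2. Resolve every symlink component; a changed path means a link was involved.
    resolved = os.path.realpath(lexical)
    if resolved != lexical and not policy.follow_links:
        return False, "symlink refused (FOLLOW_LINKS disabled)"
    # 3. The allow-list is checked against the *resolved* target, never the link name.
    if policy.allowed_commands is not None and resolved not in policy.allowed_commands:
        return False, "not in ALLOWED_COMMANDS"
    # 4. Only regular, executable files may run.
    if not os.path.isfile(resolved) or not os.access(resolved, os.X_OK):
        return False, "not an executable regular file"
    if not any(_under(resolved, r) for r in roots_real):
        return True, "allowed via link to target outside EXEC_ROOT"
    return True, "allowed"


def build_fixture() -> dict:
    """Constructed sample tree in a temp dir (stands in for the paths in the thread)."""
    base = os.path.realpath(tempfile.mkdtemp(prefix="exec_root_demo_"))
    paths = {
        "root": os.path.join(base, "bin"),             # stands in for ~/bin
        "other": os.path.join(base, "usr_local_bin"),  # stands in for /usr/local/bin
        "elsewhere": os.path.join(base, "elsewhere"),  # a directory no policy names
    }
    for d in paths.values():
        os.makedirs(d)

    def script(path: str) -> str:
        with open(path, "w") as f:
            f.write("#!/bin/sh\necho \"$0\"\n")
        os.chmod(path, 0o755)
        return path

    paths["bar"] = script(os.path.join(paths["root"], "bar"))
    paths["foo"] = script(os.path.join(paths["other"], "foo"))
    paths["rogue"] = script(os.path.join(paths["elsewhere"], "rogue_shell"))
    paths["foo_link"] = os.path.join(paths["root"], "foo")      # the approved link
    os.symlink(paths["foo"], paths["foo_link"])
    paths["rogue_link"] = os.path.join(paths["root"], "rogue_shell")  # an unwanted link
    os.symlink(paths["rogue"], paths["rogue_link"])
    return paths


def demo() -> dict:
    p = build_fixture()
    single = ExecPolicy(roots=[p["root"]])
    multi = ExecPolicy(roots=[p["root"], p["other"]])
    links = ExecPolicy(roots=[p["root"]], follow_links=True)
    hardened = ExecPolicy(roots=[p["root"]], follow_links=True,
                          allowed_commands=frozenset({p["bar"], p["foo"]}))
    traversal = os.path.join(p["root"], "..", "elsewhere", "rogue_shell")
    return {
        "single_bar": check_exec(single, p["bar"]),
        "single_foo_direct": check_exec(single, p["foo"]),
        "single_foo_link": check_exec(single, p["foo_link"]),
        "single_traversal": check_exec(single, traversal),
        "multi_foo_direct": check_exec(multi, p["foo"]),
        "links_foo_link": check_exec(links, p["foo_link"]),
        "links_rogue_link": check_exec(links, p["rogue_link"]),   # the hole
        "hardened_foo_link": check_exec(hardened, p["foo_link"]),
        "hardened_rogue_link": check_exec(hardened, p["rogue_link"]),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:22s} {'ALLOW' if ok else 'DENY ':5s} {why}")
```

The two results to compare are links_rogue_link and hardened_rogue_link: the symlink-directory workaround accepts the rogue link because every link under the root is trusted, while the allow-list keyed on the resolved target rejects it. The workaround is therefore only as strong as the write permissions on the link directory; the allow-list does not depend on that.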