On Sun, 12 Jun 2005, km wrote:
> hi all,
>
> can any linux command be invoked/executed without using shell (bash)?
> what abt security concerns?

To answer your question fast, yes it is possible. Just pull every "bad" block from the OS, and put inside some replacement of your own. But it all depends on what exactly you are going to achieve...

1. Disabling rootkits/shellcodes.

Without shell (i.e. bash/sh), you lose lots of functionality and you don't get as much in exchange. If what you want really is to disable execution of rootkits, shellcodes etc, then you need to disable almost every interesting program: perl, python, awk, sh, emacs, vi, web browsers with javascript, java, any compiler or interpreter that is installed, and possibly much more but they don't come to my mind right now. After doing so, you get an OS that cannot boot past running /sbin/init and is "secure" because it is useless and can be as well turned off.

Sure, you can replace/rename all those programs to have functionality and security but this will not protect your computer for too long. It all depends on how much someone wants to get to you. If there is one such person, the above mentioned steps will not help.

It also requires much work and as a result, you will have an incompatible OS, i.e., no compatibility beyond some libraries and kernel stuff. I'm not even sure if it is possible to have full KDE/GNOME without shells. The same with X - its startup runs through a few shell scripts before the real /usr/bin/X11/X is exec'd.

There are better ways of securing Linux with less work and IMHO the resulting OS is much better than anything without shells, etc. at all. Google is your master.

www.nsa.gov/selinux/
www.lids.org/
www.openwall.com/

2. Running some minimal, barebone Linux with carefully carved functionality.

You can replace /sbin/init with your own program and make it do whatever you need. Link it statically and you should not even need libraries, just one file and a kernel.

Again, sometimes you can get similar or better results without sacrificing the whole OS, and with less work. But this subject is quite broad and so there is not much more to say.

> regards,
> KM

Regards,
Tomasz Rola

--
** A C programmer asked whether computer had Buddha's nature.      **
** As the answer, master did "rm -rif" on the programmer's home    **
** directory. And then the C programmer became enlightened...      **
**                                                                 **
** Tomasz Rola          mailto:[EMAIL PROTECTED]                   **

--
http://mail.python.org/mailman/listinfo/python-list
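
Added example, not part of the original message or of either poster's code: from Python, a command can be started with a plain fork+exec so that /bin/sh never runs, and the sketch below contrasts that with handing the same text to a shell. The sample argument is constructed, and the helper names (run_direct, run_via_shell, demo) are hypothetical; it assumes a POSIX system with echo and /bin/sh present.

```python
import shlex
import subprocess

# Constructed sample input: a "file name" that contains shell syntax.
UNTRUSTED = "report.txt; echo INJECTED"


def run_direct(argv):
    """Run argv[0] with fork+exec only; no /bin/sh process is involved."""
    done = subprocess.run(argv, shell=False, capture_output=True,
                          text=True, check=True)
    return done.stdout


def run_via_shell(command_line):
    """Hand one string to /bin/sh -c, which is what shell=True does on POSIX."""
    done = subprocess.run(["/bin/sh", "-c", command_line],
                          capture_output=True, text=True, check=True)
    return done.stdout


def demo():
    # Each list element becomes exactly one argv entry of echo.
    direct = run_direct(["echo", UNTRUSTED])
    # The shell parses ';' as a separator and runs a second command.
    naive = run_via_shell("echo " + UNTRUSTED)
    # If a shell is unavoidable, quote every untrusted word.
    quoted = run_via_shell("echo " + shlex.quote(UNTRUSTED))
    return direct, naive, quoted


if __name__ == "__main__":
    for label, out in zip(("direct", "naive shell", "quoted shell"), demo()):
        print(f"{label:12} -> {out!r}")
```

Only the naive shell call treats the constructed input as two commands; the direct call and the quoted call both pass it to echo as a single argument.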