For example, I run Apache with suexec to host dozens of potentially problematic websites and want to minimize exploits.
I cannot enable full TPE for that group of users (as suexec will fail to execute their CGI scripts).
I might be able to enable partial TPE for all users, but it helps almost nothing in my case, as the users could download rootkits in their homedirs (writeable only by them) and then execute them.
So I would need something like:
role webusers g
That is, I want no TPE restrictions until the PHP interpreter runs, after which I want full TPE (only able to execute root-owned binaries, and not its own binaries) - thus restricting any PHP call of system(), popen(), etc...
Is that currently possible to do, or would it be a good idea to implement?