tech-security archive


Re: execution policy for shells



On Thu, Sep 23, 2010 at 07:35:14AM -0400, Thor Lancelot Simon wrote:
> 
> It's "possible via veriexec" inasmuch as you can allow only the one
> true blessed shell to run, and implement whatever policy you care to
> in that shell.  This is how the VMS dynamic linker protected the rest
> of the system from bad shared objects...

actually, veriexec can be more subtle than that.  You can bless
certain shell scripts but deny the direct invocation of the shell
interpreter.  That means that #!/bin/powershell at the top of the
script will invoke the powershell interpreter _but_ trying to run
/bin/powershell from the command line will fail.  Of course, extreme
care needs to be taken when writing the scripts to ensure the user
cannot inject shell commands into the interpreter.

(yes, I do know powershell is a MS thing; you can tell because it has
the weird inconsistencies despite being recently written)

-- 
Brett Lymn
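
Added example, not part of the original message: a sketch of a script that could be blessed for direct execution while its interpreter is only allowed indirectly, written so that the caller's argument is never interpreted as shell code. The script name `showlog`, the log names, and the signatures-file lines in the header comment (with placeholder fingerprints, and `/bin/sh` standing in for the shell discussed above) are assumptions for illustration.

```shell
#!/bin/sh
# Constructed example. Assumed veriexec signatures-file entries
# (fingerprints are placeholders, not real values):
#   /bin/sh                 SHA256 <fingerprint-of-sh>      indirect
#   /usr/local/bin/showlog  SHA256 <fingerprint-of-script>  script
# "indirect" permits /bin/sh only as a #! interpreter; "script" marks
# this file as directly executable and readable by that interpreter.

# Do not inherit the caller's search path or word-splitting rules.
PATH=/bin:/usr/bin; export PATH
IFS=' 	
'

# Hypothetical policy: the caller may name exactly one log from a
# fixed set. Anything else (metacharacters, paths, extra words) is
# rejected instead of being "cleaned up".
log_path() {
    if [ "$#" -ne 1 ]; then
        echo "usage: showlog {messages|authlog|maillog}" >&2
        return 64
    fi
    case "$1" in
        messages|authlog|maillog)
            printf '%s\n' "/var/log/$1" ;;
        *)
            echo "showlog: log name not permitted" >&2
            return 64 ;;
    esac
}

# The validated value is passed as a single quoted argument; there is
# no eval, no backticks around user input, and no unquoted expansion.
main() {
    path=$(log_path "$@") || return $?
    exec tail -n 20 "$path"
}

# Run only when invoked under the blessed name.
case "${0##*/}" in
    showlog) main "$@" ;;
esac
```

Any program the script itself executes (here `tail`) also needs its own entry in the signatures file.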



