tech-security archive


Re: execution policy for shells



On Thu, Sep 23, 2010 at 07:54:56AM -0400, Thor Lancelot Simon wrote:
> > 
> > actually, veriexec can be more subtle than that.  You can bless
> > certain shell scripts but deny the direct invocation of the shell
> > interpreter.  That means that #!/bin/powershell at the top of the
> 
> In which case you can't even have an emergency login shell on your
> system.  Not 100% sure what I think about that one.
> 

Only if you set the policy up that way.  You can have an interactive
shell but not "bless" any shell scripts for that shell, just like you
would any other executable object.  But what veriexec will let you do
is, say, install perl and be able to run a bunch of perl scripts
(because they are "blessed") but not invoke perl from the command line,
but only if that is what you choose to do; you could just as easily
let perl be run from the command line if you want to.  I thought
having the distinction between directly running the interpreter and
running scripts using that interpreter was sort of a useful thing.

-- 
Brett Lymn
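
The policy described in the message above, sketched as a veriexec signatures file in the signatures(5) layout (path, algorithm, fingerprint, flags). This is an added example, not part of the original message: the paths are assumptions, the script name is hypothetical, and the fingerprints are placeholders to be filled in with real hashes.

```conf
# Constructed example of /etc/signatures; every fingerprint is a placeholder.

# Interpreter: "indirect" only, so it can serve as the #! interpreter of a
# blessed script but cannot be started from the command line.
/usr/pkg/bin/perl           SHA256  <fingerprint-of-perl>        indirect

# Blessed script (hypothetical path): "direct", so it can be executed itself.
/usr/local/libexec/rotate.pl  SHA256  <fingerprint-of-rotate.pl>  direct

# Emergency login shell: "direct" only. It can be run interactively, but it
# is not allowed as a script interpreter and no shell scripts are listed.
/bin/sh                     SHA256  <fingerprint-of-sh>          direct

# The alternative the message mentions: to also allow perl from the command
# line, list it with both access types instead of the entry above.
# /usr/pkg/bin/perl         SHA256  <fingerprint-of-perl>        direct,indirect
```

Whether a wrong access type is only logged or actually refused depends on the veriexec strict level the system is running at.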



