On Monday, 4 May 2020 17:01:10 CEST, Stefan Baur wrote:
> And here's the next catch: They intend to use LibreOffice as their single published application. Which allows the user to write their own macros in LibreOffice Basic. Which allows them to read binary files and do things with them. Like convert them to a bunch of QR codes and display them. So to do the things that need to be done, they (the owners) are depending on an executable which the user can do so much more with than they want it to do. And there's no way to limit that, other than to refrain from using LibreOffice as a front-end.
> -Stefan
With full respect to the users, if they were capable of that, they would probably be able to write a similar spreadsheet from scratch (and have some other job).
I know that redesigning the whole calculation as a web application would be much better. But if protection against 80% of users can be done with 20% effort, I would do it. You say that 100% protection is not possible, so there is no reason to do anything...
All I want is to close this one obvious hole: ssh somewhere "cat file" > file
I cannot remove the exec bit from /bin/cat, because it is required to set up an x2go session. If the rbash guide I referenced at the beginning worked, this would be possible.
Best regards,
Vladislav Kurz
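One way to close the `ssh somewhere "cat file" > file` path without removing the exec bit from /bin/cat, as an added example that is not from this thread or from the X2Go project: an sshd forced command that filters the command line the client asks for. The script path, the group name and the assumption that the client only requests commands whose name starts with `x2go` are hypothetical and must be checked against a real session.

```shell
#!/bin/sh
# Added example, not code from the thread. Hypothetical path and group name.
# Enable in sshd_config with:
#   Match Group x2gousers
#       ForceCommand /usr/local/bin/x2go-only
# sshd then runs this script instead of whatever the client requested and
# passes the requested command line in SSH_ORIGINAL_COMMAND.

# Return 0 if the requested command line may run, 1 otherwise.
# Assumption: everything the X2Go client needs starts with "x2go"; log the
# rejections from a real session and adjust before enforcing.
allowed_command() {
    cmd=$1
    # An empty request means an interactive shell: refuse.
    [ -n "$cmd" ] || return 1
    # Allow only a conservative character set, so pipes, redirects,
    # quotes, substitutions, globs and newlines are all refused.
    case $cmd in
        *[!A-Za-z0-9\ _./:,=@+-]*) return 1 ;;
    esac
    first=${cmd%% *}            # command name: text before the first space
    case $first in
        */*)        return 1 ;; # no explicit paths such as /bin/cat
        x2go[a-z]*) return 0 ;;
        *)          return 1 ;;
    esac
}

main() {
    if allowed_command "${SSH_ORIGINAL_COMMAND:-}"; then
        set -f                  # no globbing; splitting on spaces is intended
        exec $SSH_ORIGINAL_COMMAND
    fi
    logger -t x2go-only \
        "rejected for ${USER:-unknown}: ${SSH_ORIGINAL_COMMAND:-<shell>}" \
        2>/dev/null
    echo "command not permitted" >&2
    exit 1
}

# Run only when started by sshd, not when sourced for testing.
if [ -n "${SSH_CONNECTION:-}" ]; then
    main
fi
```

This filters only the command sshd is asked to run: scripts started by an allowed command can still call /bin/cat, and it does nothing about what the published application itself can read.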