Security based on a rexec patch

Written by Administrator
The most widely used attacks today are the many variants of buffer overflow, the "format string" technique and, on systems built with gcc 2.x, the "off-by-one" overflow. Most exploits used to compromise vulnerable machines carry "shellcode": ready-made machine code, usually stored as a hex string, that spawns a shell with superuser privileges. A number of mechanisms have been created to protect against such attacks; I will describe one of them, restricted exec (rexec) for Linux. Rexec is available as a patch for the 2.4 and 2.6 Linux kernel series and is controlled through sysctl. The idea was borrowed from a similar project for FreeBSD systems.
Rexec imposes restrictions on the programs being executed: a maximum number of arguments passed to a program, maximum lengths for arguments and environment variables, and a set of characters that are treated as illegal in either of them. In addition it lets us log execve() calls and set up a "no-exec" mode, in which users whose uid is greater than a chosen value may execute programs only if they belong to a chosen group.
For the patch to work properly the kernel needs built-in sysctl support, so first check that it is enabled in your kernel configuration. Kernel 2.4: General setup -> Sysctl support. Kernel 2.6: General setup -> Sysctl support.
Download the patch for the kernel series you are running (there are separate patches for Linux 2.4 and Linux 2.6). Then go to the directory containing the kernel source, e.g.:

    cd /usr/src/

copy the patch into that directory and apply it with:

    patch -p0 < linux-rexec.patch-X

where X is the kernel version the patch was made for.
Configuration:
After applying the patch and recompiling the kernel, a new "rexec" section appears in the kernel configuration with the following options:
+ Rexec
+ Limited count of arguments
+ Checking arguments length
+ Checking environmental variables length
+ Looking for bad chars in arguments and environmental variables
+ No-exec system
Each option is described briefly below.
1) Limited count of arguments. Allows a limit on the number of arguments passed to a program. Sysctl variable: max_arg_count. Do not set it too low, as this can break the normal operation of the system (shells and build tools routinely pass many arguments). If the value is less than 1, rexec does not work.
2) Checking arguments length. Allows a limit on the length of a single argument. Sysctl variable: max_arg_len. Again, do not set it too low.
3) Checking environmental variables length. The same as the argument-length check, but applied to environment variables. Sysctl variable: max_env_len.
4) No-exec system. With the no-exec system, users whose uid is greater than a chosen value can execute programs only if they belong to a chosen group. Sysctl variables: maxbin_uid, not_restricted_grp. A simple example: setting maxbin_uid to 999 means that every user added to the system (with the standard configuration, which assigns uids from 1000 upwards) is subject to the restriction. To allow a particular user to run programs, add them to the group named by not_restricted_grp. Since the check applies to every execve(), make sure that daemon and service accounts which need to start programs either have uids at or below maxbin_uid or are members of that group before enabling it on a production machine.

System logging
Logging of execve() calls is controlled with the sysctl variables log_exec and obv_group. The first variable (log_exec) can take four values:
0 - no execve() calls are logged.
1 - only execve() calls that were refused for some reason are logged.
2 - all execve() calls are logged.
3 - only execve() calls made by members of a chosen group are logged.
The variable obv_group names the group whose execve() calls we want to log. If log_exec is not 3, this variable is ignored. If log_exec is set to a value other than those listed, logging behaves as if it were set to 0.
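To make the rules concrete, here is a user-space model of the checks described in the sections above (options 1 to 4 and the logging variables). It is an added example written for this page, not code from the rexec patch itself: the variable names are the page's sysctl names, while the rejected-byte set, the order in which the checks run, the treatment of a max_arg_count below 1 as "no count check", the group-membership test and the sample uids, gids and command lines are all assumptions made for the illustration.

```c
/*
 * User-space model of the rexec policy described on this page.  Added
 * illustration, not the patch's kernel code.  Knob names follow the page's
 * sysctl variables; the bad-character set, check order, membership test and
 * all sample values below are assumptions.
 */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

struct rexec_policy {
    int max_arg_count;      /* page: below 1 rexec does not work; modelled as "no count check" */
    size_t max_arg_len;     /* longest permitted single argument (0 = unchecked, assumption) */
    size_t max_env_len;     /* longest permitted single env string (0 = unchecked, assumption) */
    const char *bad_chars;  /* bytes rejected in argv and envp (assumed set) */
    uid_t maxbin_uid;       /* uids above this may exec only as members of not_restricted_grp */
    gid_t not_restricted_grp;
    int log_exec;           /* 0..3 as documented; anything else behaves as 0 */
    gid_t obv_group;        /* consulted only when log_exec == 3 */
};

enum rexec_result {
    REXEC_ALLOW = 0, REXEC_NOEXEC, REXEC_TOO_MANY_ARGS,
    REXEC_ARG_TOO_LONG, REXEC_ENV_TOO_LONG, REXEC_BAD_CHAR
};

static int in_group(gid_t g, const gid_t *groups, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (groups[i] == g)
            return 1;
    return 0;
}

/* Longest string in a NULL-terminated vector; also reports the element count. */
static size_t vec_max_len(char *const vec[], size_t *count)
{
    size_t longest = 0, n = 0;
    for (; vec[n]; n++) {
        size_t len = strlen(vec[n]);
        if (len > longest)
            longest = len;
    }
    *count = n;
    return longest;
}

static int vec_has_bad_char(char *const vec[], const char *bad)
{
    for (size_t i = 0; vec[i]; i++)
        if (strpbrk(vec[i], bad))
            return 1;
    return 0;
}

/* The decision rexec would take for one execve() by a user with these credentials. */
enum rexec_result rexec_check(const struct rexec_policy *p, uid_t uid,
                              const gid_t *groups, size_t ngroups,
                              char *const argv[], char *const envp[])
{
    size_t argc, envc;
    size_t arg_len = vec_max_len(argv, &argc);
    size_t env_len = vec_max_len(envp, &envc);

    /* No-exec system: a restricted uid outside the allowed group may not exec at all. */
    if (uid > p->maxbin_uid && !in_group(p->not_restricted_grp, groups, ngroups))
        return REXEC_NOEXEC;
    if (p->max_arg_count >= 1 && argc > (size_t)p->max_arg_count)
        return REXEC_TOO_MANY_ARGS;
    if (p->max_arg_len && arg_len > p->max_arg_len)
        return REXEC_ARG_TOO_LONG;
    if (p->max_env_len && env_len > p->max_env_len)
        return REXEC_ENV_TOO_LONG;
    if (p->bad_chars && (vec_has_bad_char(argv, p->bad_chars) ||
                         vec_has_bad_char(envp, p->bad_chars)))
        return REXEC_BAD_CHAR;
    return REXEC_ALLOW;
}

/* Whether that execve() would be logged under log_exec / obv_group. */
int rexec_should_log(const struct rexec_policy *p, enum rexec_result r,
                     const gid_t *groups, size_t ngroups)
{
    switch (p->log_exec) {
    case 1:  return r != REXEC_ALLOW;                        /* refused calls only */
    case 2:  return 1;                                       /* every call */
    case 3:  return in_group(p->obv_group, groups, ngroups); /* one group only */
    default: return 0;                                       /* 0 or an undocumented value */
    }
}

/* Constructed sample policy and credentials; all values are illustrative. */
const struct rexec_policy demo_policy = {
    .max_arg_count = 64, .max_arg_len = 256, .max_env_len = 1024,
    .bad_chars = "\x90\xcd\xff", .maxbin_uid = 999, .not_restricted_grp = 1001,
    .log_exec = 1, .obv_group = 1001,
};
const struct rexec_policy demo_policy_log3 = { .log_exec = 3, .obv_group = 1001 };
const struct rexec_policy demo_policy_log7 = { .log_exec = 7 };  /* undocumented value */
const gid_t plain_user_groups[] = { 100 };       /* uid 1000, not in group 1001 */
const gid_t dev_groups[] = { 100, 1001 };        /* uid 1000, member of not_restricted_grp */
char *const clean_argv[] = { "/bin/ls", "-l", "/tmp", NULL };
char *const clean_envp[] = { "PATH=/bin:/usr/bin", "HOME=/home/dev", NULL };
/* Constructed: an argument carrying a NOP sled, as a stack-smashing exploit would pass it. */
char *const sled_argv[] = { "/usr/local/bin/victim", "\x90\x90\x90\x90\xeb\x1f", NULL };

/* Constructed: one 300-byte printable argument, over max_arg_len but free of bad chars. */
enum rexec_result demo_long_arg(void)
{
    static char big[301];
    memset(big, 'A', 300);
    big[300] = '\0';
    char *const argv[] = { "/bin/echo", big, NULL };
    return rexec_check(&demo_policy, 1000, dev_groups, 2, argv, clean_envp);
}

int main(void)
{
    printf("plain user, clean argv : %d (NOEXEC is %d)\n",
           rexec_check(&demo_policy, 1000, plain_user_groups, 1, clean_argv, clean_envp), REXEC_NOEXEC);
    printf("dev user, clean argv   : %d (ALLOW is %d)\n",
           rexec_check(&demo_policy, 1000, dev_groups, 2, clean_argv, clean_envp), REXEC_ALLOW);
    printf("dev user, NOP sled     : %d (BAD_CHAR is %d)\n",
           rexec_check(&demo_policy, 1000, dev_groups, 2, sled_argv, clean_envp), REXEC_BAD_CHAR);
    printf("dev user, 300-byte arg : %d (ARG_TOO_LONG is %d)\n", demo_long_arg(), REXEC_ARG_TOO_LONG);
    return 0;
}
```

Build with cc -std=c99 -o rexec_model rexec_model.c and run it. Two things the model makes visible that the option list does not: the no-exec check is a whitelist, so a uid above maxbin_uid is refused before any argument is even looked at; and the character filter only catches the bytes it is told about (here 0x90, 0xcd and 0xff, an assumed set, since the page does not list the patch's), whereas shellcode is routinely encoded to avoid any fixed set, which is why the length limits and the no-exec restriction carry more of the weight.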