From owner-freebsd-questions Wed Jul 31 17:35:15 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7326E37B400 for ; Wed, 31 Jul 2002 17:35:13 -0700 (PDT)
Received: from speaker.rodsbooks.com (ip68-14-7-118.ri.ri.cox.net [68.14.7.118]) by mx1.FreeBSD.org (Postfix) with ESMTP id C98A743E3B for ; Wed, 31 Jul 2002 17:35:12 -0700 (PDT) (envelope-from rodsmith@rodsbooks.com)
Received: by speaker.rodsbooks.com (Postfix, from userid 500) id C96DD2B80A; Wed, 31 Jul 2002 20:35:11 -0400 (EDT)
To: pirat@access.inet.co.th
Cc: freebsd-questions@freebsd.org
Reply-To: rodsmith@rodsbooks.com
Subject: Re: prevent user from running some program
In-Reply-To: <20020729042915.GA35781@thai-aec.org>
Date: Wed, 31 Jul 2002 20:35:11 -0400 (EDT)
X-Mailer: XCmail 1.3 - with PGP support, PGP engine version 0.5 (Linux)
X-Mailerorigin: http://www.fsai.fh-trier.de/~schmitzj/Xclasses/XCmail/
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
Message-Id: <20020801003511.C96DD2B80A@speaker.rodsbooks.com>
From: rodsmith@rodsbooks.com (Rod Smith)
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

---Reply to mail from pirat about prevent user from running some program

> hi sirs,
>
> am using freebsd 4.6-stable.
> i have a simple question that is if i just want some users to be able to run
> only xfig what should i do. and on the other hand if i do not want them to run
> xfig, is there any command to accomplish this ?

You can change permissions and group ownership on the binary to permit only the owner (presumably root) and the program's group to run it.
For instance:

# chgrp xfiguser /usr/X11R6/bin/xfig
# chmod 0750 /usr/X11R6/bin/xfig

You'd then add any users who should be able to run xfig to the xfiguser group (which must exist before you type the first command). (Note I'm not sure where xfig actually exists, since my FreeBSD system is powered down at the moment.)

This procedure comes with a **HUGE** caveat, though: For most programs, users can easily overcome the limitation by installing "private" copies of the program executable in their own home directories. This may not be practical for some very big programs if you use account quotas, and you may be able to restrict executable rights on a home directory partition on some systems, but overall it's a big hole in this process.

--
Rod Smith
rodsmith@rodsbooks.com
http://www.rodsbooks.com

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
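
Added example, not part of Rod Smith's message: a small audit script for the setup he describes, checking that the binary is closed to "other" and owned by the intended group, then listing same-named executables under home directories (the caveat above). The function names check_restricted and find_private_copies are hypothetical; the path and group in the usage comment are the ones from the message.

```shell
#!/bin/sh
# Added example: audit the group-restricted binary layout (chgrp + chmod 0750).

# check_restricted FILE GROUP
# Succeeds only if FILE is group-owned by GROUP (name or numeric gid) and
# "other" has no read, write or execute bit, i.e. the 0750 intent holds.
check_restricted() {
    file=$1 group=$2
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    # find -perm -MODE matches when every listed bit is set; test each one.
    for bit in 001 002 004; do
        if [ -n "$(find "$file" -prune -perm -"$bit" 2>/dev/null)" ]; then
            echo "other has mode bit $bit on $file" >&2
            return 1
        fi
    done
    if [ -z "$(find "$file" -prune -group "$group" 2>/dev/null)" ]; then
        echo "$file is not group-owned by $group" >&2
        return 1
    fi
    return 0
}

# find_private_copies NAME DIR...
# Prints regular files called NAME under the DIRs (e.g. home directories)
# that carry any execute bit. Matching is by file name only, so a renamed
# copy is not caught; this is a first-pass check, not enforcement.
find_private_copies() {
    name=$1; shift
    find "$@" -type f -name "$name" \
        \( -perm -100 -o -perm -010 -o -perm -001 \) -print 2>/dev/null
}

# Usage when run directly: sh audit.sh /usr/X11R6/bin/xfig xfiguser /home
if [ "$#" -ge 3 ]; then
    bin=$1 grp=$2; shift 2
    check_restricted "$bin" "$grp" && echo "OK: $bin restricted to $grp"
    find_private_copies "$(basename "$bin")" "$@"
fi
```

Run it as root so that find can descend into every home directory.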