From owner-freebsd-questions@FreeBSD.ORG Tue Jan 13 14:08:54 2004
From: Charles Swiger <cswiger@mac.com>
Date: Tue, 13 Jan 2004 17:08:44 -0500
To: Jefferson San Juan
cc: freebsd-questions@freebsd.org
Subject: Re: binary execute restrictions
In-Reply-To: <000d01c3d980$5521b6e0$5858269e@JANELLE>
Message-Id: <0D7DAA44-4615-11D8-AA98-003065ABFD92@mac.com>

On Jan 12, 2004, at 9:52 PM, Jefferson San Juan wrote:

> How do I restrict normal users from executing their own compiled
> executable binary files?

Give them a "restricted shell" which limits the commands they can run to
ones you specify.
See "man zshall" for one example, although other restricted shells exist
which might come closer to what you want than ZSH particularly:

RESTRICTED SHELL
    When the basename of the command used to invoke zsh starts with the
    letter `r' or the `-r' command line option is supplied at invocation,
    the shell becomes restricted. Emulation mode is determined after
    stripping the letter `r' from the invocation name. The following are
    disabled in restricted mode:

    o changing directories with the cd builtin
    o changing or unsetting the PATH, path, MODULE_PATH, module_path,
      SHELL, HISTFILE, HISTSIZE, GID, EGID, UID, EUID, USERNAME,
      LD_LIBRARY_PATH, LD_AOUT_LIBRARY_PATH, LD_PRELOAD and
      LD_AOUT_PRELOAD parameters
    o specifying command names containing /
    o specifying command pathnames using hash
    o redirecting output to files
    o using the exec builtin command to replace the shell with another
      command
    o using jobs -Z to overwrite the shell process' argument and
      environment space
    o using the ARGV0 parameter to override argv[0] for external commands
    o turning off restricted mode with set +r or unsetopt RESTRICTED

--
-Chuck
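As an added example (not part of Chuck's reply, and not code from the zsh project), the script below does two things an administrator setting this up would want: it probes a restricted shell to confirm that the operations listed in the man page excerpt above are actually refused, and it builds the directory of administrator-chosen commands that the restricted users' PATH should point at. It uses zsh's restricted mode (zsh -r) when zsh is installed and otherwise falls back to bash's restricted mode (bash -r), which blocks a similar set of operations. The refused-command list inside build_allowed_bin and the temporary directories are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original mail or the zsh project.
# Probes a restricted shell (zsh -r, or bash -r when zsh is absent) and builds
# a directory holding only the commands the administrator allows.

# Name the shell whose restricted mode we exercise; fail if neither exists.
restricted_shell() {
    if command -v zsh >/dev/null 2>&1; then
        echo zsh
    elif command -v bash >/dev/null 2>&1; then
        echo bash
    else
        return 1
    fi
}

# Run one command line under the restricted shell and print "allowed" if the
# shell executed it, or "blocked" if the shell refused it (non-zero exit).
# The probed command's own output is discarded; only the status matters.
probe() {
    rsh=$(restricted_shell) || { echo unavailable; return 0; }
    if "$rsh" -r -c "$1" >/dev/null 2>&1; then
        echo allowed
    else
        echo blocked
    fi
}

# Populate DIR with symlinks to the commands listed after it. The restricted
# users' PATH is then set to DIR alone in the administrator-controlled
# startup file (/etc/zshenv for zsh, which zsh reads for every invocation),
# so only these commands resolve. Anything that can itself run other
# programs (shells, interpreters, editors and pagers with shell escapes,
# find/xargs) would defeat the restriction, so such names are refused; this
# denylist is a constructed starting point, not a complete one.
# Prints the number of commands linked.
build_allowed_bin() {
    dir=$1
    shift
    mkdir -p "$dir"
    linked=0
    for cmd in "$@"; do
        case $cmd in
            sh|bash|zsh|ksh|csh|tcsh|perl|python*|ruby|env|vi|vim|ed|more|less|find|xargs)
                echo "refusing $cmd: it can execute other programs" >&2
                continue ;;
        esac
        target=$(command -v "$cmd") || { echo "no such command: $cmd" >&2; continue; }
        ln -sf "$target" "$dir/$cmd"
        linked=$((linked + 1))
    done
    echo "$linked"
}

# Demonstration when run directly: each probe should report "blocked" except
# the plain echo, which uses no restricted feature.
for line in 'cd /' '/bin/ls' 'PATH=/tmp' 'set +r' 'echo hi'; do
    printf '%-12s -> %s\n' "$line" "$(probe "$line")"
done

tmpdir=$(mktemp -d)
printf 'linked %s allowed command(s) into %s (sh was refused)\n' \
    "$(build_allowed_bin "$tmpdir" ls cat sh)" "$tmpdir"
rm -rf "$tmpdir"
```

The important design point is that the restricted mode only constrains the shell itself: a user who can reach any program that executes other programs (an interpreter, an editor with a shell escape, find -exec) is no longer restricted, so the directory built by build_allowed_bin must stay small and must be the only entry on the restricted users' PATH. Because PATH is one of the parameters the man page lists as unchangeable in restricted mode, a user-compiled binary in the home directory can then be named only with a slash, which the shell refuses.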