From: Lowell Gilbert
To: freebsd-questions@freebsd.org
Date: 13 Jan 2004 21:04:04 -0500
Subject: Re: binary execute restrictions

Charles Swiger writes:

> On Jan 12, 2004, at 9:52 PM, Jefferson San Juan wrote:
> > How do I restrict normal users from executing their own compiled
> > executable binary files?
>
> Give them a "restricted shell" which limits the commands they can run
> to ones you specify. See "man zshall" for one example, although other
> restricted shells exist which might come closer to what you want than
> ZSH particularly:

I suspect that a restricted shell isn't going to be appropriate in this case.
Restricted shells are useful for avoiding shooting yourself in the foot, but they're really not intended to be secure.