From: Daniel Marsh
To: Paige Thompson, freebsd-security@freebsd.org
Date: Mon, 2 Mar 2009 14:21:16 +0900
Subject: Re: Trusted Path Execution

1. Set the noexec mount option on any filesystem that you don't want executables running on.
2. Use ACLs to prevent execution of files; the BSD MAC framework is the way to go.

I.e., remove the executable bit on all files for everyone and leave the owner and group, then add users to the necessary groups.

Only issue is monitoring newly created files and the bits set; default umask can help.

Regards
Daniel

On 3/2/09, Paige Thompson wrote:
> I would like to know that there is or is not a way to prevent users from
> executing binaries that are not owned by root or that the user is in a
> particular group. Is this something I can achieve with TrustedBSD's MAC
> framework?
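
An added example (not part of the message above and not FreeBSD project code): a small sh audit for the two suggestions in the reply, listing mount points that lack noexec and executable files not owned by a trusted uid. The function names, the constructed mount output and the default trusted uid of 0 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit helpers for the noexec and execute-bit advice above.

# Read FreeBSD-style mount(8) output on stdin and print every mount point
# whose option list lacks "noexec". Expected line shape:
#   /dev/ada0p4 on /home (ufs, local, noexec, nosuid)
mounts_without_noexec() {
    while IFS= read -r line; do
        case "$line" in
            *" on "*" ("*")") ;;      # looks like a mount line
            *) continue ;;            # skip anything else
        esac
        opts=${line##*\(}; opts=${opts%\)}   # text between the parentheses
        mp=${line#* on }; mp=${mp% \(*}      # mount point
        case ", $opts," in
            *", noexec,"*) ;;                # protected, nothing to report
            *) printf '%s\n' "$mp" ;;
        esac
    done
}

# Print regular files under DIR that carry any execute bit and are not
# owned by TRUSTED_UID (assumed default: 0, root). Run it periodically to
# catch newly created files that the umask did not cover.
untrusted_executables() {
    dir=$1; trusted_uid=${2:-0}
    find "$dir" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) \
        ! -user "$trusted_uid" -print
}

# Constructed sample of mount output (not taken from a real host).
sample_mounts='/dev/ada0p2 on / (ufs, local, journaled soft-updates)
/dev/ada0p4 on /home (ufs, local, noexec, nosuid)
tmpfs on /tmp (tmpfs, local)'

# Demo: reports / and /tmp for the sample; audits a directory if one is given.
printf '%s\n' "$sample_mounts" | mounts_without_noexec
if [ $# -gt 0 ]; then
    untrusted_executables "$1"
fi
```

On a live system, feed the first function with `mount | mounts_without_noexec` and point the second at user-writable trees such as home directories.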