From owner-freebsd-isp@FreeBSD.ORG Tue Jul 26 14:12:16 2005 Return-Path: X-Original-To: freebsd-isp@freebsd.org Delivered-To: freebsd-isp@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1E6FC16A41F for ; Tue, 26 Jul 2005 14:12:16 +0000 (GMT) (envelope-from bv@bilver.wjv.com) Received: from wjv.com (fl-65-40-24-38.sta.sprint-hsd.net [65.40.24.38]) by mx1.FreeBSD.org (Postfix) with ESMTP id 92A1443D49 for ; Tue, 26 Jul 2005 14:12:15 +0000 (GMT) (envelope-from bv@bilver.wjv.com) Received: from bilver.wjv.com (localhost.wjv.com [127.0.0.1]) by wjv.com (8.12.11/8.13.1) with ESMTP id j6QEBpq9014645; Tue, 26 Jul 2005 10:11:52 -0400 (EDT) (envelope-from bv@bilver.wjv.com) Received: (from bv@localhost) by bilver.wjv.com (8.12.11/8.13.1/Submit) id j6QEBn6x014644; Tue, 26 Jul 2005 10:11:49 -0400 (EDT) (envelope-from bv) Date: Tue, 26 Jul 2005 10:11:49 -0400 From: Bill Vermillion To: Eric Anderson Message-ID: <20050726141149.GC14374@wjv.com> References: <42E54654.1090705@chef-ingenieur.de> <42E549E7.4070606@centtech.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <42E549E7.4070606@centtech.com> Organization: W.J.Vermillion / Orlando - Winter Park ReplyTo: bv@wjv.com User-Agent: Mutt/1.5.6i X-Spam-Status: No, score=-2.8 required=5.0 tests=ALL_TRUSTED autolearn=failed version=3.0.4 X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on bilver.wjv.com Cc: freebsd-isp@freebsd.org Subject: Re: preventing a user to start a process X-BeenThere: freebsd-isp@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: bv@wjv.com List-Id: Internet Services Providers List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 26 Jul 2005 14:12:16 -0000 -segmentation fault- press any key to reboot Damn damn damn Eric Anderson said, after restarting his PC and mailer on Mon, Jul 25, 2005 at 15:21 . > Thomas Krause wrote: > >Hello, > >is it possible to bar a user (www) from starting a process? > >I've a irc daemon running under the uid www. I think > >this was done by php. What would be the best way to prevent > >this (php should be remain usable)? I've installed ipfw rules, > >but this doesn't prevent the starting of the process. > Change the permissions on the file to not allow world execution? > chmod 750 /path/to/irc-daemon > and make sure it isn't owner by www user, and the www user is not in the > group that owns the daemon. Well that would mean that anyone else who might need to execute that file can only do so if they 1) own it or 2) are in the group. To get around this change the modes of the program in a way that is non-intuitive. Change the group of that daemon to www and the change the mode to 705. Since this evaluates left to right it will fail at www while all others will be able to use the file. This seems to be overlooked by many who think that 'world' means everyone, while it means everyone who doesn't match in owner or group. Bill -- Bill Vermillion - bv @ wjv . com