Date: Tue, 26 Jul 2005 09:17:17 -0500
From: Eric Anderson <anderson@centtech.com>
To: bv@wjv.com
Cc: freebsd-isp@freebsd.org
Subject: Re: preventing a user to start a process
Message-ID: <42E645ED.8050408@centtech.com>
In-Reply-To: <20050726141149.GC14374@wjv.com>
References: <42E54654.1090705@chef-ingenieur.de> <42E549E7.4070606@centtech.com> <20050726141149.GC14374@wjv.com>

Bill Vermillion wrote:
> -segmentation fault-
> press any key to reboot
> Damn damn damn Eric Anderson said, after restarting his
> PC and mailer on Mon, Jul 25, 2005 at 15:21 .
>
>>Thomas Krause wrote:
>>
>>>Hello,
>>>is it possible to bar a user (www) from starting a process?
>>>I've an irc daemon running under the uid www. I think
>>>this was done by php. What would be the best way to prevent
>>>this (php should remain usable)? I've installed ipfw rules,
>>>but this doesn't prevent the starting of the process.
>
>>Change the permissions on the file to not allow world execution?
>
>>chmod 750 /path/to/irc-daemon
>
>>and make sure it isn't owned by www user, and the www user is not in the
>>group that owns the daemon.
>
> Well that would mean that anyone else who might need to execute
> that file can only do so if they 1) own it or 2) are in the group.
>
> To get around this change the modes of the program in a way that is
> non-intuitive.
>
> Change the group of that daemon to www and then change the mode
> to 705. Since this evaluates left to right it will fail at www
> while all others will be able to use the file. This seems to be
> overlooked by many who think that 'world' means everyone, while
> it means everyone who doesn't match in owner or group.

Ahh, great idea.. Unfortunately, his problem was worse than our solutions :(

Eric

-- 
------------------------------------------------------------------------
Eric Anderson        Sr. Systems Administrator        Centaur Technology
A lost ounce of gold may be found, a lost moment of time never.
------------------------------------------------------------------------
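
The owner/group/other evaluation order discussed in this thread, modelled as an added example that is not part of the original messages. The uids, gids and account names are constructed for illustration; only the classic mode bits are modelled, not ACLs or MAC policies.

```python
import stat

def applicable_class(file_uid, file_gid, uid, gids):
    """Return the single permission class that is consulted: first match wins."""
    if uid == file_uid:
        return "owner"
    if file_gid in gids:
        return "group"
    return "other"

def may_execute(mode, file_uid, file_gid, uid, gids):
    """Classic Unix mode-bit check for the execute permission."""
    any_x = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    if uid == 0:
        # root may execute a regular file as soon as any execute bit is set
        return bool(mode & any_x)
    bit = {"owner": stat.S_IXUSR,
           "group": stat.S_IXGRP,
           "other": stat.S_IXOTH}[applicable_class(file_uid, file_gid, uid, gids)]
    # Only this one class is checked; there is no fall-through to "other".
    return bool(mode & bit)

# Constructed sample accounts (numeric ids are illustrative assumptions)
ROOT, WWW, ALICE = 0, 80, 1001
GID_WHEEL, GID_WWW, GID_USERS = 0, 80, 100
USERS = {"www": (WWW, {GID_WWW}), "alice": (ALICE, {GID_USERS})}

def report(mode, file_uid, file_gid):
    """Map each sample account to whether it may execute the file."""
    return {name: may_execute(mode, file_uid, file_gid, uid, gids)
            for name, (uid, gids) in USERS.items()}

if __name__ == "__main__":
    # chmod 750, root:wheel -> blocks www, but also every other non-member
    print("750 root:wheel", report(0o750, ROOT, GID_WHEEL))
    # chmod 705, root:www -> www matches the group class and is denied there
    print("705 root:www  ", report(0o705, ROOT, GID_WWW))
    # Same mode but owned by www: the owner class applies and www may run it
    print("705 www:www   ", report(0o705, WWW, GID_WWW))
```

The third case shows why the file must not be owned by www: the owner class is matched first, and an owner can also change the mode back.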