From owner-freebsd-isp@FreeBSD.ORG Tue Jul 26 14:17:31 2005
X-Original-To: freebsd-isp@freebsd.org
Delivered-To: freebsd-isp@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5DAFA16A41F; Tue, 26 Jul 2005 14:17:31 +0000 (GMT) (envelope-from anderson@centtech.com)
Received: from mh2.centtech.com (moat3.centtech.com [207.200.51.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id EE4A243D45; Tue, 26 Jul 2005 14:17:30 +0000 (GMT) (envelope-from anderson@centtech.com)
Received: from [10.177.171.220] (neutrino.centtech.com [10.177.171.220]) by mh2.centtech.com (8.13.1/8.13.1) with ESMTP id j6QEHKB8096283; Tue, 26 Jul 2005 09:17:20 -0500 (CDT) (envelope-from anderson@centtech.com)
Message-ID: <42E645ED.8050408@centtech.com>
Date: Tue, 26 Jul 2005 09:17:17 -0500
From: Eric Anderson
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.8) Gecko/20050603
MIME-Version: 1.0
To: bv@wjv.com
Cc: freebsd-isp@freebsd.org
References: <42E54654.1090705@chef-ingenieur.de> <42E549E7.4070606@centtech.com> <20050726141149.GC14374@wjv.com>
In-Reply-To: <20050726141149.GC14374@wjv.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Subject: Re: preventing a user to start a process
List-Id: Internet Services Providers
X-List-Received-Date: Tue, 26 Jul 2005 14:17:31 -0000

Bill Vermillion wrote:
> -segmentation fault-
> press any key to reboot
> Damn damn damn Eric Anderson said, after restarting his
> PC and mailer on Mon, Jul 25, 2005 at 15:21 .
>
>> Thomas Krause wrote:
>>
>>> Hello,
>>> is it possible to bar a user (www) from starting a process?
>>> I've an irc daemon running under the uid www. I think
>>> this was done by php. What would be the best way to prevent
>>> this (php should remain usable)? I've installed ipfw rules,
>>> but this doesn't prevent the starting of the process.
>
>> Change the permissions on the file to not allow world execution?
>
>> chmod 750 /path/to/irc-daemon
>
>> and make sure it isn't owned by the www user, and the www user is not in the
>> group that owns the daemon.
>
> Well that would mean that anyone else who might need to execute
> that file can only do so if they 1) own it or 2) are in the group.
>
> To get around this change the modes of the program in a way that is
> non-intuitive.
>
> Change the group of that daemon to www and then change the mode
> to 705. Since this evaluates left to right it will fail at www
> while all others will be able to use the file. This seems to be
> overlooked by many who think that 'world' means everyone, while
> it means everyone who doesn't match in owner or group.

Ahh, great idea.. Unfortunately, his problem was worse than our solutions :(

Eric

-- 
------------------------------------------------------------------------
Eric Anderson        Sr. Systems Administrator        Centaur Technology
A lost ounce of gold may be found, a lost moment of time never.
------------------------------------------------------------------------
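The permission rule Bill relies on (consult the owner triplet if the caller owns the file, else the group triplet if any of the caller's groups matches, else "other", with no fall-through to a more permissive triplet) is what makes `chgrp www; chmod 705` deny www while leaving everyone else able to run the daemon. The Python below is an added example written for this page, not code from the thread or from FreeBSD; `unix_access` is a model of the ordering used by the kernel's access check, not a call into it. The account names and the uid/gid numbers (www as 80, the others arbitrary) are constructed for the example, and `demo_on_tempfile` reuses a scratch file's existing group in place of www because changing a file's group normally needs privileges.

```python
import os
import stat
import tempfile

# Permission bits for one rwx triplet.
R, W, X = 4, 2, 1


def unix_access(mode: int, file_uid: int, file_gid: int,
                uid: int, gids: frozenset, want: int) -> bool:
    """Model the classic Unix discretionary access check.

    Exactly one triplet of `mode` (permission bits only, e.g. 0o705) is
    consulted: the owner's if `uid` owns the file, otherwise the group's if
    any of the caller's `gids` matches the file's group, otherwise "other".
    There is no fall-through, so a zeroed group triplet denies group
    members even when "other" grants the bit.
    """
    if uid == 0:
        # Root bypasses DAC, except that executing a file still needs at
        # least one x bit somewhere in the mode.
        return want != X or (mode & 0o111) != 0
    if uid == file_uid:
        bits = (mode >> 6) & 7
    elif file_gid in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return (bits & want) == want


def who_can_execute(mode: int, file_uid: int, file_gid: int,
                    users: dict) -> dict:
    """Map each name in `users` ({name: (uid, frozenset_of_gids)}) to whether
    that user may execute a file with the given owner, group and mode."""
    return {name: unix_access(mode, file_uid, file_gid, uid, gids, X)
            for name, (uid, gids) in users.items()}


# Constructed accounts; the uid/gid numbers are assumptions for the example.
WWW_UID = WWW_GID = 80          # FreeBSD's www account is uid/gid 80
OWNER_UID, OWNER_GID = 1001, 1001
USERS = {
    "www":   (WWW_UID, frozenset({WWW_GID})),
    "owner": (OWNER_UID, frozenset({OWNER_GID})),
    "carol": (1002, frozenset({1002})),            # unrelated user
    "alice": (1003, frozenset({1003, WWW_GID})),   # also a member of www
}


def compare_approaches() -> dict:
    """Evaluate the two fixes from the thread against the constructed users.

    chmod 750 with group wheel (gid 0): only the owner and wheel can run it.
    chgrp www; chmod 705: the group triplet is 0, so www (and anyone else
    who is in group www, like alice) is denied, while every other user
    gets the "other" bits and can still execute the file.
    """
    return {
        "chmod_750_group_wheel": who_can_execute(0o750, OWNER_UID, 0, USERS),
        "chgrp_www_chmod_705": who_can_execute(0o705, OWNER_UID, WWW_GID, USERS),
    }


def can_execute_path(path: str, uid: int, gids: frozenset) -> bool:
    """Apply the same check to a real file's owner, group and mode bits."""
    st = os.stat(path)
    return unix_access(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid,
                       uid, gids, X)


def demo_on_tempfile() -> dict:
    """Create a scratch file with mode 705 and ask the check about a
    (constructed) user who is in the file's group versus an unrelated one.
    The file's existing gid stands in for "www" here."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        path = f.name
    try:
        os.chmod(path, 0o705)
        st = os.stat(path)
        in_group = can_execute_path(path, 60000, frozenset({st.st_gid}))
        stranger = can_execute_path(path, 60001, frozenset({60001}))
    finally:
        os.unlink(path)
    return {"member_of_file_group": in_group, "unrelated_user": stranger}


if __name__ == "__main__":
    for approach, result in compare_approaches().items():
        print(approach, result)
    print("tempfile", demo_on_tempfile())
```

The `alice` entry is the caveat a practitioner should keep in mind with the 705 trick: it denies every member of group www, not only the www account, and it does nothing about a script that copies the binary somewhere www can write and execute it.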