From: Eric Anderson
Date: Mon, 25 Jul 2005 15:21:59 -0500
To: Thomas Krause
Cc: freebsd-isp@freebsd.org
Subject: Re: preventing a user to start a process
Message-ID: <42E549E7.4070606@centtech.com>
In-Reply-To: <42E54654.1090705@chef-ingenieur.de>

Thomas Krause wrote:
> Hello,
> is it possible to bar a user (www) from starting a process?
> I've an irc daemon running under the uid www. I think
> this was done by php. What would be the best way to prevent
> this (php should remain usable)? I've installed ipfw rules,
> but this doesn't prevent the starting of the process.

Change the permissions on the file to not allow world execution?

    chmod 750 /path/to/irc-daemon

and make sure it isn't owned by the www user, and the www user is not in
the group that owns the daemon.

Eric

-- 
Eric Anderson        Sr. Systems Administrator        Centaur Technology
A lost ounce of gold may be found, a lost moment of time never.
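
The check behind the reply above, as an added example that is not part of the original message: it works out which permission class (owner, group or other) applies to an account and whether that class has the execute bit. The function names, the root:wheel ownership and the uid/gid 80 for www are assumptions for illustration; only classic mode bits are evaluated, not ACLs or MAC policy.

```shell
#!/bin/sh
# Added example (hypothetical helper names): mode-bit execute check only.

# is_x CHAR: x, s (setuid/setgid with x) and t (sticky with x) mean execute is set.
is_x() { case $1 in x|s|t) return 0 ;; *) return 1 ;; esac; }

# class_can_exec MODE FILE_UID FILE_GID UID "GID LIST"
# MODE is the 10-character string from ls -l, e.g. -rwxr-x---.
# Prints the class that applies and returns 0 if it may execute, 1 if not.
# Only the first matching class counts: an owner without x is denied even
# when the group or other bits would allow it.
class_can_exec() {
    mode=$1 fuid=$2 fgid=$3 uid=$4 gids=$5
    ox=$(printf '%s' "$mode" | cut -c4)
    gx=$(printf '%s' "$mode" | cut -c7)
    wx=$(printf '%s' "$mode" | cut -c10)
    if [ "$uid" -eq 0 ]; then
        # root may execute as soon as any execute bit is set
        echo root
        is_x "$ox" || is_x "$gx" || is_x "$wx"
        return
    fi
    if [ "$uid" -eq "$fuid" ]; then echo owner; is_x "$ox"; return; fi
    for g in $gids; do
        if [ "$g" -eq "$fgid" ]; then echo group; is_x "$gx"; return; fi
    done
    echo other
    is_x "$wx"
}

# user_can_exec PATH USER: the same check against a real file and account.
user_can_exec() {
    ls -ldn -- "$1" | {
        read -r lsmode _links fileuid filegid _rest
        # cut drops a trailing ACL marker such as + from the mode column
        class_can_exec "$(printf '%s' "$lsmode" | cut -c1-10)" \
            "$fileuid" "$filegid" "$(id -u "$2")" "$(id -G "$2")"
    }
}

# Constructed case matching the reply: mode 750, owned by root:wheel (0:0),
# account www with uid 80 and only group 80 (assumed ids).
class_can_exec -rwxr-x--- 0 0 80 "80" \
    && echo "www can execute" || echo "www cannot execute"
```

Run `user_can_exec /path/to/irc-daemon www` after the chmod to confirm the result is `other` with a non-zero exit status.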