Date: Tue, 13 Jan 2004 17:08:44 -0500
From: Charles Swiger <cswiger@mac.com>
To: Jefferson San Juan <Jefferson.San.Juan@hiMolde.no>
Cc: freebsd-questions@freebsd.org
Subject: Re: binary execute restrictions
Message-ID: <0D7DAA44-4615-11D8-AA98-003065ABFD92@mac.com>
In-Reply-To: <000d01c3d980$5521b6e0$5858269e@JANELLE>
References: <000d01c3d980$5521b6e0$5858269e@JANELLE>

On Jan 12, 2004, at 9:52 PM, Jefferson San Juan wrote:
> How do I restrict normal users from executing their own compiled
> executable binary files?

Give them a "restricted shell" which limits the commands they can run to ones you specify. See "man zshall" for one example, although other restricted shells exist which might come closer to what you want than ZSH particularly:

RESTRICTED SHELL
    When the basename of the command used to invoke zsh starts with the letter `r' or the `-r' command line option is supplied at invocation, the shell becomes restricted. Emulation mode is determined after stripping the letter `r' from the invocation name. The following are disabled in restricted mode:

    o  changing directories with the cd builtin
    o  changing or unsetting the PATH, path, MODULE_PATH, module_path, SHELL, HISTFILE, HISTSIZE, GID, EGID, UID, EUID, USERNAME, LD_LIBRARY_PATH, LD_AOUT_LIBRARY_PATH, LD_PRELOAD and LD_AOUT_PRELOAD parameters
    o  specifying command names containing /
    o  specifying command pathnames using hash
    o  redirecting output to files
    o  using the exec builtin command to replace the shell with another command
    o  using jobs -Z to overwrite the shell process' argument and environment space
    o  using the ARGV0 parameter to override argv[0] for external commands
    o  turning off restricted mode with set +r or unsetopt RESTRICTED

-- 
-Chuck
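
Added example, not part of the message above or of the zsh documentation: a POSIX sh check that starts a shell with -r and confirms it refuses several of the actions the man page excerpt lists. It goes slightly beyond zsh in that it works against any shell that accepts -r (bash is assumed to behave the same way for these probes); the function names, marker string and probe snippets are constructed for illustration.

```shell
#!/bin/sh
# Added example: probe a shell started with -r for the restrictions listed above.
# All probe snippets and the marker string are constructed for this check.
MARK=RESTRICTION_BYPASSED

# blocked SHELL SNIPPET: exit 0 if the restricted shell refused SNIPPET.
# A snippet prints $MARK only when the restricted action really succeeded.
blocked() {
    out=$("$1" -r -c "$2" 2>/dev/null </dev/null) || true
    case $out in
        *"$MARK"*) return 1 ;;
        *)         return 0 ;;
    esac
}

# audit_restricted SHELL: one report line per probe; exit status is the
# number of probes that were NOT blocked (0 means every restriction held).
audit_restricted() {
    shell=$1
    failures=0
    tmp=${TMPDIR:-/tmp}/rsh-probe.$$
    while IFS='|' read -r name snippet; do
        if blocked "$shell" "$snippet"; then
            echo "blocked      $name"
        else
            echo "NOT blocked  $name"
            failures=$((failures + 1))
        fi
    done <<EOF
cd builtin|cd / && echo $MARK
assign PATH|PATH=/constructed; [ "\$PATH" = /constructed ] && echo $MARK
slash in command name|/bin/echo $MARK
output redirection|echo x > "$tmp" && echo $MARK
exec builtin|exec echo $MARK
set +r|set +r && cd / && echo $MARK
EOF
    rm -f "$tmp"
    return "$failures"
}
```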