Date:      Mon, 10 Jul 1995 11:49:02 -0700 (PDT)
From:      Brant Katkansky <bmk@dtr.com>
To:        security@freebsd.org
Subject:   FreeBSD group execute permission
Message-ID:  <199507101849.LAA08285@everest>

At my site, I want to be able to have two classes of users: normal users 
with access to a full suite of binaries, and restricted users with a limited
selection of binaries.  Due to some additional requirements, a chroot
environment is not desirable.

One way I've thought of to do this is to assign all of the restricted users
to group 'restrict' and make all the system bin directories "chgrp restrict"
with no group read or execute permission.  In other words:

  directory  /usr/local/bin owner=bin group=restrict mode=0505

An additional directory with unrestricted binaries would be provided:

  directory /usr/local/rbin owner=bin group=bin mode=0555

The users in the restricted group would have no shell or ftp access, so
should not be able to load their own binaries.  Access would be provided via a
menu, and only "safe" programs would be allowed.

I've tested this method and it appears to achieve what I want, but I'd like
to know a few things:

	* is there a better way?

	* are there additional security concerns?
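
Added example, not part of the original message: a small Python model of the owner/group/other class selection that the mode 0505 scheme relies on, applied to the two directories from the post. The user names are hypothetical, and the superuser is identified by name as a simplification.

```python
# Added example: models the classic Unix rule that exactly one permission
# class (owner, else group, else other) is consulted for an access check.
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    path: str
    owner: str
    group: str
    mode: int  # permission bits, e.g. 0o505

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset  # primary plus supplementary groups

R, W, X = 4, 2, 1

def effective_bits(user, entry):
    """Return the rwx triplet that applies to this user for this entry."""
    if user.name == entry.owner:
        return (entry.mode >> 6) & 7
    if entry.group in user.groups:
        # The group class is used even when 'other' would grant more.
        return (entry.mode >> 3) & 7
    return entry.mode & 7

def can_search(user, entry):
    """Directory search (x) permission, needed to run anything inside it."""
    if user.name == "root":  # simplification: superuser bypasses mode bits
        return True
    return bool(effective_bits(user, entry) & X)

# Constructed sample data: directory settings are from the post,
# user names are hypothetical.
BIN = Entry("/usr/local/bin", "bin", "restrict", 0o505)
RBIN = Entry("/usr/local/rbin", "bin", "bin", 0o555)
alice = User("alice", frozenset({"users"}))              # normal user
guest = User("guest", frozenset({"restrict"}))           # restricted user
mixed = User("mixed", frozenset({"users", "restrict"}))  # supplementary member

def report():
    """Map (user, directory) to whether the directory can be searched."""
    return {(u.name, d.path): can_search(u, d)
            for u in (alice, guest, mixed) for d in (BIN, RBIN)}

if __name__ == "__main__":
    for (name, path), ok in report().items():
        print(f"{name:6} {path:16} {'allowed' if ok else 'denied'}")
```

The `mixed` case shows that any account carrying `restrict` as a supplementary group is also locked out of `/usr/local/bin`, so group membership has to be audited in both directions.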




