Date: Tue, 26 Jul 2005 10:11:49 -0400
From: Bill Vermillion <bv@wjv.com>
To: Eric Anderson <anderson@centtech.com>
Cc: freebsd-isp@freebsd.org
Subject: Re: preventing a user to start a process
Message-ID: <20050726141149.GC14374@wjv.com>
In-Reply-To: <42E549E7.4070606@centtech.com>
References: <42E54654.1090705@chef-ingenieur.de> <42E549E7.4070606@centtech.com>
-segmentation fault- press any key to reboot
Damn damn damn

Eric Anderson said, after restarting his PC and mailer on Mon, Jul 25, 2005 at 15:21:

> Thomas Krause wrote:
> >Hello,
> >is it possible to bar a user (www) from starting a process?
> >I've an irc daemon running under the uid www. I think
> >this was done by php. What would be the best way to prevent
> >this (php should remain usable)? I've installed ipfw rules,
> >but this doesn't prevent the starting of the process.

> Change the permissions on the file to not allow world execution?

> chmod 750 /path/to/irc-daemon

> and make sure it isn't owned by the www user, and the www user is not in the
> group that owns the daemon.

Well that would mean that anyone else who might need to execute that file can only do so if they 1) own it or 2) are in the group.

To get around this, change the modes of the program in a way that is non-intuitive. Change the group of that daemon to www and then change the mode to 705. Since this evaluates left to right it will fail at www while all others will be able to use the file.

This seems to be overlooked by many who think that 'world' means everyone, while it means everyone who doesn't match in owner or group.

Bill

--
Bill Vermillion - bv @ wjv . com
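The "evaluates left to right" rule Bill relies on is the kernel's mode-bit check: exactly one of the owner, group or other triplets applies to a given caller, and the first class that matches wins even when a later class would have granted more. The following Python models that check and runs both schemes from the thread against constructed uids (www as uid/gid 80, an unrelated user as uid/gid 1001, root as 0; these numbers are assumptions, not taken from the mail). It is an added example, not code from the original message or from FreeBSD.

```python
import os
import stat
from typing import Iterable

# Execute bit for each permission class, in the order the kernel tries them.
_X_BIT = {"owner": stat.S_IXUSR, "group": stat.S_IXGRP, "other": stat.S_IXOTH}


def permission_class(uid: int, gids: Iterable[int], file_uid: int, file_gid: int) -> str:
    """Pick the single class used for this caller: owner, else group, else other.

    There is no fall-through: a caller whose group matches is judged on the
    group bits only, even if the 'other' bits are more permissive.
    """
    if uid == file_uid:
        return "owner"
    if file_gid in set(gids):
        return "group"
    return "other"


def may_execute(uid: int, gids: Iterable[int], file_uid: int, file_gid: int, mode: int) -> bool:
    """Return True if the caller passes the mode-bit check for execute on a regular file."""
    if uid == 0:
        # The superuser bypasses the class check but still needs at least one x bit set.
        return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    cls = permission_class(uid, gids, file_uid, file_gid)
    return bool(mode & _X_BIT[cls])


def may_execute_path(path: str, uid: int, gids: Iterable[int]) -> bool:
    """Same check against a real file's ownership and mode bits (mode bits only; no ACLs)."""
    st = os.stat(path)
    return may_execute(uid, gids, st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))


# Constructed principals (assumed ids, not from the thread): www, an unrelated user, root.
WWW = (80, {80})
OTHER_USER = (1001, {1001})
ROOT = (0, {0})


def bill_scheme(uid: int, gids: Iterable[int]) -> bool:
    """Daemon owned by root, group www, mode 705: www is stopped at the group triplet."""
    return may_execute(uid, gids, 0, 80, 0o705)


def eric_scheme(uid: int, gids: Iterable[int]) -> bool:
    """Daemon owned by root, group wheel (gid 0), mode 750: only owner and group members run it."""
    return may_execute(uid, gids, 0, 0, 0o750)


if __name__ == "__main__":
    for name, who in (("www", WWW), ("other user", OTHER_USER), ("root", ROOT)):
        print(f"{name:11s} 705/group www -> {bill_scheme(*who)}   750/group wheel -> {eric_scheme(*who)}")
```

The table the script prints makes the trade-off in the thread concrete: with 705 and group www, the www user alone is refused while everyone else keeps execute; with 750 the unrelated user loses execute as well. Note what the check does not cover: it models only the mode bits on that one file, so a caller who can write a copy of the binary somewhere else, or start some other program, is not affected by either scheme.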