>: > Hi,
>: > I'd like to know if it is somehow possible to mount a filesystem 'noexec',
>: > so it doesn't allow execution of binaries on that disk. I'd like to use it
>: > to disallow users in our FreeNet environment to install binary's in their
>: > homedirectories and execute them.
>: Effectively what you want is to stop users executing files which are stored
>: in their home directories, right?
>: There would be nothing to stop them putting the binaries elsewhere, like in
>: /tmp and running them there.
>Sorry, I might not be entirely clear about what I meant. I wan't users to be
>able to execute the programs we provide (Lynx, Pine, nn, and a few other
>programs), and nothing else. Since our users have FTP access, to upload
>files for their homepgae, they could upload their own binaries, and execute
>them. We have build a chroot-environment, so normal users don't have access
>to the entire file-system.
>I want people to be able to execute the programs we provide, but not to be
>able to execute programs that they installed themselfs. So the ideal
>situation would be to have some filesystem which contains the executables,
>and isn't writable for normal users, and a filesystem which contains the
>user's homedirectories, in which they should be able to write, but not to
>De Digitale Stad - The Digital City
>Amsterdam, The Netherlands
Have you examined using a restricted shell? If ksh is invoked
using the '-r' flag, then the user's activitys can be greatly
restricted. You can create their own bin directories that contain
soft links to the actual binaries that you want them to be able to
execute. If their PATH variable is limited to this directory, then
they will not be able to execute anything outside of that.
Mark Tovey |
Unix System Admin | In the land of the dark, the Ship of the Sun is
NextLink, Portland OR | driven by the Grateful Dead.