Re: preventing a user to start a process
From: Eric Anderson (anderson_at_centtech.com)
Date: 07/26/05
- Previous message: Bill Vermillion: "Re: preventing a user to start a process"
- In reply to: Bill Vermillion: "Re: preventing a user to start a process"
- Next in thread: Gustavo A. Baratto: "Re: preventing a user to start a process"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Tue, 26 Jul 2005 09:17:17 -0500
To: bv@wjv.com
Bill Vermillion wrote:
> -segmentation fault-
> press any key to reboot
> Damn damn damn Eric Anderson said, after restarting his
> PC and mailer on Mon, Jul 25, 2005 at 15:21 .
>
>
>>Thomas Krause wrote:
>>
>>>Hello,
>>>is it possible to bar a user (www) from starting a process?
>>>I've an irc daemon running under the uid www. I think
>>>this was done by php. What would be the best way to prevent
>>>this (php should remain usable)? I've installed ipfw rules,
>>>but this doesn't prevent the starting of the process.
>
>
>>Change the permissions on the file to not allow world execution?
>
>
>>chmod 750 /path/to/irc-daemon
>
>
>>and make sure it isn't owned by the www user, and the www user is not in the
>>group that owns the daemon.
>
>
> Well that would mean that anyone else who might need to execute
> that file can only do so if they 1) own it or 2) are in the group.
>
> To get around this change the modes of the program in a way that is
> non-intuitive.
>
> Change the group of that daemon to www and then change the mode
> to 705. Since this evaluates left to right it will fail at www
> while all others will be able to use the file. This seems to be
> overlooked by many who think that 'world' means everyone, while
> it means everyone who doesn't match in owner or group.
Ahh, great idea.. Unfortunately, his problem was worse than our
solutions :(
Eric
--
------------------------------------------------------------------------
Eric Anderson        Sr. Systems Administrator        Centaur Technology
A lost ounce of gold may be found, a lost moment of time never.
------------------------------------------------------------------------
_______________________________________________
freebsd-isp@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-isp
To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
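
Added example, not part of the original thread: a small model of the mode-bit check discussed above, showing why mode 705 with group www locks out www while other users can still execute the file. The numeric IDs, the user "alice", the root:wheel ownership and the function names are assumptions made for illustration.

```python
import os
import stat

def permission_class(file_uid, file_gid, proc_uid, proc_gids):
    """Pick the ONE triplet the kernel consults: first match wins, no fall-through."""
    if proc_uid == file_uid:
        return "owner"
    if file_gid in proc_gids:
        return "group"
    return "other"

def may_execute(mode, file_uid, file_gid, proc_uid, proc_gids):
    """Classic mode-bit execute check (ignores ACLs and MAC policy)."""
    any_x = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    if proc_uid == 0:
        # The superuser bypasses class selection but still needs some x bit set.
        return bool(mode & any_x)
    x_bit = {"owner": stat.S_IXUSR, "group": stat.S_IXGRP, "other": stat.S_IXOTH}
    return bool(mode & x_bit[permission_class(file_uid, file_gid, proc_uid, proc_gids)])

def audit_path(path, proc_uid, proc_gids):
    """Apply the same check to a real file's owner, group and mode."""
    st = os.stat(path)
    return may_execute(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, proc_uid, proc_gids)

# Constructed numeric IDs for illustration; real values come from passwd/group.
ROOT, WHEEL, WWW, ALICE, USERS = 0, 0, 80, 1001, 1001

def thread_cases():
    """The two layouts from the thread, checked for www and an unrelated user."""
    return {
        # chmod 750, assumed owned by root:wheel, www not in the owning group
        ("750 root:wheel", "www"): may_execute(0o750, ROOT, WHEEL, WWW, {WWW}),
        ("750 root:wheel", "alice"): may_execute(0o750, ROOT, WHEEL, ALICE, {USERS}),
        # chmod 705 with the group set to www
        ("705 root:www", "www"): may_execute(0o705, ROOT, WWW, WWW, {WWW}),
        ("705 root:www", "alice"): may_execute(0o705, ROOT, WWW, ALICE, {USERS}),
    }

if __name__ == "__main__":
    for (layout, user), allowed in thread_cases().items():
        print(f"{layout:16} {user:6} execute={'yes' if allowed else 'no'}")
```

audit_path() runs the same check against a file on disk, given the numeric uid and group set of the account being audited.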