Restricting user's ability to execute binaries in home directory.

Brian Cluff plug-discuss@lists.PLUG.phoenix.az.us
Mon, 11 Jun 2001 13:48:57 -0700


There is a mode that you can kick bash into that will allow you to set a lot
of what you want.  I have never actually used it, but it looks like it might
give you what you want.   It almost might call for a recompile of bash with
some different flags.  Then you just have a new bash binary that you point
the non-trusted users to.

Brian Cluff

> I am in the process of opening up my personal server to other people to
> store files and receive e-mail.  The problem is that I do not want all
> of them to be able to execute binaries from their home directories.  (I
> consider this a security risk.)  Some of the people are trusted users
> and I do want them to be able to execute binaries.
>
> So far the only way I have seen to restrict arbitrary execution is with
> the noexec option in the /etc/fstab.  Unfortunately this also prevents
> my trusted users from executing their programs.  Any suggestions?
>
>
> --
> Chris Lewis
> Tesla Systems
> shadow@digitalnirvana.com
> ----------------------------------------
> You want what?? When??  And how cold is it in Hell today?
> ----------------------------------------
>
> The following code is a PERL script capable of decoding a CSS (Content
> Scrambling System) encrypted DVD in real time.  This is illegal to
> possess in the US according to the Digital Millennium Copyright Act, a
> set of laws passed by anonymous vote in congress in 1998.  The Motion
> Picture Association of America (MPAA) is opposed to the distribution of
> this software because it allows the owners of CSS encrypted DVDs to
> exercise their long-standing fair use rights with new digital
> technologies.  For more information, please visit:
> http://www.opendvd.org/
>
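One mode of the kind the reply describes is bash's restricted shell (`bash -r`, or bash invoked as `rbash`); that this is the mode meant is an assumption. The script below is an added example, not part of either poster's message, and compares normal and restricted bash in a constructed temporary sandbox whose directory names (`home`, `allowed`, `prog`) are made up for the demonstration.

```shell
#!/bin/sh
# Added example: bash restricted mode (bash -r) with an allow-list PATH.
# All directories and files are constructed in a temporary sandbox.
BASH_BIN=$(command -v bash)   # assumption: bash is installed

setup_sandbox() {
    SANDBOX=$(mktemp -d) || return 1
    mkdir "$SANDBOX/home" "$SANDBOX/allowed"
    # A program the user dropped into their (stand-in) home directory.
    printf '#!/bin/sh\necho ran-from-home\n' > "$SANDBOX/home/prog"
    chmod +x "$SANDBOX/home/prog"
    # The one command the administrator decided to allow.
    ln -s "$(command -v id)" "$SANDBOX/allowed/id"
}

# run_in MODE COMMAND: run COMMAND from the stand-in home directory with PATH
# limited to the allow-list. MODE is "normal" or "restricted".
run_in() {
    flag=
    if [ "$1" = restricted ]; then flag=-r; fi
    ( cd "$SANDBOX/home" &&
      HOME=$SANDBOX/home PATH=$SANDBOX/allowed LC_ALL=C \
          "$BASH_BIN" $flag -c "$2" 2>&1 )
}

# refused COMMAND: true when restricted bash itself rejects COMMAND.
refused() {
    out=$(run_in restricted "$1") || :
    case $out in
        *restricted*|*"readonly variable"*) return 0 ;;
        *) return 1 ;;
    esac
}

demo() {
    setup_sandbox || return 1
    echo "normal ./prog:     $(run_in normal ./prog)"
    echo "restricted ./prog: $(run_in restricted ./prog)"
    echo "restricted PATH=:  $(run_in restricted 'PATH=$HOME:$PATH; prog')"
    echo "restricted id -u:  $(run_in restricted 'id -u')"
    rm -rf "$SANDBOX"
}
demo
```

Trusted users keep an ordinary login shell while untrusted accounts get the restricted one. The restriction is only as tight as the allow-list: any permitted program that can start a shell or run a file of the user's choosing bypasses it.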