On Sat, 6 Nov 2004 00:13:28 +0100, Osamu Aoki <[EMAIL PROTECTED]> wrote: > > Is there an easy way to limit the commands a certain group of users > > can execute? I've looked at chroot, and it's too complicated for my > > needs and seems too easy to circumvent; users will be able to upload > > their own Perl scripts, so it seems that they'll be able to access > > commands outside their chroot by getting Apache w/ mod_perl to execute > > the script. > > Is is so?
Indeed. A chroot would only apply to a user if they were logged into the system. Let's say I wanted to prevent users executing the command "bad_command". Well, if "bad_command" was not available to a user in their chroot, they wouldn't be able to execute it. However, a user might write a Perl script that contained the following line: system("bad_command"); If they got Apache to execute the script, the "bad_command" would be run. This is the reason why I'm trying to approach this problem from a permissions standpoint. Of course, someone might suggest running an Apache daemon inside each user's chroot, but that's really impractical... > Use of chroot with bash started as rbash sems to be what you need. > > Or use of rbash with with PATH pointing to custom location where > commands exist. See the example above. Users would still be able to upload their own Perl scripts and get Apache to execute them without restriction - the Perl script could call commands that I want to ban the users from executing. -Stephen Le -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]