preventing a user to start a process

Bill Vermillion bv at wjv.com
Tue Jul 26 14:12:16 GMT 2005


-segmentation fault-
press any key to reboot
Damn damn damn Eric Anderson said, after restarting his
PC and mailer on Mon, Jul 25, 2005 at 15:21.

> Thomas Krause wrote:
> >Hello,
> >is it possible to bar a user (www) from starting a process?
> >I've an irc daemon running under the uid www. I think
> >this was done by php. What would be the best way to prevent
> >this (php should remain usable)? I've installed ipfw rules,
> >but this doesn't prevent the starting of the process.

> Change the permissions on the file to not allow world execution?

> chmod 750 /path/to/irc-daemon

> and make sure it isn't owned by the www user, and the www user is not in the
> group that owns the daemon.

Well that would mean that anyone else who might need to execute
that file can only do so if they 1) own it or 2) are in the group.

To get around this, change the modes of the program in a way that is
non-intuitive.

Change the group of that daemon to www and then change the mode
to 705.  Since this evaluates left to right it will fail at www
while all others will be able to use the file.  This seems to be
overlooked by many who think that 'world' means everyone, while
it means everyone who doesn't match in owner or group.

Bill

-- 
Bill Vermillion - bv @ wjv . com
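The owner/group/other evaluation Bill describes, modelled in Python as an added example (not code from the thread or from FreeBSD). The uids, gids and file ownerships below are constructed for illustration; the model checks only the execute bit of one file, the way access(2) picks a permission class.

```python
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Cred:
    uid: int
    gid: int
    groups: frozenset  # supplementary group ids


@dataclass(frozen=True)
class FileInfo:
    uid: int   # owner
    gid: int   # owning group
    mode: int  # permission bits only, e.g. 0o705


def may_execute(cred: Cred, f: FileInfo) -> bool:
    """POSIX class selection: the FIRST matching class (owner, then group,
    then other) decides.  A later class is never consulted, so a user in
    the owning group gets the group bits even if 'other' is more permissive."""
    if cred.uid == f.uid:
        return bool(f.mode & stat.S_IXUSR)
    if cred.gid == f.gid or f.gid in cred.groups:
        return bool(f.mode & stat.S_IXGRP)
    return bool(f.mode & stat.S_IXOTH)


def demo() -> dict:
    # Constructed principals: root, the www user, and an unrelated user.
    root = Cred(0, 0, frozenset({0}))
    www = Cred(80, 80, frozenset({80}))
    alice = Cred(1001, 1001, frozenset({1001}))
    # Eric's suggestion: root:wheel, chmod 750 (locks out alice as well).
    eric = FileInfo(uid=0, gid=0, mode=0o750)
    # Bill's suggestion: root:www, chmod 705 (denies only the www class).
    bill = FileInfo(uid=0, gid=80, mode=0o705)
    return {
        "750_www": may_execute(www, eric),
        "750_alice": may_execute(alice, eric),
        "705_www": may_execute(www, bill),
        "705_alice": may_execute(alice, bill),
        "705_root": may_execute(root, bill),
    }
```

The trick depends on www not owning the file: with www as owner the owner class (7) would win, and a user carrying www only as a supplementary group is still caught by the group class.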