binary execute restrictions

Charles Swiger cswiger at
Wed Jan 14 13:33:51 PST 2004

On Jan 13, 2004, at 9:04 PM, Lowell Gilbert wrote:
> I suspect that a restricted shell isn't going to be appropriate in
> this case.  Restricted shells are useful for avoiding shooting
> yourself in the foot, but they're really not intended to be secure.

You're probably right that my suggestion is only a partial solution, 
but using a restricted shell and chroot()ing these users to a home 
directory that isn't owned/writable by that UID should come pretty 
close to solving the Original Poster's problem.

It might also be the case that the OP might be better off not 
generating "normal user accounts", but using application-specific user 
databases (such as found in software like Cyrus) to give controlled 
access to a particular service.


More information about the freebsd-questions mailing list