[K12OSN] Basic Questions

Shahms King shahms at shahms.com
Wed Oct 25 23:13:37 UTC 2006


Robert Arkiletian wrote:

*snip*

> 
> When I want to restrict a program to a certain group. For example only 
> allow a certain group to run firefox.
> 
> 1) create a new group called firefox (system-config-users)
> 2) Add firefox group to all who you wish permission to run it
> 3) change group of firefox binary to firefox (chgrp firefox /usr/bin/firefox)
> 4) change permission of firefox binary (chmod 754 /usr/bin/firefox)

Note that this will only prevent people from running that particular 
firefox executable.  To keep people from running the installed firefox 
you'll also need to remove the 'other' read permission (chmod 750) or 
they can just cp the binary elsewhere and execute that.  Also, in the 
particular case of firefox, /usr/bin/firefox is usually a shell script 
or a symlink to a shell script in which case it can still be "executed" 
even without execute permission by running 'bash /usr/bin/firefox'.  To 
truly restrict execution to a specific group you'll need to chmod 750 
the real executable (/usr/lib/firefox*/firefox-bin).

--Shahms
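
The checks described in the reply above, as an added example that is not part of the original post: a shell function that resolves a path and reports the three gaps mentioned (execute bit for "other", read bit for "other", and a script wrapper in place of the real binary). The function name check_group_only is hypothetical, and GNU coreutils (readlink -f, stat -c) are assumed.

```shell
#!/bin/sh
# Added example: audit whether a file is really limited to owner + group.
# check_group_only PATH prints one finding per line and returns
#   0 = no finding, 1 = at least one finding, 2 = path is not a regular file.
check_group_only() {
    # Follow symlinks so the permissions of the real file are inspected.
    target=$(readlink -f -- "$1") || return 2
    [ -f "$target" ] || return 2

    mode=$(stat -c %a -- "$target")   # octal mode as text, e.g. 754
    other=$((mode % 10))              # last digit holds the "other" bits
    rc=0

    if [ $((other & 1)) -ne 0 ]; then
        echo "other-exec: $target ($mode) is executable by everyone"
        rc=1
    fi
    if [ $((other & 4)) -ne 0 ]; then
        echo "other-read: $target ($mode) can be copied and run elsewhere"
        rc=1
    fi

    # A "#!" file is run by its interpreter, which only needs to read it,
    # and restricting the wrapper does not restrict the program it starts.
    magic=$(head -c 2 -- "$target" 2>/dev/null | tr -d '\0')
    if [ "$magic" = "#!" ]; then
        echo "script: $target is a wrapper; restrict the binary it launches"
        rc=1
    fi
    return $rc
}
```

Run it as root (for example `check_group_only /usr/bin/firefox`) so that files already set to 750 can still be read for the wrapper check.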



