I want to prevent anyone from uploading and running their own binaries. The idea is simply to make sure that all partitions where users have write access will be mounted with the noexec flag.
And "noexec" is no way to prevent anybody from executing own binaries, they can still do.
Oh, you wanted an answer to _that_ question. =) Ok several ways I see of doing it: chroot. dump the user into /home/username, with a basic command shell (bash) and any utilities they need, chances are it's relatively little. Statically compile everyything so there's no /lib/, yadaya. SOmeone posted chroot patches for telnet to linux-security-audit a few weeks back. I wouldn't try this unless you're a glutton for punishment, it will be PAINFULL to setup. Don't do it, put the challupah down. A restricted shell like... http://www.whizziwig.com/drsh.shtml I haven't used this, but it looks like it might do the trick. Other solutions come to mind but they involve some voodoo magic and software that isn't really public/easily available or "compatible" with SuSE (you'd end up with a new distro basically). You prolly also want to limit what the users can do memory/cpu wise: http://www.sysadminmag.com/current/feature.shtml You may applaud at will ;)
oki,
Steffen
-Kurt