You can chgrp binaries and remove a user's permission to run them. Of course they can install their own binaries. Mounting /home noexec won't work either.

You can try something like restricted shell, just make sure the user can't chsh to something else. As for bash and --restricted that's kind of useless (as someone mentioned you just need to spawn another bash).

Chroot works but of course it's a total pain in the butt to do, and the user can still upload binaries/etc in any number of creative ways. There are a couple restricted shells floating around that allow you to make a list of what is allowed to run, but there are ways to get around that too (cron for example).

Ultimately the best way is to use something like NSA SELinux but that requires a huge amount of effort. Bummer huh.

Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/
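The "make sure the user can't chsh" check from the message above, as an added example that is not part of the original post. It assumes chsh behaves as documented in shadow's chsh(1), where a non-root user whose current login shell is not listed in /etc/shells may not change it; the account names and the `/usr/local/bin/rsh-menu` path are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): report whether an account
# confined to a restricted shell could simply chsh its way out.
# Assumption: chsh behaves as documented in shadow's chsh(1), where a user
# whose current login shell is not listed in /etc/shells may not change it.

# audit_login_shell USER [PASSWD_FILE] [SHELLS_FILE]
# Prints "no-such-user", "locked" (chsh refused) or "changeable".
audit_login_shell() {
    user=$1
    passwd_file=${2:-/etc/passwd}
    shells_file=${3:-/etc/shells}

    # Field 7 of a passwd entry is the login shell; "S" marks a found entry
    # so an empty shell field is distinguishable from a missing user.
    found=$(awk -F: -v u="$user" '$1 == u { print "S" $7; exit }' "$passwd_file")
    if [ -z "$found" ]; then
        echo "no-such-user"
        return 0
    fi
    shell=${found#S}
    # An empty shell field means the system default, /bin/sh.
    [ -n "$shell" ] || shell=/bin/sh

    # Exact, whole-line match against the non-comment lines of the shells file.
    if grep -v '^#' "$shells_file" | grep -Fxq -- "$shell"; then
        echo "changeable"
    else
        echo "locked"
    fi
}

# Demo on constructed sample files (not real system data).
demo_dir=$(mktemp -d)
printf '%s\n' \
    'alice:x:1001:1001::/home/alice:/bin/rbash' \
    'bob:x:1002:1002::/home/bob:/usr/local/bin/rsh-menu' > "$demo_dir/passwd"
printf '%s\n' '# constructed /etc/shells' '/bin/sh' '/bin/bash' '/bin/rbash' > "$demo_dir/shells"
for u in alice bob; do
    echo "$u: $(audit_login_shell "$u" "$demo_dir/passwd" "$demo_dir/shells")"
done
rm -rf "$demo_dir"
```

In the demo, alice is reported as changeable because her restricted shell is itself listed in the shells file, while bob's unlisted shell leaves him locked.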