The simple solution may be to simply remove execute permissions on system binaries. If you want to prevent users from compiling things or running things from directories they have write access you can create a separate partition and mount those file-systems with the noexec option.
man mount (noexec option)
Do not allow direct execution of any
binaries on the mounted file system.
(Until recently it was possible to run
binaries anyway using a command like
/lib/ld*.so /mnt/binary. This trick
fails since Linux 2.4.25 / 2.6.0.)
I believe another way to accomplish this you would need to use something like AppArmor or SELinux.
The answer to this depends on if you want a blacklist or whitelist solution.
Whitelist is actually fairly easy. Use the same approach that Ubuntu and many other distros use. Create a group for a particular program or group of programs, set the group of the executable to that and then add users to that group if you want them to be able to access it. This is how access to sudo, printers and a whole host of other things are done on Ubuntu (and other distros).
Blacklist is actually harder but that's not such a bad thing imho. Blacklist I think is inherently less secure. In fact I can't really think of a way of doing it that doesn't treat is like a pseudo-whitelist ie everyone is a member of the relevant group and you just remove those you don't want.
You can probably hack something together with standard *nix permissions and groups.
However, if you need something more than that, you probably want to google POSIX ACLs. Most (all?) major Linux filesystems support them, and they give you a lot of additional control and granularity.
If you want to give people limited shell access, take a look at rbash. It offers various limitations to the user. Also take a look at PAM's limits.conf (/etc/securit/limits.conf on Ubuntu). The third option is creating a jail/chroot environment for your users where you decide exactly what binaries and libraries they have access to.
Others have also pointed out using permissions, noexec and ACL to achieve this. Really depends on your needs, what solution is the best.
Probably not. It depends on what "certain programs" means. If a user has an interactive shell that is useful, they can install almost any software they want. But if you don't want them to be able to run a particular copy of software you have already installed, ordinary file permissions will work just fine. For example, create a group "xmmsblacklist", chmod 705 /usr/bin/xmms, chgrp xmmsblacklist /usr/bin/xmms, and add the users to that group.
The simple solution may be to simply remove execute permissions on system binaries. If you want to prevent users from compiling things or running things from directories they have write access you can create a separate partition and mount those file-systems with the noexec option.
man mount (noexec option)
I believe another way to accomplish this you would need to use something like AppArmor or SELinux.
The answer to this depends on if you want a blacklist or whitelist solution.
Whitelist is actually fairly easy. Use the same approach that Ubuntu and many other distros use. Create a group for a particular program or group of programs, set the group of the executable to that and then add users to that group if you want them to be able to access it. This is how access to sudo, printers and a whole host of other things are done on Ubuntu (and other distros).
Blacklist is actually harder but that's not such a bad thing imho. Blacklist I think is inherently less secure. In fact I can't really think of a way of doing it that doesn't treat is like a pseudo-whitelist ie everyone is a member of the relevant group and you just remove those you don't want.
Use groups and deny execute on the programs. Or are you looking for more than that?
You can probably hack something together with standard *nix permissions and groups.
However, if you need something more than that, you probably want to google POSIX ACLs. Most (all?) major Linux filesystems support them, and they give you a lot of additional control and granularity.
If you want to give people limited shell access, take a look at rbash. It offers various limitations to the user. Also take a look at PAM's limits.conf (/etc/securit/limits.conf on Ubuntu). The third option is creating a jail/chroot environment for your users where you decide exactly what binaries and libraries they have access to.
Others have also pointed out using permissions, noexec and ACL to achieve this. Really depends on your needs, what solution is the best.
Probably not. It depends on what "certain programs" means. If a user has an interactive shell that is useful, they can install almost any software they want. But if you don't want them to be able to run a particular copy of software you have already installed, ordinary file permissions will work just fine. For example, create a group "xmmsblacklist", chmod 705 /usr/bin/xmms, chgrp xmmsblacklist /usr/bin/xmms, and add the users to that group.