Chenming Zhang

Reputation: 2566

prevent bash from running user defined binary

In our cluster with PBS batch system (torque) installed, we want all the users to execute their jobs by qsub so that the CPU resources can be well managed. However, we found that users in our cluster can still run their programs directly in their bash shell.

I have noticed that some other cluster systems have restricted users from running their own binaries. Their command prompt is different from a fully privileged command prompt (starting from ~>).

qczhan2@barrine1:~>echo $0
-bash

In their configuration, users can run basic commands, like ls, pwd, cp, and 'cd' to system folders, but when users run their own binary, the system states "permission not allowed." It is also necessary to mention that if one tries to call a user-owned binary using any mpi command, it is not allowed either.

For example:

qczhan2@barrine1:~>mpiexec -n 64 ./abc.out
permission denied

where abc.out is a user-defined binary file.

I am just wondering how to configure the system to be like that?

Upvotes: 1

Views: 139

Answers (2)

Cyrus

Reputation: 88839

If you use Linux: mount filesystems where users have write permission (e.g. /home, /tmp, /var/tmp, /dev/shm) with option "noexec".

Upvotes: 1
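
An added example, not part of the answer above: a POSIX shell check that reads a mount table in /proc/mounts format and reports, for each path the answer lists, which mount point actually covers it and whether that mount carries noexec. The function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a mount table (/proc/mounts format) for user-writable
# paths that are not covered by a noexec mount.

# Paths listed in the answer above.
WRITABLE_PATHS="/home /tmp /var/tmp /dev/shm"

# Constructed sample table: /var/tmp has no mount of its own, /dev/shm lacks noexec.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
EOF
}

# check_noexec: reads a mount table on stdin, prints
# "<path> <covering mount point> <noexec|EXEC>" for each path,
# and returns 1 if any path sits on a filesystem mounted without noexec.
check_noexec() {
    awk -v paths="$WRITABLE_PATHS" '
        # Fields: device mountpoint fstype options dump pass.
        # A later line for the same mount point overrides an earlier one.
        { opts[$2] = $4 }
        END {
            bad = 0
            n = split(paths, p, " ")
            for (i = 1; i <= n; i++) {
                # The longest mount point that is the path or one of its parents
                # is the filesystem that actually holds the path.
                best = ""
                for (m in opts)
                    if (m == p[i] || m == "/" || index(p[i], m "/") == 1)
                        if (length(m) > length(best)) best = m
                if (best != "" && ("," opts[best] ",") ~ /,noexec,/) {
                    state = "noexec"
                } else {
                    state = "EXEC"; bad = 1
                }
                print p[i], best, state
            }
            exit bad
        }'
}

# Demo on the constructed table; use "check_noexec < /proc/mounts" on a live host.
sample_mounts | check_noexec || echo "at least one writable path allows execution"
```

In the sample, /var/tmp is reported against / because it has no mount of its own, so it inherits the root filesystem's options and would need a separate or bind mount to receive noexec.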

Paul Evans

Reputation: 27577

You want to change the default shell for all your users from /bin/bash to:

/bin/bash -r

so their shell becomes a restricted shell. Amongst other restrictions, the users are not allowed to cd, set or unset PATH, or issue commands containing /. This locks them into only running commands you give them access to.

Upvotes: 1
