How to set an executable white list?

1

Under Linux, is it possible to set a white-list of executables for a certain group of users? I need them to be unable to use, for example, make, gcc and executables on removable disks.
How can this be done?

Edit, let me explain better.

I'm dealing with a high school IT system, young geeks that (during the lessons) want to play, surf the net, damage those computers however they can. The major step to achieve this goal was to remove the system they're familiar with and install Ubuntu in all the computers. This actually works quite well, but recent events proved that this is not enough.
I want to allow them to execute certain safe programs, like Open Office, and to deny any other program, whether it is preinstalled software, something they carry in USB drives, a downloaded program or a script they program on site.
It's possible to remove the 'x' permission on any file on the PC, but of course it would be impractical. Furthermore, they would be able to run anything they download.
I thought the best solution would be to make a white-list of safe programs and to deny anything else, but I don't really know how to do it. Any idea is helpful.

izabera

Posted 2012-07-03T14:53:08.397

Reputation: 13

What are "removable supports"? – Fran – 2012-07-03T15:03:56.017

USB keys or storage devices users can plug in – izabera – 2012-07-03T15:09:43.907

Answers

0

Remove the OTHER permissions from the files in /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin (etc., ad nauseam!)

Since their user isn't in the root group, they cannot run any programs.

To allow certain programs, set the OTHER permissions to r-x (5)... this will allow them to use that program.

You can also create a group and add certain users to this group. Changing the group of the program in question would allow access to THOSE users only. This would allow a more privileged set of students more leeway.

Of course, if, after ALL this... a few can still get online and do whatever... commend them! Congratulate them! Because they still know how to think and work things out.

I don't recommend a carte blanche chmod of ALL the programs... you still need them to be able to log in, start the GUI and whatnot.

This really only raises the bar, as I can think of several ways to get around this. (But then again, I'm a bit farther down the learning path, I think.)

lornix

Posted 2012-07-03T14:53:08.397

Reputation: 9 633

Is there a way to block execution of everything from a removable drive? – Mnebuerquo – 2014-09-27T22:59:42.780

Thanks for your answer. I would vote it up, but I've not enough reputation yet – izabera – 2012-07-06T20:22:45.090
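
One way to apply the permission scheme from lornix's answer to a single directory, as an added example that is not part of the thread. The function name `apply_allowlist`, the allow-list file format (one program basename per line) and the optional group argument are assumptions; symlinks and setuid/setgid files are left untouched.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed names: apply_allowlist, $d.allow.
# Usage: apply_allowlist DIR ALLOWLIST [GROUP]
#   DIR        directory of programs; try a scratch copy before a real bin dir
#   ALLOWLIST  file with one program basename per line
#   GROUP      optional group that keeps r-x on programs not in ALLOWLIST
# Prints the number of programs that "other" users can no longer run.
apply_allowlist() {
    dir=$1; list=$2; group=${3:-}
    if [ ! -d "$dir" ] || [ ! -r "$list" ]; then
        echo "usage: apply_allowlist DIR ALLOWLIST [GROUP]" >&2
        return 2
    fi
    locked=0
    for f in "$dir"/*; do
        # chmod follows symlinks, so touch only real regular files.
        if [ -L "$f" ] || [ ! -f "$f" ]; then continue; fi
        # Leave setuid/setgid programs alone: their owner, group and mode
        # are deliberate, and changing them can break the program.
        if [ -u "$f" ] || [ -g "$f" ]; then
            echo "skipped (setuid/setgid): $f" >&2
            continue
        fi
        if grep -qxF -- "${f##*/}" "$list"; then
            chmod o=rx "$f"                 # allowed: OTHER gets r-x (5)
        else
            if [ -n "$group" ]; then        # privileged group keeps access
                chgrp "$group" "$f" && chmod g=rx "$f"
            fi
            chmod o= "$f"                   # everyone else: no access
            locked=$((locked + 1))
        fi
    done
    echo "$locked"
}

# Constructed demo on a throwaway directory: sh thisfile --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    for p in soffice gcc make; do
        printf '#!/bin/sh\n' >"$d/$p"; chmod 755 "$d/$p"
    done
    printf 'soffice\n' >"$d.allow"
    apply_allowlist "$d" "$d.allow" "$(id -gn)"
    ls -l "$d"
    rm -rf "$d" "$d.allow"
fi
```

Run it against a scratch copy of a directory first: as the answer says, logging in and starting the GUI depend on programs in these directories.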

0

I don't clearly understand what you mean, but if you would like to allow users from a specific group to run certain commands, then it can be done like this in /etc/sudoers:

%dev user=(root)NOPASSWD:/usr/bin/make, /usr/bin/gcc

defhlt

Posted 2012-07-03T14:53:08.397

Reputation: 900

That only works if they are using the sudo command. – lornix – 2012-07-06T06:48:42.857