Preventing users from running certain programs

Is it possible to prevent users from running certain programs on their Linux computers? Is there a whitelist method? A blacklist?

The simple solution may be to simply remove execute permissions on system binaries. If you want to prevent users from compiling things or running things from directories they have write access you can create a separate partition and mount those file-systems with the noexec option.

man mount (noexec option)

Do not allow direct execution of any binaries on the mounted file system. (Until recently it was possible to run binaries anyway using a command like /lib/ld*.so /mnt/binary. This trick fails since Linux 2.4.25 / 2.6.0.)

I believe another way to accomplish this you would need to use something like AppArmor or SELinux.

The answer to this depends on if you want a blacklist or whitelist solution.

Whitelist is actually fairly easy. Use the same approach that Ubuntu and many other distros use. Create a group for a particular program or group of programs, set the group of the executable to that and then add users to that group if you want them to be able to access it. This is how access to sudo, printers and a whole host of other things are done on Ubuntu (and other distros).

Blacklist is actually harder but that's not such a bad thing imho. Blacklist I think is inherently less secure. In fact I can't really think of a way of doing it that doesn't treat is like a pseudo-whitelist ie everyone is a member of the relevant group and you just remove those you don't want.