mdklatt / httpexec

Execute CLI commands over HTTP via a REST API.
MIT License
0 stars 0 forks

Allow multiple values for EXEC_ROOT #9

Open mdklatt opened 1 year ago

mdklatt commented 1 year ago

Remote execution is a major security concern, and the purpose of EXEC_ROOT is to limit access to a single directory hierarchy. However, limiting this directive to a single value may encourage overly-broad access. For example, to allow access to both /usr/local/bin/foo and ~/bin/bar, EXEC_ROOT = "/" is required, which is dangerously insecure. A workaround would be to use a symlink (e.g. ln -s /usr/local/bin/foo ~/bin/foo) and enable FOLLOW_LINKS, but this is also less secure.

EXEC_ROOT should also accept an array of root directories, e.g. EXEC_ROOT = ["/usr/local/bin", "~/bin"].

There also needs to be more fine-grained access control, such as a list of allowed commands.

mdklatt commented 1 year ago

There is a workaround for fine-grained access: Create a directory containing only links to allowed commands, and use that as EXEC_ROOT (FOLLOW_LINKS must be enabled). Maybe this is sufficient?
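The two comments above describe three access-control shapes: a multi-valued EXEC_ROOT, a FOLLOW_LINKS switch, and a directory of symlinks that acts as an allow-list. The following is an added example (not code from the httpexec project; `resolve_command`, `build_fixture` and the directory names are hypothetical) of the path-containment check a server would need to make those shapes safe. It shows why the lexical check and the symlink check are separate decisions: `..` escapes are caught by normalizing the path and checking it stays under a root, while a link that points outside a root is only caught when FOLLOW_LINKS is off. The sample directory tree is constructed in a temporary directory so the script runs offline.

```python
"""Resolve a requested command against several EXEC_ROOT directories.

Added example, not httpexec's own code. Function and directory names are
hypothetical; the layout built by build_fixture() is constructed sample data.
"""
import os
import stat
import tempfile
from pathlib import Path


def resolve_command(command, exec_roots, follow_links=False):
    """Return the path a request may execute, or None if it is rejected.

    command      -- an absolute path, or a bare name looked up under each root in order
    exec_roots   -- EXEC_ROOT as a list of directories; "~" is expanded
    follow_links -- FOLLOW_LINKS: when False, no symlink may appear anywhere
                    between a root and the executable (directory or leaf)
    """
    roots = [os.path.abspath(os.path.expanduser(r)) for r in exec_roots]
    if os.path.isabs(command):
        candidates = [command]
    else:
        candidates = [os.path.join(r, command) for r in roots]

    for candidate in candidates:
        path = os.path.normpath(candidate)  # collapses "..", does not resolve links
        for root in roots:
            # Lexical containment: rejects <root>/../../etc/passwd-style escapes
            if os.path.commonpath([root, path]) != root:
                continue
            if not follow_links:
                # realpath() resolves every symlink; if the result differs from the
                # literal path, some component below the root is a link. The root
                # itself is passed through realpath() so a symlinked root directory
                # (e.g. a tmpdir that lives behind a link) does not trip the check.
                expected = os.path.join(os.path.realpath(root), os.path.relpath(path, root))
                if os.path.realpath(path) != os.path.normpath(expected):
                    return None
            if os.path.isfile(path) and os.access(path, os.X_OK):
                return path
    return None


def build_fixture():
    """Constructed sample layout in a fresh temporary directory (not real system paths):

        usr_local_bin/foo                       executable
        home_bin/bar                            executable
        home_bin/foo -> ../usr_local_bin/foo    the symlink workaround from the issue
        secret/dangerous                        executable outside every root
        links/bar -> ../home_bin/bar            link-only directory used as an allow-list
    """
    tmp = Path(tempfile.mkdtemp(prefix="httpexec-example-"))
    for rel in ("usr_local_bin/foo", "home_bin/bar", "secret/dangerous"):
        p = tmp / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("#!/bin/sh\necho $0\n")
        p.chmod(p.stat().st_mode | stat.S_IXUSR)
    (tmp / "home_bin" / "foo").symlink_to("../usr_local_bin/foo")
    (tmp / "links").mkdir()
    (tmp / "links" / "bar").symlink_to("../home_bin/bar")
    return tmp


if __name__ == "__main__":
    tmp = build_fixture()
    roots = [str(tmp / "usr_local_bin"), str(tmp / "home_bin")]
    requests = [
        ("foo", roots, False),                                   # found under first root
        (str(tmp / "home_bin" / "foo"), roots, False),           # symlink, rejected
        (str(tmp / "home_bin" / "foo"), roots, True),            # symlink, FOLLOW_LINKS on
        (str(tmp / "home_bin" / ".." / "secret" / "dangerous"), roots, False),  # escape
        ("bar", [str(tmp / "links")], True),                     # link-only allow-list dir
        ("foo", [str(tmp / "links")], True),                     # not in the allow-list
    ]
    for cmd, r, fl in requests:
        print(f"{cmd} (follow_links={fl}) -> {resolve_command(cmd, r, follow_links=fl)}")
```

The link-directory case is the second comment's workaround: with EXEC_ROOT pointing at `links/` and FOLLOW_LINKS on, exactly the commands that have a link there are reachable. The caveat the first comment raises still applies: anyone who can write to that directory can add a link to any executable on the system, so the directory has to be owned and writable by an account the HTTP client cannot influence.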