Question: How to prevent a given user from being able to run a specific command.
This technique uses a filesystem access control list (ACL) to prevent unwanted access.
The example below prevents user john from creating any directories via the mkdir command. The steps are:
1. Find the absolute path to the command to be controlled:
# which mkdir
/bin/mkdir
2. Display the current ACL for that program:
# getfacl /bin/mkdir
# file: bin/mkdir
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
The user, group, and other entries correspond to the traditional file access permissions managed by the chmod command.
3. Add an access control rule for the user john:
# /bin/setfacl -m u:john:--- /bin/mkdir
4. View the updated access control:
# getfacl /bin/mkdir
getfacl: Removing leading '/' from absolute path names
# file: bin/mkdir
# owner: root
# group: root
user::rwx
user:john:---
group::r-x
mask::rwx
other::r-x
5. Test the setting:
# su - john
$ mkdir
-bash: /bin/mkdir: Permission denied
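The five steps above, wrapped into a small POSIX shell script that resolves the command, applies the deny entry and then re-reads the ACL to confirm it took effect. This is an added example, not part of the original answer: the function names (resolve_cmd, acl_denies_user, deny_user_exec) are this example's own, it assumes the acl package (getfacl/setfacl) on an ACL-capable filesystem, and the apply step has to run as root. It follows symlinks before setting the ACL because on merged-/usr systems /bin is a link to /usr/bin and the entry needs to land on the real binary. The getfacl output used for the offline check is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original page): deny one user execute access
# to one command with a POSIX ACL, then verify the entry is present.
# Assumes: getfacl/setfacl installed, ACL-capable filesystem, root for apply.

# Resolve a command name to the real binary, following symlinks so that the
# ACL is placed on the target rather than on a /bin -> /usr/bin link.
resolve_cmd() {
    path=$(command -v "$1") || return 1
    readlink -f "$path"
}

# Read getfacl output on stdin; succeed when it carries an entry that gives
# the named user no permissions at all (user:NAME:---).
acl_denies_user() {
    grep -q "^user:$1:---$"
}

# Apply the deny entry (step 3) and re-read the ACL (step 4) to confirm it.
deny_user_exec() {
    user=$1
    bin=$(resolve_cmd "$2") || { echo "no such command: $2" >&2; return 1; }
    setfacl -m "u:$user:---" "$bin" || return 1
    # -p / --absolute-names keeps the leading slash in the "# file:" line.
    getfacl --absolute-names "$bin" 2>/dev/null | acl_denies_user "$user"
}

# Constructed sample of getfacl output after step 3 (hypothetical host).
SAMPLE_ACL='# file: /usr/bin/mkdir
# owner: root
# group: root
user::rwx
user:john:---
group::r-x
mask::rwx
other::r-x'

# Usage: run as root with "<user> <command>" to apply the rule for real;
# with no arguments it only checks the constructed sample offline.
if [ "$(id -u)" -eq 0 ] && [ -n "$1" ] && [ -n "$2" ]; then
    deny_user_exec "$1" "$2" && echo "ACL applied to $(resolve_cmd "$2")"
else
    printf '%s\n' "$SAMPLE_ACL" | acl_denies_user john && echo "sample ACL denies john"
fi
```

Run it as `sudo sh deny_exec.sh john mkdir` to reproduce steps 1 to 4; step 5 (su to the user and try the command) is left to the operator, since the script cannot see the shell's "Permission denied" from inside.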
Consider adding an execution watch on the binary with the auditctl tool, so that attempts to run it are logged as well as blocked.