• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer navigation

The Geek Diary

  • OS
    • Linux
    • CentOS/RHEL
    • Solaris
    • Oracle Linux
    • VCS
  • Interview Questions
  • Database
    • oracle
    • oracle 12c
    • ASM
    • mysql
    • MariaDB
  • DevOps
    • Docker
    • Shell Scripting
  • Big Data
    • Hadoop
    • Cloudera
    • Hortonworks HDP

How to disable a specific command for a specific user in Linux

by admin

Question: How to prevent a given user from being able to run a specific command.

This technique uses a filesystem access control list (ACL) to prevent unwanted access.

Caution: The sudo facility is not suitable for this purpose. In particular, “subtracting” an executable from the allowed ALL preset does not work as expected.

The example below prevents user john from creating any directories via the mkdir command. The steps are:

1. Find the absolute path to the command to be controlled:

# which mkdir
/bin/mkdir

2. Display the current ACL for that program:

# getfacl /bin/mkdir
# file: bin/mkdir
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

The user, group, and other entries correspond to the traditional file access permissions managed by the chmod command.

3. Add an access control rule for the user john:

# /bin/setfacl -m u:john:--- /bin/mkdir

4. View the updated access control:

# getfacl /bin/mkdir
getfacl: Removing leading '/' from absolute path names
# file: bin/mkdir
# owner: root
# group: root
user::rwx
user:john:---
group::r-x
mask::rwx
other::r-x

5. Test the setting:

# su - john
$ mkdir
-bash: /bin/mkdir: Permission denied

Consider adding an execution watch using the auditctl tool to augment this protection.

How to audit all Commands run on OEL 5,6 using auditd

Filed Under: Linux

Some more articles you might also be interested in …

  1. how to rotate Tang Server Keys and update the Clevis Client
  2. How to Trace Python Scripts using trace.py
  3. CentOS / RHEL : How to collect sosreport
  4. A File Is Claimed to Be Disappearing – How to monitor a file for deletion in Linux
  5. echo Command Examples in Linux
  6. How to move /tmp on a separate disk as a separate mount point (Online)
  7. Nginx load balancing
  8. How To Calculate The Memory Reserved By HugePages in CentOS/RHEL
  9. How to find which rpm package provides a specific file or library in RHEL / CentOS
  10. How to Create, restore, and delete snapshots of virtual machine images in RedHat Virtualization

You May Also Like

Primary Sidebar

Recent Posts

  • JavaFX ComboBox: Set a value to the combo box
  • Nginx load balancing
  • nginx 504 gateway time-out
  • Images preview with ngx_http_image_filter_module

© 2022 · The Geek Diary

  • Archives
  • Contact Us
  • Copyright