
The Geek Diary

How to disable a specific command for a specific user in Linux

By admin

Question: How to prevent a given user from being able to run a specific command.

This technique uses a filesystem access control list (ACL) to prevent unwanted access.

Caution: The sudo facility is not suitable for this purpose. In particular, “subtracting” an executable from the allowed ALL preset does not work as expected.

The example below prevents user john from creating any directories via the mkdir command. The steps are:

1. Find the absolute path to the command to be controlled:

# which mkdir
/bin/mkdir

2. Display the current ACL for that program:

# getfacl /bin/mkdir
# file: bin/mkdir
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

The user, group, and other entries correspond to the traditional file access permissions managed by the chmod command.

3. Add an access control rule for the user john:

# /bin/setfacl -m u:john:--- /bin/mkdir

4. View the updated access control:

# getfacl /bin/mkdir
getfacl: Removing leading '/' from absolute path names
# file: bin/mkdir
# owner: root
# group: root
user::rwx
user:john:---
group::r-x
mask::rwx
other::r-x

5. Test the setting:

# su - john
$ mkdir
-bash: /bin/mkdir: Permission denied

Consider adding an execution watch using the auditctl tool to augment this protection.
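
The test in step 5 can also run unattended, which matters because a package update that replaces the binary can silently drop the ACL entry. The script below is an added example, not part of the original article; the function names and the script name check_acl.sh are hypothetical, and the sample data is the getfacl output from steps 2 and 4.

```shell
#!/bin/sh
# Added example (not from the original article). Function names are hypothetical.
#
# user_exec_denied USER   (reads `getfacl` output on stdin)
#   exit 0: USER has a named-user ACL entry without effective execute permission
#   exit 1: no such entry, or the entry still grants execute
# A named-user entry is evaluated before the group and other entries, which is
# why user:john:--- blocks john even though other::r-x allows execution.
user_exec_denied() {
    awk -F: -v u="$1" '
        /^#/ || NF < 3 { next }                  # skip "# file:" headers, blanks
        { sub(/[ \t]*#.*/, "", $3) }             # drop "#effective:..." notes
        $1 == "mask" { mask = $3 }
        $1 == "user" && $2 == u { perm = $3; found = 1 }
        END {
            if (!found) exit 1
            x = substr(perm, 3, 1)
            # the mask caps what a named-user entry can grant
            if (mask != "" && substr(mask, 3, 1) != "x") x = "-"
            exit (x == "x" ? 1 : 0)
        }'
}

# getfacl output from steps 2 and 4 of the article (owner/group headers omitted)
acl_step2() { printf '%s\n' '# file: bin/mkdir' 'user::rwx' 'group::r-x' 'other::r-x'; }
acl_step4() { printf '%s\n' '# file: bin/mkdir' 'user::rwx' 'user:john:---' \
                            'group::r-x' 'mask::rwx' 'other::r-x'; }

# check_live USER /abs/path: the same test against the real file
check_live() { getfacl "$2" 2>/dev/null | user_exec_denied "$1"; }

# Run as: sh check_acl.sh john /bin/mkdir   (for example from cron)
if [ "$#" -eq 2 ]; then
    if check_live "$1" "$2"; then
        echo "OK: $1 cannot execute $2"
    else
        echo "WARN: deny ACL for $1 missing on $2" >&2
        exit 1
    fi
fi
```

A non-zero exit status means the entry has to be reapplied with the setfacl command from step 3.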

How to audit all Commands run on OEL 5,6 using auditd

© 2021 · The Geek Diary