Linux / UNIX: Restrict Access To A Given Command

October 3, 2009 · 5 comments · LAST UPDATED October 3, 2009


How do I restrict access to a given command, for instance /opt/apps/start, to authorized users only under Linux / UNIX / BSD operating systems?

You can use the traditional Unix group concept to enforce this: put the authorized users in a group, give that group ownership of the command, and remove all permissions for everyone else.

Step # 1: Create and Maintain a Group For All Authorized Users

Create a group named appsonly:
# groupadd appsonly
Add all authorized users to appsonly:
# usermod -aG {groupName} {userName}
# usermod -aG appsonly tom
# usermod -aG appsonly jerry
# id jerry

Where,

  1. -a : Add the user to the supplementary group(s), i.e. append the group to the user's current supplementary group list instead of replacing it.
  2. -G : The list of supplementary groups the user is also a member of.

Step #2: Restrict Access

Now that the group has been created and populated, use the chgrp command to change the group of /opt/apps/start to the appsonly group:
# chgrp {groupName} {/path/to/command}
# chgrp appsonly /opt/apps/start

Disable the file permission for others

Finally, use the chmod command to change file permission as follows:
# chmod 750 /path/to/command
# chmod 750 /opt/apps/start

You can also apply permissions to the directory (this denies others the ability to list it with the ls command):
# chgrp appsonly /opt/apps
# chmod 0640 /opt/apps

Step # 3: Test It

su to tom, enter:
# su - tom
$ id
$ /opt/apps/start
$ exit

su to vivek (not a member of appsonly group), enter:
# su - vivek
$ id
$ /opt/apps/start

Sample outputs:

bash: /opt/apps/start: Permission denied
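As an added example that is not part of the original article, the following POSIX sh script models the discretionary access check a non-root user goes through when running /opt/apps/start: the user is classed as owner, group member or other for the directory and for the file, and both the directory's search (x) bit and the command's execute bit must be granted to that class. It uses the article's names (tom, vivek, appsonly, /opt/apps), assumes root owns both objects, and shows why a directory mode without group x (such as 0640) denies group members even when the command itself is 750.

```shell
#!/bin/sh
# Added example (not from the article): model of the Unix DAC check a
# non-root user goes through when executing /opt/apps/start. Root is
# not modelled (CAP_DAC_OVERRIDE bypasses these bits). Modes are
# octal strings as typed on the chmod command line.

# perm_class OWNER GROUP USER "USER_GROUPS": print which permission
# triplet applies to USER: owner, group or other.
perm_class() {
  if [ "$3" = "$1" ]; then echo owner; return; fi
  for g in $4; do                 # unquoted on purpose: split on spaces
    if [ "$g" = "$2" ]; then echo group; return; fi
  done
  echo other
}

# bit_set MODE CLASS BIT: succeed if octal MODE grants BIT (r=4 w=2 x=1)
# to CLASS. A leading digit such as the 0 in 0640 is ignored.
bit_set() {
  mode=${1#"${1%???}"}            # keep only the last three octal digits
  case $2 in
    owner) digit=${mode%??} ;;
    group) digit=${mode#?}; digit=${digit%?} ;;
    *)     digit=${mode#??} ;;
  esac
  [ $(( $digit & $3 )) -ne 0 ]
}

# can_exec USER "USER_GROUPS" DIR_MODE DIR_OWNER DIR_GROUP FILE_MODE FILE_OWNER FILE_GROUP
# The directory must be searchable (x) for USER's class before the
# command's own x bit is even consulted.
can_exec() {
  cls=$(perm_class "$4" "$5" "$1" "$2")
  bit_set "$3" "$cls" 1 || return 1
  cls=$(perm_class "$7" "$8" "$1" "$2")
  bit_set "$6" "$cls" 1
}

# Directory 0640 (no group x) with the command at 750: tom is denied at /opt/apps
can_exec tom "tom appsonly" 0640 root appsonly 750 root appsonly && echo "tom: allowed" || echo "tom: denied"
# Directory 0750: the group can search it, so tom reaches the 750 command
can_exec tom "tom appsonly" 0750 root appsonly 750 root appsonly && echo "tom: allowed" || echo "tom: denied"
# vivek is neither root nor a member of appsonly: denied by the 'other' bits
can_exec vivek "vivek" 0750 root appsonly 750 root appsonly && echo "vivek: allowed" || echo "vivek: denied"
```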

A Note About ACL and SELinux

The access control policies that can be enforced with the chmod, chgrp, and usermod commands are limited; for large deployments, configuring SELinux and file system ACLs (access control lists) is a better and recommended option.

Recommended reading:

  • man pages for chgrp, groupadd, useradd, usermod, passwd, and the group file.

5 comments

1 rosgos October 4, 2009 at 10:30 am

In this case, root (or a user who is not restricted) must be the owner of /opt/apps/start.
Another method would be to permit access only to the group:

# chmod 050 /opt/apps/start

# chgrp appsonly /opt/apps
# chmod 040 /opt/apps

Albert.

Reply

2 name October 5, 2009 at 10:59 am

Can we also do the same using “SUDOERRS” file under /etc

Reply

3 Cody July 26, 2014 at 12:14 pm

Yes. In fact, you can even specify the EXACT command, and that includes the arguments allowed. I.e., if you only want them to do one command you can restrict them to this. It is sudoers (note you had two r’s) by the way and it is in lowercase (Unix and therefore Linux IS case sensitive). Of course you can use the other features too. BUT – and this is IMPORTANT – the difference is sudo is for running a command as another user. So it applies, but only depending on what you’re after. So if you want user cody and user name to be able to run commands as themselves, then do something more like the article (I’m not going to get in to any other technical things on the article). Think of sudo as ‘su -c’ only more restrictive (for an easy if not too simplistic description).

Reply

4 yahya October 8, 2009 at 4:14 pm

How can I view the number of open files in Unix?

Reply

5 rosgos October 9, 2009 at 7:08 am

sudo lsof | wc -l ….. but it isn’t the question of this post

Reply
