
Linux / UNIX: Restrict Access To A Given Command

How do I restrict access to a given command, for instance /opt/apps/start, to authorized users only under Linux / UNIX / BSD operating systems?

You can use the traditional Unix group concept to enforce this: make the command owned by a dedicated group, and strip the permission bits for everyone else.

Step # 1: Create and Maintain a Group For All Authorized Users

Create a group named appsonly:
# groupadd appsonly
Add all authorized users to appsonly:
# usermod -aG {groupName} {userName}
# usermod -aG appsonly tom
# usermod -aG appsonly jerry
# id jerry

Where,

  1. -a : Add the user to the supplemental group(s) i.e. appends the user to the current supplementary group list.
  2. -G : A list of supplementary groups which the user is also a member of.

Step #2: Restrict Access

Now that the group exists, use the chgrp command to change the group of /opt/apps/start to appsonly:
# chgrp {groupName} {/path/to/command}
# chgrp appsonly /opt/apps/start

Disable the file permission for others

Finally, use the chmod command to change file permission as follows:
# chmod 750 /path/to/command
# chmod 750 /opt/apps/start

You can also apply permissions to the directory (this will disable ls command access to others). Group members still need the execute (search) bit on the directory to reach /opt/apps/start, so use 0750 rather than 0640:
# chgrp appsonly /opt/apps
# chmod 0750 /opt/apps

Step # 3: Test It

su to tom, enter:
# su - tom
$ id
$ /opt/apps/start
$ exit

su to vivek (not a member of appsonly group), enter:
# su - vivek
$ id
$ /opt/apps/start

Sample outputs:

bash: /opt/apps/start: Permission denied
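As an added example (not part of the original article), a small Python audit that checks a command set up with the three steps above: group ownership, mode 750 on the file, and, the part that is easy to miss, search permission for the group on every directory from the command up to a chosen top. It takes the numeric gid (grp.getgrnam("appsonly").gr_gid on a real system); the sample layout it builds in a temporary directory is constructed here and stands in for /opt/apps/start.

```python
import os
import stat
import tempfile


def audit_restricted_command(path, gid, top="/"):
    """Return findings ([] = OK) for a command that only group `gid` may run
    (the chgrp + chmod 750 recipe). Directories from the parent up to `top`
    are checked too: a member needs search (x) on each one to reach the file."""
    findings = []
    path = os.path.abspath(path)
    d = os.path.dirname(path)
    while True:
        dst = os.stat(d)
        dmode = stat.S_IMODE(dst.st_mode)
        via_group = dst.st_gid == gid and dmode & stat.S_IXGRP
        if not (via_group or dmode & stat.S_IXOTH):
            findings.append(f"{d}: mode {dmode:04o} blocks group members from entering")
        if d in (os.path.abspath(top), os.path.dirname(d)):
            break
        d = os.path.dirname(d)
    try:
        st = os.stat(path)
    except PermissionError:  # a directory above locks out the auditor as well
        return findings + [f"{path}: cannot stat, a parent directory denies search"]
    mode = stat.S_IMODE(st.st_mode)
    if st.st_gid != gid:
        findings.append(f"{path}: owned by gid {st.st_gid}, expected gid {gid}")
    if mode & stat.S_IRWXO:
        findings.append(f"{path}: mode {mode:04o} grants access to others")
    if not mode & stat.S_IXGRP:
        findings.append(f"{path}: mode {mode:04o} gives the group no execute bit")
    if mode & stat.S_IWGRP:
        findings.append(f"{path}: mode {mode:04o} lets the group replace the binary")
    return findings


def audit_sample_layout(dir_mode):
    """Constructed sample: <tmp>/apps/start at 750 like /opt/apps/start, apps/ at `dir_mode`."""
    with tempfile.TemporaryDirectory() as tmp:
        apps = os.path.join(tmp, "apps")
        start = os.path.join(apps, "start")
        os.mkdir(apps)
        open(start, "w").close()
        os.chmod(start, 0o750)
        os.chmod(apps, dir_mode)
        gid = os.stat(apps).st_gid  # whichever group the new directory received
        findings = audit_restricted_command(start, gid, top=apps)
        os.chmod(apps, 0o750)  # restore search permission so cleanup succeeds
        return findings
```

Running audit_sample_layout(0o640) reproduces the "Permission denied" a group member would get when the directory lacks the group execute bit, while 0o750 passes cleanly.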

A Note About ACL and SELinux

The access control policies that chmod, chgrp, and usermod can enforce are limited; configuring SELinux and file system ACLs (access control lists) is a better and recommended option for large deployments.

Recommended reading:

  • man page chgrp, groupadd, useradd, usermod, passwd, and group file.


  • rosgos October 4, 2009, 10:30 am

    In this case, root (or a user not restricted) must be the owner of /opt/apps/start.
    Other method would be only permitting access to group:

    # chmod 050 /opt/apps/start

    # chgrp appsonly /opt/apps
    # chmod 040 /opt/apps

    Albert.

  • name October 5, 2009, 10:59 am

    Can we also do the same using the “SUDOERRS” file under /etc?

    • Cody July 26, 2014, 12:14 pm

      Yes. In fact, you can even specify the EXACT command and that includes the arguments allowed. I.e., if you only want them to do one command you can restrict them to this. It is sudoers (note you had two r’s) by the way and it is in lowercase (Unix and therefore Linux IS case sensitive). Of course you use the other features too. BUT – and this is IMPORTANT – the difference is sudo is for running a command as another user. So it applies but only depending on what you’re after. So if you want user cody and user name to be able to run commands as themselves, then do something more like the article (I’m not going to get in to any other technical things on the article). Think of sudo as ‘su -c’ only more restrictive (for an easy if not too simplistic description).

  • yahya October 8, 2009, 4:14 pm

    how can i view the number of open files in unix?

  • rosgos October 9, 2009, 7:08 am

    sudo lsof | wc -l ….. but it isn’t the question of this post

  • andriani octavianti October 27, 2014, 11:12 am

    i’ve done all those things but when i tested it using a user who is a group member…it failed with a segmentation fault (core dumped)

    can anyone tell me why?
    thank you

    • Cody October 30, 2014, 4:02 pm

      SIGSEGV (signal segmentation violation, i.e., segfault) is sent to a process when it accesses a location outside of its address space (although there are ways to make it happen in your address space as well as sending it to the process in the source code but those aren’t the norm). Once the signal is received, in normal circumstances it will abort but as it does (as long as limits allow it, see ulimit -c) it will drop what is known as a core which is an image of the process at the time of the crash (stack, registers, variables, everything). You would have to do the following to get more help (but see note below too, this isn’t really the place for it I’m afraid):

      – What command and what args did you pass it ?

      If you do not know what a core dump is, however, and it is not a known bug in the program (often isn’t but sometimes is) then you would have to have someone help you (which again, this is not the place to do it, although I certainly know how) or better yet go through the process of reporting it as a bug (following their information on how to report it – simply informing them there was a segfault is not going to help them one bit and in fact would annoy them at best… especially as it isn’t always because of the program in question – I’ll skip the details because the point is the same: you need to give them more info than “it crashed”).

      But that is what a segfault is.

      • andriani octavianti October 30, 2014, 5:13 pm

        here’s the case…
        in 1 server…i made 1 user to which i restored some binaries.
        and those binaries are supposed to be executed by that user (user ex. “stg”) only.

        but then i made another user named “mon”.
        the purpose on creating that “mon” user is to be able to execute one of the binary owned by “stg”.

        i’ve tried to change “mon”‘s group into “stg”‘s group…so that they are in the same group.
        but even after that…when i try to execute the specified binary…it showed an error…”segmentation fault (core dumped)”.

        i’m just guessing (after some searching, actually)…that it happened because the “mon” user was trying to access another user’s file/directory.
        but..should it be okay to access/execute if they are in the same group?

        please do correct me if i’m wrong..
        thank you…

        and by the way…thank you for your reply and explanations

        • Cody October 30, 2014, 5:21 pm

          That would simply give the error code EACCES (yes, one S) which is to say permission denied (various reasons for this). So no, it shouldn’t be that. But seeing as how you don’t even mention the program name it is kind of hard to know. Best bet – because again this isn’t support forum – is to go to the developer and give the most accurate explanation you can (which includes the exact steps to reproduce) and I’m afraid they’ll likely want the backtrace of the coredump (either they have the steps or you’ll have to look it up… that is what I was referring to.. I know how but I’m a long time programmer… but it is very useful in solving crashes for the reasons I also gave). In the end there isn’t much anyone here can do beyond that.

          And you’re very welcome for the explanation.

          • andriani octavianti October 30, 2014, 5:43 pm

            hehehehe….this is my former boss’ program (i emailed him too about this error)…that’s why i can’t say much.
            i can do the debugging and backtrace if the error occurred when i execute it from the “stg” user…coz it’s the proper user to execute it.

            main user : stg
            main group : stg
            stg have folder : bin
            inside directory bin : start
            >> /home/stg/bin/start

            2nd user : mon
            2nd group : stg
            purpose : user stg wants to be able to execute binary “start” on stg’s bin directory
            >> /home/mon/bin

            but…it should be okay to access another directory or execute another binary if the users are in the same group, right?

            let me try to give some raw descriptions…

            btw…i tried your step by step in this page…but on the 3rd step..nothing happened…

            thank you soo very very much in advance (even for reading my confusing explanations)

            • Cody October 30, 2014, 6:03 pm

              First, I’ll make this the last response because it really isn’t a support forum and, given that it is (seemingly) a proprietary program, there isn’t any way for us to debug it (and again: no support forum). Second, I didn’t write the article here. Third, the group would need execute permission (and keep in mind directory permissions too). Fourth, if it “is the user” then it is likely something else. There is a problem in the program somewhere and that is that (just like faulty RAM can make it seem like programs have bugs in it, so too can a program that is writing out of its address space. When you are corrupting memory what seems to be the case is not guaranteed to be true). Aside that I can only offer:
              man chmod
              man chown
              man chdir
              … read it, understand permissions (execute, read for both regular files and directories) and then you can continue (but not here). Again, you need to go to the person responsible for the crash and no-one here is. I’ll leave you one last bit of advice (or a point) from personal experience over many years: debugging is an art form. It isn’t a science… it is an art. And while you can master it you can get better and better but unless you have the background you won’t get far. The last bit applies elsewhere. That is why I refer you to the man pages to understand permissions. Correspond with the author of the program because that’s the only way to fix it. The discussion will not solve it and it is only littering the comments (and that is putting it nicely).

              Good luck and sorry but that is all I can offer. I already went too far off the point of this article – I only really meant to explain what a segfault is so you could actually go forward (and nothing else). But it isn’t the setup in this article that is the problem (even if it seems like it to you).
