Linux / UNIX: Restrict Access To A Given Command

October 3, 2009 · 11 comments · LAST UPDATED October 3, 2009


How do I restrict access to a given command, for instance /opt/apps/start, to authorized users only under a Linux / UNIX / BSD operating system?

Use the traditional Unix group concept: put the authorized users in a dedicated group, make the command owned by that group, and remove all permissions for everyone else.

Step # 1: Create and Maintain a Group For All Authorized Users

Create a group named appsonly:
# groupadd appsonly
Add all authorized users to appsonly:
# usermod -aG {groupName} {userName}
# usermod -aG appsonly tom
# usermod -aG appsonly jerry
# id jerry

Where,

  1. -a : Add the user to the supplemental group(s) i.e. appends the user to the current supplementary group list.
  2. -G : A list of supplementary groups which the user is also a member of.

Step #2: Restrict Access

Now that the group of authorized users exists, use the chgrp command to change the group of /opt/apps/start to the appsonly group:
# chgrp {groupName} {/path/to/command}
# chgrp appsonly /opt/apps/start

Disable the file permission for others

Finally, use the chmod command to change file permission as follows:
# chmod 750 /path/to/command
# chmod 750 /opt/apps/start

You can also apply permissions to the directory (this stops others from listing it with ls). Keep the execute (search) bit set for the group, otherwise members of appsonly cannot reach the command inside the directory:
# chgrp appsonly /opt/apps
# chmod 0750 /opt/apps

Step # 3: Test It

su to tom, enter:
# su - tom
$ id
$ /opt/apps/start
$ exit

su to vivek (not a member of appsonly group), enter:
# su - vivek
$ id
$ /opt/apps/start

Sample outputs:

bash: /opt/apps/start: Permission denied
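The check the kernel performs in step 3 can be modelled offline. The following is an added example, not part of the original article: it applies the classic owner/group/other decision to every path component, using constructed uids and gids for root, tom, jerry, vivek and the appsonly group, and also shows what happens when the /opt/apps directory lacks the group search bit.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Node:
    """One path component: owner uid, group gid and permission bits (e.g. 0o750)."""
    path: str
    uid: int
    gid: int
    mode: int

# Constructed ids: tom and jerry were added to appsonly with usermod -aG, vivek was not.
UID = {"root": 0, "tom": 1001, "jerry": 1002, "vivek": 1003}
APPSONLY = 2001
GROUPS = {"root": {0}, "tom": {APPSONLY}, "jerry": {APPSONLY}, "vivek": set()}

X_BIT = 0o1  # execute on a file, search on a directory

def allowed(node: Node, uid: int, gids: set, bit: int = X_BIT) -> bool:
    """Classic DAC check: exactly one class applies, owner before group before other."""
    if uid == 0:  # root bypasses DAC, except that exec still needs some x bit set
        return bit != X_BIT or (node.mode & 0o111) != 0
    if uid == node.uid:
        shift = 6
    elif node.gid in gids:
        shift = 3
    else:
        shift = 0
    return bool(node.mode & (bit << shift))

def can_execute(tree: list, user: str) -> tuple:
    """tree lists the Nodes from the top-level directory down to the command itself."""
    uid, gids = UID[user], GROUPS[user]
    for d in tree[:-1]:
        if not allowed(d, uid, gids):
            return False, f"cannot traverse {d.path}"
    if not allowed(tree[-1], uid, gids):
        return False, f"no execute permission on {tree[-1].path}"
    return True, "ok"

# The layout from the article: root owns everything, appsonly is the group.
OPT = Node("/opt", 0, 0, 0o755)
START = Node("/opt/apps/start", 0, APPSONLY, 0o750)
TREE_OK = [OPT, Node("/opt/apps", 0, APPSONLY, 0o750), START]
# Same layout, but the directory was given 0640 and so lacks the group search bit.
TREE_NO_SEARCH = [OPT, Node("/opt/apps", 0, APPSONLY, 0o640), START]

if __name__ == "__main__":
    for user in ("tom", "vivek"):
        print(user, can_execute(TREE_OK, user), can_execute(TREE_NO_SEARCH, user))
```

With TREE_OK, tom and jerry succeed and vivek is stopped at /opt/apps; with TREE_NO_SEARCH even tom is stopped at the directory, which is why the directory keeps mode 0750 rather than 0640.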

A Note About ACL and SELinux

The access control policies that can be enforced with the chmod, chgrp, and usermod commands are limited; configuring SELinux and file system ACLs (access control lists) is a better and recommended option for large deployments.

Recommended reading:

  • man page chgrp, groupadd, useradd, usermod, passwd, and group file.

1 rosgos October 4, 2009 at 10:30 am

In this case, root (or a user not restricted) must be the owner of /opt/apps/start.
Other method would be only permitting access to group:

# chmod 050 /opt/apps/start

# chgrp appsonly /opt/apps
# chmod 040 /opt/apps

Albert.


2 name October 5, 2009 at 10:59 am

Can we also do the same using “SUDOERRS” file under /etc


3 Cody July 26, 2014 at 12:14 pm

Yes. In fact, you can even specify the EXACT command and that includes the arguments allowed. I.e., if you only want them to do one command you can restrict them to this. It is sudoers (note you had two r’s) by the way and it is in lowercase (Unix and therefore Linux IS case sensitive). Of course you use the other features too. BUT – and this is IMPORTANT – the difference is sudo is for running a command as another user. So it applies but only depending on what you’re after. So if you want user cody and user name to be able to run commands as themselves, then do something more like the article (I’m not going to get into any other technical things on the article). Think of sudo as ‘su -c’ only more restrictive (for an easy if not too simplistic description).


4 yahya October 8, 2009 at 4:14 pm

How can I view the number of open files in Unix?


5 rosgos October 9, 2009 at 7:08 am

sudo lsof | wc -l ….. but it isn’t the question of this post


6 andriani octavianti October 27, 2014 at 11:12 am

I’ve done all those things, but when I tested it using the user who is a group member… it was an error because of segmentation fault (core dumped)

can anyone tell me why?
thank you


7 Cody October 30, 2014 at 4:02 pm

SIGSEGV (signal segmentation violation, i.e., segfault) is sent to a process when it accesses a location outside of its address space (although there are ways to make it happen in your address space as well as sending it to the process in the source code but those aren’t the norm). Once the signal is received, in normal circumstances it will abort but as it does (as long as limits allow it, see ulimit -c) it will drop what is known as a core which is an image of the process at the time of the crash (stack, registers, variables, everything). You would have to do the following to get more help (but see note below too, this isn’t really the place for it I’m afraid):

– What command and what args did you pass it ?

If you do not know what a core dump is, however, and it is not a known bug in the program (often isn’t but sometimes is) then you would have to have someone help you (which again, this is not the place to do it, although I certainly know how) or better yet go through the process of reporting it as a bug (following their information on how to report it – simply informing them there was a segfault is not going to help them one bit and in fact would annoy them at best… especially as it isn’t always because of the program in question – I’ll skip the details because the point is the same: you need to give them more info than “it crashed”).

But that is what a segfault is.


8 andriani octavianti October 30, 2014 at 5:13 pm

here’s the case…
in 1 server…i made 1 user to which i restored some binaries.
and those binaries are supposed to be executed by that user (user ex. “stg”) only.

but then i made another user named “mon”.
the purpose on creating that “mon” user is to be able to execute one of the binary owned by “stg”.

i’ve tried to change “mon”‘s group into “stg”‘s group…so that they are in the same group.
but even after that…when i try to execute the specified binary…it showed an error…”segmentation fault (core dumped)”.

i’m just guessing (after some searching, actually)…that it happened because the “mon” user was trying to access another user’s file/directory.
but..should it be okay to access/execute if they are in the same group?

please do correct me if i’m wrong..
thank you…

and by the way…thank you for your reply and explanations


9 Cody October 30, 2014 at 5:21 pm

That would simply give the error code EACCES (yes, one S) which is to say permission denied (various reasons for this). So no, it shouldn’t be that. But seeing as how you don’t even mention the program name it is kind of hard to know. Best bet – because again this isn’t a support forum – is to go to the developer and give the most accurate explanation you can (which includes the exact steps to reproduce) and I’m afraid they’ll likely want the backtrace of the coredump (either they have the steps or you’ll have to look it up… that is what I was referring to.. I know how but I’m a long time programmer… but it is very useful in solving crashes for the reasons I also gave). In the end there isn’t much anyone here can do beyond that.

And you’re very welcome for the explanation.


10 andriani octavianti October 30, 2014 at 5:43 pm

hehehehe….this is my former boss’ program (I emailed him too about this error)…that’s why I can’t say much.
I can do the debugging and backtrace if the error occurred when I execute it from the “stg” user…because it’s the proper user to execute it.

main user : stg
main group : stg
stg have folder : bin
inside directory bin : start
>> /home/stg/bin/start

2nd user : mon
2nd group : stg
purpose : user stg wants to be able to execute binary “start” on stg’s bin directory
>> /home/mon/bin

but…it should be okay to access another directory or execute another binary if the users are in the same group, right?

let me try to give some raw descriptions…

btw…i tried your step by step in this page…but on the 3rd step..nothing happened…

thank you so very very much in advance (even for reading my confusing explanations)


11 Cody October 30, 2014 at 6:03 pm

First, I’ll make this the last response because it really isn’t a support forum and the fact it is a (seemingly) proprietary program means there isn’t any way for us to debug it (and again: no support forum). Second, I didn’t write the article here. Third, the group would need execute permission (and keep in mind directory permissions too). Fourth, if it “is the user” then it is likely something else. There is a problem in the program somewhere and that is that (just like faulty RAM can make it seem like programs have bugs in them, so too can a program that is writing out of its address space. When you are corrupting memory what seems to be the case is not guaranteed to be true). Aside from that I can only offer:
man chmod
man chown
man chdir
… read it, understand permissions (execute, read for both regular files and directories) and then you can continue (but not here). Again, you need to go to the person responsible for the crash and no-one here is. I’ll leave you one last bit of advice (or a point) from personal experience over many years: debugging is an art form. It isn’t a science… it is an art. And while you can master it you can get better and better but unless you have the background you won’t get far. The last bit applies elsewhere. That is why I refer you to the man pages to understand permissions. Correspond with the author of the program because that’s the only way to fix it. The discussion will not solve it and it is only littering the comments (and that is putting it nicely).

Good luck and sorry but that is all I can offer. I already went too far off the point of this article – I only really meant to explain what a segfault is so you could actually go forward (and nothing else). But it isn’t the setup in this article that is the problem (even if it seems like it to you).
