Linux / UNIX: Restrict Access To A Given Command
You can use traditional Unix groups to enhance security, including restricting access to a given command.
Step # 1: Create and Maintain a Group For All Authorized Users
Create a group named appsonly:
# groupadd appsonly
Add all authorized users to appsonly:
# usermod -aG {groupName} {userName}
# usermod -aG appsonly tom
# usermod -aG appsonly jerry
# id jerry
Where,
- -a : Add the user to the supplemental group(s) i.e. appends the user to the current supplementary group list.
- -G : A list of supplementary groups which the user is also a member of.
Step # 2: Restrict Access
Now that the group of users has been created, use the chgrp command to change the group of /opt/apps/start to appsonly:
# chgrp {groupName} {/path/to/command}
# chgrp appsonly /opt/apps/start
Disable the file permission for others
Finally, use the chmod command to change the file permissions as follows:
# chmod 750 /path/to/command
# chmod 750 /opt/apps/start
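You can also apply permissions to the directory (this will disable ls command access for others). The directory keeps its execute (search) bit for the owner and the group so that group members can still reach the command inside it:
# chgrp appsonly /opt/apps
# chmod 0750 /opt/apps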
Step # 3: Test It
su to tom, enter:
# su - tom
$ id
$ /opt/apps/start
$ exit
su to vivek (not a member of appsonly group), enter:
# su - vivek
$ id
$ /opt/apps/start
Sample outputs:
bash: /opt/apps/start: Permission denied
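The script below is an added example, not part of the original article: it audits the result of Steps 1 and 2 by checking the command's group, its mode bits, and the parent directory's search bit. The function names (audit_restricted, has_perm, in_group, fail) are hypothetical, and it is assumed to run as root so every path can be examined.

```sh
#!/bin/sh
# Added example: audit the permissions set up in Steps 1 and 2.
# Usage: audit_restricted /opt/apps/start appsonly   (assumed to run as root)
# Returns 0 when the command is restricted to the group, 1 otherwise.

# has_perm PATH MODE: true if every permission bit in octal MODE is set.
has_perm() { [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]; }

# in_group PATH GROUP: true if PATH is group-owned by GROUP.
in_group() { [ -n "$(find "$1" -prune -group "$2" 2>/dev/null)" ]; }

# fail MESSAGE: report a finding on stderr and mark the audit as failed.
fail() { echo "FAIL: $*" >&2; bad=1; }

audit_restricted() {
    cmd=$1; grp=$2; bad=0
    dir=$(dirname "$cmd")

    [ -f "$cmd" ] || { fail "$cmd is not a regular file"; return 1; }

    # The command: group-owned by GRP, r-x for the group, nothing for others.
    in_group "$cmd" "$grp" || fail "$cmd is not group-owned by $grp"
    has_perm "$cmd" 050 || fail "group lacks read/execute on $cmd"
    ! has_perm "$cmd" 020 || fail "group members can modify $cmd"
    for bit in 004 002 001; do
        ! has_perm "$cmd" "$bit" || fail "others have mode bit $bit on $cmd"
    done

    # The parent directory: members need the search (x) bit to reach the
    # command at all; write access for others would let them replace it.
    if in_group "$dir" "$grp"; then
        has_perm "$dir" 010 || fail "group $grp lacks search (x) on $dir"
    else
        # Directory belongs to another group: members rely on the "other" bits.
        has_perm "$dir" 001 || fail "$grp members cannot traverse $dir"
    fi
    ! has_perm "$dir" 002 || fail "others can write to $dir"

    return "$bad"
}
```

Each finding is printed to stderr with a FAIL: prefix, so the function can be called from a cron job or a configuration-management check after the permissions are applied.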