Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Restrict a user from Executing particular command
Top Forums UNIX for Dummies Questions & Answers Restrict a user from Executing particular command Post 302962174 by bakunin on Wednesday 9th of December 2015 11:06:00 AM
Old 12-09-2015
The others who answered you before already hinted at that, but to make it as explicit as paossible:

Security is not about first allowing everything and then disallowing something specific. It is the other way round: forbid everything, carefully identify what has to be allowed and then allow exeactly that (and not more).

If you have a house it is a bad idea to first tear down every wall and then put a locked door to block a tenth of the western side. It is better to have walls all around and then put a door exactly at where visitors need to come in.

Sudo rules like the one you described are flawed in such a way they are irredeemable. It would be a good idea to identify the users real needs (not "i don't want to be slowed down by these pesky 'you are not allowed to...'-messages", but real, legitimate and arguable needs) and put that into sudo-rules.

Perhaps, if the account has only the groups it needs to have, only the rights it needs to have and only the access it needs to have, then the problem of forbidding it some "rm"-command might be already gone because the account cannot delete a file or directory it doesn't have write-access to.

And, honestly: if a user is irresponsible enough to issue rm-commands where they are harmful - do you really trust him enough to allow him the other powers that come with a sudo-rule like the above? Off the top of my head i know 10 methods to delete the file effectively without using rm at all:

Code:
cat /foo/bar > targetfile
cp /foo/bar targetfile
> targetfile
mv /foo/bar targetfile
mv targetfile /dev/null
sed '1q' targetfile > targetfile
[...]

All these commands will either reduce the file targetfile to length 0, overwrite it with meaningless information from /foo/bar (replace that with the name of any file containing nothing usable) or otherwise destroy what is in the file. You might end up with a file but all the information it held is gone. I hardly can see any improvement over the "its-gone-completely-because-of-rm"-situation.

I hope this helps.

bakunin
 

10 More Discussions You Might Find Interesting

1. Solaris

restrict a user to certain command

Hi all, I am using Sun OS 5.10. I am new to Unix. Is there some way to restrict a specific user to certain command say "/usr/bin/more" ?? for example: I want that user1 can execute more command & user2 can't. Can we somehow edit .profile file in the home directory of user to achieve... (1 Reply)
Discussion started by: vikas027
1 Replies

2. Solaris

How to restrict the perticular command to user

Hi all, I want to restrict the perticular command to user. ex: CD, CP, mv etc ., "A" user cannot user CD, CP, mv commands from his home directory. so please let me know the procedure how to restrict the commands access to user "A". I really thankfull to all.... (3 Replies)
Discussion started by: murthy76
3 Replies

3. AIX

New user and restrict path

Hello I have a question in Aix 5.3 can I create a user, that only can see a specify path. I mean the user log in the default path its /home/newuser he type cd the path that need to check /example/directory_check but if he wants to go to / or any other path. we can not do this. I only... (1 Reply)
Discussion started by: lo-lp-kl
1 Replies

4. UNIX for Dummies Questions & Answers

Restrict command for an user ?

Hi everyone ! I got "viewer" and "root" user on a *nix computer. When i log in using "viewer" I only can use "df" command. When I try another command like "ls" it say : -bash: ls: command not found I checked permission of "/bin/ls" file, it has excute permission for everyone. Inside home... (4 Replies)
Discussion started by: camus
4 Replies

5. Red Hat

Restrict user to a particular directory

Hi I have a Fedora10 server and i need a particular user to view files only in a particular folder. All other files in other folders having "read" permission for all shouldn't be accessible to this user. Please let me know if ther's a way. Thanks, HG (5 Replies)
Discussion started by: Hari_Ganesh
5 Replies

6. UNIX for Dummies Questions & Answers

Restrict user access.

Hi All, How can we restrict a particular user access to a particular shell in solaris 10. Thanks in Advance. (5 Replies)
Discussion started by: rama krishna
5 Replies

7. Red Hat

Restrict user access

Hi there I have an application user on my system that wants accesses to these file systems as such: rwx: /SAPO /SAPS12 /R3_888 /R3_888B /R3_888F /R3_888R r: /usr/sap these are the existing FS permissions:ownerships: # ls -ld /SAPO (9 Replies)
Discussion started by: hedkandi
9 Replies

8. AIX

How to restrict user to a particular directory?

hi, I want to restrict some user access to only 1 directory (including all sub-directories/files in it). can you please explain me, how can we do this? example; Filesystem GB blocks Used Free %Used Mounted on /dev/hd4 2.61 1.02 1.59 40% / /dev/hd2 ... (7 Replies)
Discussion started by: aaron8667
7 Replies

9. Solaris

How to find IP of user machine executing a particular UNIX command?

Hello, Our applications are deployed in SunOS 5.10 servers. All the team members use a same username/pwd to login to the box. Very often we face issue were we could see that weblogic server instance are KILLED and we are not able to trace who executed kill command. All team members use PUTTY to... (2 Replies)
Discussion started by: santtarius
2 Replies

10. HP-UX

Restrict ssh for particular user

Dear Concern, We want to restrict ssh for particular user "oracle". Our HP UX version is as below. Please advise. # uname -a HP-UX tabsdb02 B.11.31 U ia64 2963363594 unlimited-user license (2 Replies)
Discussion started by: makauser
2 Replies

LEARN ABOUT CENTOS

libtalloc_stealing

libtalloc_stealing(3)						      talloc						     libtalloc_stealing(3)

NAME

       libtalloc_stealing - Chapter 2: Stealing a context

Stealing a context
       Talloc has the ability to change the parent of a talloc context to another one. This operation is commonly referred to as stealing and it
       is one of the most important actions performed with talloc contexts.

       Stealing a context is necessary if we want the pointer to outlive the context it is created on. This has many possible use cases, for
       instance stealing a result of a database search to an in-memory cache context, changing the parent of a field of a generic structure to a
       more specific one or vice-versa. The most common scenario, at least in Samba, is to steal output data from a function-specific context to
       the output context given as an argument of that function.

       struct foo {
	   char *a1;
	   char *a2;
	   char *a3;
       };

       struct bar {
	   char *wurst;
	   struct foo *foo;
       };

       struct foo *foo = talloc_zero(ctx, struct foo);
       foo->a1 = talloc_strdup(foo, "a1");
       foo->a2 = talloc_strdup(foo, "a2");
       foo->a3 = talloc_strdup(foo, "a3");

       struct bar *bar = talloc_zero(NULL, struct bar);
       /* change parent of foo from ctx to bar */
       bar->foo = talloc_steal(bar, foo);

       /* or do the same but assign foo = NULL */
       bar->foo = talloc_move(bar, &foo);

       The talloc_move() function is similar to the talloc_steal() function but additionally sets the source pointer to NULL.

       In general, the source pointer itself is not changed (it only replaces the parent in the meta data). But the common usage is that the
       result is assigned to another variable, thus further accessing the pointer from the original variable should be avoided unless it is
       necessary. In this case talloc_move() is the preferred way of stealing a context. Additionally sets the source pointer to NULL,
       thus.protects the pointer from being accidentally freed and accessed using the old variable after its parent has been changed.

Version 2.0							  Tue Jun 17 2014					     libtalloc_stealing(3)
All times are GMT -4. The time now is 11:35 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy