Question: How to prevent a given user from being able to run a specific command.
This technique uses a filesystem access control list (ACL) to prevent unwanted access.
Caution: The sudo facility is not suitable for this purpose. In particular, “subtracting” an executable from the allowed ALL preset does not work as expected.
The example below prevents user john from creating any directories via the mkdir command. The steps are:
1. Find the absolute path to the command to be controlled:
    # which mkdir
    /bin/mkdir
2. Display the current ACL for that program:
    # getfacl /bin/mkdir
    # file: bin/mkdir
    # owner: root
    # group: root
    user::rwx
    group::r-x
    other::r-x
The user, group, and other entries correspond to the traditional file access permissions managed by the chmod command.
3. Add an access control rule for the user john:
    # /bin/setfacl -m u:john:--- /bin/mkdir
4. View the updated access control:
    # getfacl /bin/mkdir
    getfacl: Removing leading '/' from absolute path names
    # file: bin/mkdir
    # owner: root
    # group: root
    user::rwx
    user:john:---
    group::r-x
    mask::rwx
    other::r-x
The new user:john:--- entry is the rule just added. The mask entry limits what named-user and group entries can grant; since john's entry grants nothing, the mask does not affect the outcome here.
5. Test the setting:
    # su - john
    $ mkdir
    -bash: /bin/mkdir: Permission denied
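The following shell helpers are an added example, not part of the original answer: they read getfacl output from stdin and report a named user's effective permissions, so the state produced by steps 3 and 4 can be verified in a script rather than by eye. The SAMPLE_ACL text is constructed to match the step 4 output; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original answer). Reads getfacl(1) output on
# stdin and reports what a named user can actually do with the file.

# Constructed sample matching the getfacl output shown in step 4.
SAMPLE_ACL='# file: bin/mkdir
# owner: root
# group: root
user::rwx
user:john:---
group::r-x
mask::rwx
other::r-x'

# acl_entry TAG QUALIFIER < getfacl-output
# Prints the permission field of the "TAG:QUALIFIER:perms" entry, or "none".
acl_entry() {
    awk -F: -v tag="$1" -v q="$2" '
        /^#/ || NF < 3 { next }
        $1 == tag && $2 == q { print $3; found = 1; exit }
        END { if (!found) print "none" }'
}

# acl_effective USER < getfacl-output
# A named-user entry is filtered through the mask entry: a permission is
# effective only when both the entry and the mask grant it.  Prints the
# effective rwx triple, or "none" if the user has no explicit entry.
acl_effective() {
    acl_text=$(cat)
    entry=$(printf '%s\n' "$acl_text" | acl_entry user "$1")
    [ "$entry" = "none" ] && { echo none; return; }
    mask=$(printf '%s\n' "$acl_text" | acl_entry mask "")
    [ "$mask" = "none" ] && mask=rwx   # no mask entry: entry applies as-is
    out=""
    i=1
    while [ "$i" -le 3 ]; do
        e=$(printf '%s' "$entry" | cut -c"$i")
        m=$(printf '%s' "$mask"  | cut -c"$i")
        if [ "$e" = "$m" ] && [ "$e" != "-" ]; then out="$out$e"; else out="$out-"; fi
        i=$((i + 1))
    done
    echo "$out"
}

# user_cannot_exec USER < getfacl-output
# Succeeds when the user's effective permissions are exactly --- (the state
# that step 5 relies on).
user_cannot_exec() {
    [ "$(acl_effective "$1")" = "---" ]
}
```

Pipe real output in with `getfacl /bin/mkdir | acl_effective john` to check a live system.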
Consider adding an execution watch using the auditctl tool to augment this protection.