Prevent a list of Users from executing a file
There are many scenarios where you'd not want a User or Users to execute a specific file.
For example, wget or perl might be binaries that you'd not want Users to run.
In this example, we'll discuss how to use group permissions to prevent a group of Users from executing the file:
- First, we need to create a group that will be filled with Users. Let's call this group noperl.
- Next, we'll assign this group to the perl binary, and set its permissions such that no User in the noperl group can execute it:
  chgrp noperl /usr/bin/perl
  chmod 705 /usr/bin/perl
  where, in the 705 permissions, the 0 portion specifies that the group on this file cannot do anything with it (can't read it, can't write to it, and cannot execute it). Linux applies only the first matching class (owner, then group, then other), so a member of noperl gets the 0 even though all other Users keep read and execute.
- Lastly, add any Users to this group who should not be allowed to execute perl:
  usermod -a -G noperl apache
  usermod -a -G noperl fred
  usermod -a -G noperl george
  where apache, fred, and george cannot run /usr/bin/perl.
This guide can be applied to other binaries as needed, but make sure that you don't block any Users who actually need to use the given binary.
- If you want to automate the adding of newly created Users to this group, create the file:
  /usr/local/directadmin/scripts/custom/user_create_post.sh
  and add the code
  #!/bin/sh
  # Add the newly created User to the noperl group
  /usr/sbin/usermod -a -G noperl "$username" 2>&1
  and chmod the script to 755.
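
To check that the steps above still hold (for example after the binary's owner, group or mode has been changed), the following added example, which is not part of the original guide or of DirectAdmin, audits a binary against a list of Users. The function names exec_allowed and audit_deny are hypothetical; it assumes Linux with GNU stat, and does not model root or ACLs.

```sh
#!/bin/sh
# Added example: audit the group-deny setup. Assumes Linux with GNU stat.

# exec_allowed MODE OWNER GROUP USER "USER_GROUPS"
# Models how the kernel picks ONE permission class for a non-root user:
# owner bits if USER owns the file, else group bits if USER is in the
# file's group, else other bits. Returns 0 if that class has execute.
exec_allowed() {
    ea_bits=$(( 0$1 ))                      # treat MODE as octal
    if [ "$4" = "$2" ]; then
        ea_cls=$(( (ea_bits >> 6) & 7 ))    # owner class
    else
        ea_cls=$(( ea_bits & 7 ))           # other class by default
        for ea_g in $5; do
            if [ "$ea_g" = "$3" ]; then
                ea_cls=$(( (ea_bits >> 3) & 7 ))   # group class wins
                break
            fi
        done
    fi
    [ $(( ea_cls & 1 )) -eq 1 ]
}

# audit_deny BINARY GROUP USER...
# Returns 0 if no listed user can execute BINARY, 1 if any can,
# 2 if BINARY cannot be inspected.
audit_deny() {
    ad_bin=$1 ad_grp=$2; shift 2
    ad_mode=$(stat -c %a "$ad_bin") || return 2
    ad_owner=$(stat -c %U "$ad_bin") || return 2
    ad_fgrp=$(stat -c %G "$ad_bin") || return 2
    [ "$ad_fgrp" = "$ad_grp" ] || echo "WARN: $ad_bin group is $ad_fgrp, expected $ad_grp"
    ad_rc=0
    for ad_u in "$@"; do
        ad_ugs=$(id -Gn "$ad_u" 2>/dev/null) || { echo "SKIP: no such user $ad_u"; continue; }
        if exec_allowed "$ad_mode" "$ad_owner" "$ad_fgrp" "$ad_u" "$ad_ugs"; then
            echo "FAIL: $ad_u can still execute $ad_bin (mode $ad_mode)"
            ad_rc=1
        fi
    done
    return "$ad_rc"
}

# Usage: sh audit.sh /usr/bin/perl noperl apache fred george
if [ "$#" -ge 3 ]; then audit_deny "$@"; fi
```

A FAIL line for a User you added to noperl usually means the binary's group or mode no longer matches what the guide set, or that the User owns the file.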