Add to Favourites Add to Favourites    Print this Article Print this Article

Prevent a list of Users from executing a file

There are many scenarios where you'd not want a User or Users to execute a specific file.
For example, wget or perl might be binaries that you'd not want Users to run.

In this example, we'll discuss how to use group permissions to prevent a group of Users from executing the file:

  1. First, we need to create a group that will be filled with Users.  Let's call this group :

    groupadd noperl

  2. Next, we'll assign this group to the perl binary, and set it's permissions such that no User in the noperl group can execute it:

    chgrp noperl /usr/bin/perl
    chmod 705 /usr/bin/perl

    where using the permissions, the 0 portion specifies that the group on this file cannot do anything on it (can't read it, can't write to it, and cannot execute it)

  3. Lastly, add any Users to this group who should not be allowed to execute perl:

    usermod -a -G noperl apache
    usermod -a -G noperl fred
    usermod -a -G noperl george

    where apache, fred, and george cannot run /usr/bin/perl.

This guide can be applied to other binaries as needed, but make sure that you don't block any Users which actually need to use the given binary.

  1. If you want to automate the adding of newly created Users to this group, create the file:


    and add the code

    /usr/sbin/usermod -a -G noperl $username 2>&1
    exit $RET

    and chmod the script to 755.

Was this answer helpful?

Also Read