Old 10-13-2010, 10:42 PM   #1
devUnix
Member
 
Registered: Oct 2010
Posts: 606

Rep: Reputation: 59
Deny Users from Executing Certain Commands


Hi,


How can we deny a user or all the users, of course other than the root, from executing certain commands such as:

Code:
nice <some-priority-value> <some-command> 

ls -R /
?

Do we need to enter some lines in /etc/sudoers
by issuing the command visudo?

I didn't find any hint in that file.


Any ideas?


Foolish Assumptions:

You are not going to express any ethics here.

You have understood what the objective is and are going to show how to achieve it.

I don't have time for restricting users from listing a directory contents or issuing nice. They are examples only.

Thanks!

Last edited by devUnix; 10-15-2010 at 11:30 PM. Reason: For the Sake of Readers' Better Understanding of the Question
 
Old 10-14-2010, 12:25 AM   #2
EricTRA
LQ Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Rep: Reputation: 1297
Quote:
Originally Posted by devUnix View Post
Hi,


How can we deny a user or all the users, of course other than the root, from executing certain commands such as:

Code:
nice <some-priority-value> <some-command> 

ls -R /
?

Do we need to enter some lines in /etc/sudoers
by issuing the command visudo?

I didn't find any hint in that file.


Any ideas?
Hello,

Yes, you can use sudoers (edited by using visudo by preference) to prohibit use of certain commands by users if your sudoers is set up correctly. From the man page for sudoers:
Quote:
An exclamation point ('!') can be used as a logical not operator both in an alias and in front of a Cmnd. This allows one to exclude certain values. Note, however, that using a ! in conjunction with the built-in ALL alias to allow a user to run "all but a few" commands rarely works as intended (see SECURITY NOTES below).
Hope that helps.

Kind regards,

Eric
 
Old 10-14-2010, 09:07 AM   #3
zhaozhou
LQ Newbie
 
Registered: Oct 2009
Location: Sweden
Distribution: Gentoo
Posts: 23

Rep: Reputation: 1
Do note that adding the rules to sudoers will still allow the user to run the command without 'sudo'.

You can change allowed nice values in /etc/security, and I don't think it's a very good idea to disallow the user to list files in /.
 
Old 10-15-2010, 09:19 AM   #4
A.Thyssen
Member
 
Registered: May 2006
Location: Brisbane, Australia
Distribution: linux
Posts: 158

Rep: Reputation: 44
Why would you want to limit 'nice'?

Non-root users can only make processes 'nicer'. They can't make a command any less nice. The same goes for the renice command to modify the priority of an existing process.
Remember, under unix you can do most things in MANY different ways. Limiting one command may not limit all such methods.

As for ls -R /, why do you want to limit that? Anything they should not be able to list should have appropriate restrictions already (like appropriate directory read, or access).

The point of the unix system is that it already has appropriate restrictions against users that are detrimental to the system.

sudo, on the other hand, is not meant to limit users, but to give specific users access to specific commands they normally do not have access to, especially as specific users (like root) they normally can't run commands as. For example, a command to load a specific kernel driver, or say a cryptfs file system, which ordinary users can not do.


If you are wanting to restrict users from NORMAL commands, doing so one command at a time would be useless. You would want to limit ALL commands and only open up specific ones. That is the function of the restricted shell!

And is the right way to limit users, like guest accounts.

The other way is to only let them use a special interface, for example for uploading web files to their account. In which case the user does not even get a 'shell' at all.

So the question comes down to.... What do you REALLY want? Rather than your how to do question...

Last edited by A.Thyssen; 10-15-2010 at 09:23 AM.
 
Old 10-15-2010, 11:09 PM   #5
devUnix
Member
 
Registered: Oct 2010
Posts: 606

Original Poster
Rep: Reputation: 59
Quote:
Originally Posted by EricTRA View Post
Hello,

Yes you can use sudoers (edited by using visudo by preference) to prohibit use of certain commands by users if your sudoers is setup correctly. From the man page for sudoers:


Hope that helps.

Kind regards,

Eric


Hi Eric!


Thanks for the hint!
 
Old 10-15-2010, 11:12 PM   #6
devUnix
Member
 
Registered: Oct 2010
Posts: 606

Original Poster
Rep: Reputation: 59
Quote:
Originally Posted by zhaozhou View Post
Do note that adding the rules to sudoers will still allow the user to run the command without 'sudo'.

You can change allowed nice values in /etc/security
Thanks for the note!


Quote:
I don't think it's a very good idea to disallow the user to list files in /.
Neither do I. That was only an example.
 
Old 10-15-2010, 11:25 PM   #7
devUnix
Member
 
Registered: Oct 2010
Posts: 606

Original Poster
Rep: Reputation: 59
Quote:
Originally Posted by A.Thyssen View Post
Why would you want to limit 'nice'?


As for ls -R / Why do you want to limit that. A


So the question comes down to.... What do you REALLY want? Rather than your how to do question...
Thanks for your time and energy you wasted upon writing all that stuff. Please do read my question again. To save your time this time, read this note:

Before flying a real aircraft, the students are given artificial aircraft to simulate flying. We do not need to ask them why they are crashing or saving their artificial aircraft.

Restricting ls -R / or nice -19 someCommand is not my objective. They are examples. I am not going to restrict a thousand users from listing a directory's contents or displaying their system date or whatever normal operations they perform on their UNIX / Linux System.

When we say touch fileName we do not mean that a learner is going to name the file "fileName" instead of using his/her own common sense. That is just an example!

Similarly when we say:

rm -f /*

we just want to say that all the files in the named partition would be gone!

But do we need to care about the ethics behind executing the command? Possibly one would know what that command does and how to use it for one's own purpose. That's it.
 
Old 10-16-2010, 05:08 PM   #8
zhaozhou
LQ Newbie
 
Registered: Oct 2009
Location: Sweden
Distribution: Gentoo
Posts: 23

Rep: Reputation: 1
Alright, if I'm reading this correctly, you want some sort of shell (or desktop, whatever) that a user can play around in without ruining your computer.

This is a rather tough question to answer, since you can't just restrict commands.

However, if I'm reading this correctly, I think you want a chroot jail. You'd be able to lock a user to a directory which includes 'his own little OS', where you decide what he can/cannot do (restricting commands is one of them), but also, if he actually ruins his OS (rm -rf /), you'll be able to quickly and easily restore it.

You can also script it even further so that when the user logs off, the chroot is automatically restored to default.
 
1 members found this post helpful.
Old 10-16-2010, 08:14 PM   #9
ndarkduck
LQ Newbie
 
Registered: Nov 2008
Location: Mex,Mex
Distribution: Fedora || Red Hat Linux
Posts: 28

Rep: Reputation: 7
Think a little simpler

Ehm... sorry but... Why not just... using UNIX standard permissions? You know like
Code:
chmod o-x /bin/echo
on the commands you like ?
 
Old 10-17-2010, 03:56 PM   #10
zhaozhou
LQ Newbie
 
Registered: Oct 2009
Location: Sweden
Distribution: Gentoo
Posts: 23

Rep: Reputation: 1
Quote:
Originally Posted by ndarkduck View Post
Ehm... sorry but... Why not just... using UNIX standard permissions? You know like
Code:
chmod o-x /bin/echo
on the commands you like ?
It's not that easy. First of all, disallowing the user to run the command "echo", for example, can break scripts which are completely valid. Second of all, a user could create a simple script or program which does the exact same thing as "echo", and be able to run it. And thirdly, you'd have to deny the user read rights as well, not just execute.

Code:
cp /bin/echo ~/echo
chmod +x ~/echo
~/echo
 
Old 10-19-2010, 01:11 PM   #11
devUnix
Member
 
Registered: Oct 2010
Posts: 606

Original Poster
Rep: Reputation: 59
Quote:
Originally Posted by ndarkduck View Post
Ehm... sorry but... Why not just... using UNIX standard permissions? You know like
Code:
chmod o-x /bin/echo
on the commands you like ?
That way I will need to keep a record of commands whose default permissions I have changed.
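
Added example (not written by any poster in this thread): a small audit that covers the two points raised in posts #10 and #11. It rebuilds the "record" of restricted commands from the file modes themselves and flags those where only execute was removed from "other", leaving the binary readable and therefore copyable. The function name `audit_restricted` and the sample directory are constructed for illustration.

```shell
#!/bin/sh
# audit_restricted DIR  (hypothetical helper, added for illustration)
# Prints one line per regular file in DIR that its owner may execute but
# "other" may not, i.e. a command restricted with chmod o-x:
#   COPYABLE <path>  other can still read it, so the restriction is only
#                    cosmetic (the file can be copied and run elsewhere)
#   LOCKED   <path>  other has neither read nor execute permission
audit_restricted() {
    find "$1" -maxdepth 1 -type f -perm -u=x ! -perm -o=x | sort |
    while IFS= read -r f; do
        # Second find tests the "other read" bit on this one file only.
        if [ -n "$(find "$f" -maxdepth 0 -perm -o=r)" ]; then
            printf 'COPYABLE %s\n' "$f"
        else
            printf 'LOCKED   %s\n' "$f"
        fi
    done
}

# Constructed sample: a throwaway directory standing in for /bin.
demo_dir=$(mktemp -d)
for name in tool_open tool_readable tool_locked; do
    printf '#!/bin/sh\necho hi\n' > "$demo_dir/$name"
done
chmod 755 "$demo_dir/tool_open"      # untouched default, not reported
chmod 754 "$demo_dir/tool_readable"  # chmod o-x only   -> COPYABLE
chmod 750 "$demo_dir/tool_locked"    # chmod o-rx       -> LOCKED
audit_restricted "$demo_dir"
rm -rf "$demo_dir"
```

Run against a real directory such as /bin, the output doubles as the list of commands whose default permissions were changed.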
 
  

