How to restrict commands?

To restrict commands for users in Linux using sudo, you can specify which commands a user or group is allowed to execute in the /etc/sudoers file. This allows for fine-grained control over what actions users can perform with elevated privileges. Here’s how to do it:

Steps to Restrict Commands

  1. Open the Terminal: Access your terminal application.

  2. Edit the Sudoers File with visudo:

    • Always use visudo to edit the sudoers file to prevent syntax errors.
    • Run the following command:
    sudo visudo
  3. Specify User or Group:

    • You can restrict commands for a specific user or a group. The syntax is as follows:
    user    ALL=(ALL:ALL) /path/to/command

    or for a group:

    %groupname  ALL=(ALL:ALL) /path/to/command
  4. Example of Restricting Commands:

    • To allow a user named jack to only run the apt command, you would add:
    jack    ALL=(ALL:ALL) /usr/bin/apt
    • To allow a group named developers to run only the git command, you would add:
    %developers  ALL=(ALL:ALL) /usr/bin/git
  5. Multiple Commands:

    • If you want to allow multiple commands, you can separate them with commas:
    jack    ALL=(ALL:ALL) /usr/bin/apt, /usr/bin/systemctl
  6. Restricting All Commands:

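    • If you want to deny a user or group from using sudo entirely, do not give them a sudoers entry at all, and make sure they are not members of a group that already has one (for example sudo or wheel, depending on the distribution). Do not confuse this with the following rule, which does the opposite:
    jack    ALL=(ALL:ALL) NOPASSWD: ALL
    • This allows jack to run any command as any user without a password. To restrict jack instead, list only specific commands as shown above.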
  7. Saving Changes:

    • After making your changes, save and exit the editor. visudo opens your default editor; if that is nano, press Ctrl + X, then Y to confirm changes, and Enter. visudo checks the syntax on exit and warns you before installing a broken file.
  8. Testing the Configuration:

    • After editing, test the configuration by switching to the user and attempting to run the allowed and restricted commands:
    sudo apt update
    sudo ls /root
    • The first command should succeed, while the second should fail if restricted correctly.
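
Step 6 shows how easily a broad grant ends up in a file that was meant to restrict. As an added example (not part of the original page), this shell function scans sudoers-style rules and reports any that grant ALL commands or skip the password prompt. It assumes one rule per line with no aliases or line continuations; the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag over-broad rules in sudoers-style text.
# Simplified on purpose: one rule per line, no aliases, no line continuations.

audit_sudoers() {   # reads stdin, or the files given as arguments
    awk '
    /^[ \t]*(#|$)/ { next }                          # comments and blank lines
    /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next }     # settings and alias definitions
    {
        eq = index($0, "=")
        if (eq == 0) next                            # not a user rule
        who = $1
        spec = substr($0, eq + 1)
        sub(/^[ \t]*\([^)]*\)[ \t]*/, "", spec)      # drop the (runas) part
        n = split(spec, cmds, ",")
        nopass = 0                                   # tags carry over to later commands
        for (i = 1; i <= n; i++) {
            c = cmds[i]
            gsub(/^[ \t]+|[ \t]+$/, "", c)
            while (match(c, /^[A-Z_]+:[ \t]*/)) {    # peel tags such as NOPASSWD:
                if (c ~ /^NOPASSWD:/) nopass = 1
                if (c ~ /^PASSWD:/) nopass = 0
                c = substr(c, RLENGTH + 1)
            }
            if (c == "ALL") {
                print who "\tUNRESTRICTED\t" (nopass ? "no password" : "password required")
            } else if (nopass) {
                print who "\tNOPASSWD\t" c
            }
        }
    }' "$@"
}

sample_rules() {    # constructed input: the rules shown in steps 4 to 6
    cat <<'EOF'
jack    ALL=(ALL:ALL) /usr/bin/apt, /usr/bin/systemctl
%developers  ALL=(ALL:ALL) /usr/bin/git
jack    ALL=(ALL:ALL) NOPASSWD: ALL
EOF
}

sample_rules | audit_sudoers    # prints: jack<TAB>UNRESTRICTED<TAB>no password
```

For a real policy, pass the file as an argument while running as root. The function only looks at grants, so syntax checking still belongs to visudo.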

Important Notes

  • Syntax Errors: Always use visudo to avoid syntax errors that could lock you out of sudo access.

  • Backup: Consider backing up the sudoers file before making changes:

    sudo cp /etc/sudoers /etc/sudoers.bak
  • Documentation: For more complex configurations, refer to the sudoers manual by running man sudoers in the terminal.

Conclusion

By restricting commands in the sudoers file, you can enhance security and control over what users can do with elevated privileges. If you have any further questions or need clarification on specific configurations, feel free to ask!
