How to restrict specific commands?

To restrict specific commands for users in Linux using sudo, you can define which commands a user or group is allowed to execute in the /etc/sudoers file. This allows you to control access to sensitive commands while still granting necessary privileges. Here’s how to do it:

Steps to Restrict Specific Commands

  1. Open the Terminal: Access your terminal application.

  2. Edit the Sudoers File with visudo:

    • Always use visudo to edit the sudoers file to prevent syntax errors.
    • Run the following command:
    sudo visudo
  3. Specify User or Group:

    • You can restrict commands for a specific user or a group. The syntax is as follows:
    user    ALL=(ALL:ALL) /path/to/allowed_command

    or for a group:

    %groupname  ALL=(ALL:ALL) /path/to/allowed_command
  4. Example of Restricting Specific Commands:

    • To allow a user named jack to run only the apt command and restrict all others, you would add:
    jack    ALL=(ALL:ALL) /usr/bin/apt
    • If you want to allow jack to run apt and systemctl, but restrict everything else, you can specify:
    jack    ALL=(ALL:ALL) /usr/bin/apt, /usr/bin/systemctl
  5. Denying Specific Commands:

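    • sudo only permits what a rule lists, so to deny a command while allowing others you simply do not include it in the allowed commands. The NOPASSWD tag is separate from this: it only lets the listed commands run without a password prompt and does not restrict anything by itself. For example, if you want to allow jack to run apt (without a password prompt) but deny shutdown, you would not include shutdown in the allowed commands:
    jack    ALL=(ALL:ALL) NOPASSWD: /usr/bin/apt
    • If shutdown is not listed, jack will not be able to execute it with sudo, provided no other rule in the file (for example a group entry that covers jack) grants it.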
  6. Saving Changes:

    • After making your changes, save and exit the editor. If visudo opens the nano editor, this is done by pressing Ctrl + X, then Y to confirm changes, and Enter. visudo checks the syntax when you exit and warns you before installing a broken file.
  7. Testing the Configuration:

    • After editing, test the configuration by switching to the user and attempting to run the allowed and restricted commands:
    sudo apt update
    sudo shutdown now
    • The first command should succeed, while the second should fail if restricted correctly.
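
The steps above as a script, added here as an example and not part of the original page: it builds the rule, syntax-checks it with visudo -c before installing it as a drop-in, and then asks sudo -l whether each command is allowed instead of running it. It assumes it runs as root and that /etc/sudoers includes /etc/sudoers.d; the drop-in name 90-<user>, the script name and the function names are made up for the example.

```sh
#!/bin/sh
# Added example, not from the original page. Run as root.
# Assumes /etc/sudoers includes /etc/sudoers.d; "90-<user>" is a made-up name.

# build_rule USER CMD...: print one rule in the form shown in step 4.
# sudoers matches commands by full path, so relative names are rejected.
build_rule() (
    user=$1; shift
    case $user in ''|*[!A-Za-z0-9_-]*) echo "bad user name" >&2; exit 1 ;; esac
    [ "$#" -gt 0 ] || { echo "no commands given" >&2; exit 1; }
    cmds=
    for c in "$@"; do
        case $c in
            # Spaces or commas would change the meaning of the rule.
            *[!A-Za-z0-9/._-]*) echo "unsupported characters: $c" >&2; exit 1 ;;
            /*) cmds="${cmds:+$cmds, }$c" ;;
            *)  echo "not an absolute path: $c" >&2; exit 1 ;;
        esac
    done
    printf '%s    ALL=(ALL:ALL) %s\n' "$user" "$cmds"
)

# install_rule USER CMD...: stage the rule, syntax-check it, then install it.
install_rule() (
    tmp=$(mktemp) || exit 1
    trap 'rm -f "$tmp"' EXIT
    build_rule "$@" > "$tmp" || exit 1
    # -c checks syntax only; -f checks the staged file, not /etc/sudoers.
    visudo -c -f "$tmp" || exit 1
    # 0440 root:root is the ownership and mode sudo expects for sudoers files.
    install -o root -g root -m 0440 "$tmp" "/etc/sudoers.d/90-$1"
)

# is_allowed USER CMD: exit 0 if the policy lets USER run CMD through sudo.
# sudo -l only queries the policy; CMD is never executed.
is_allowed() { sudo -n -l -U "$1" "$2" >/dev/null 2>&1; }

# Usage: sh restrict.sh jack /usr/bin/apt /usr/bin/systemctl
if [ "$#" -ge 2 ]; then
    install_rule "$@" || exit 1
    user=$1; shift
    for c in "$@" "$(command -v shutdown)"; do
        if is_allowed "$user" "$c"; then echo "allowed: $c"; else echo "denied:  $c"; fi
    done
fi
```

If the shutdown line is reported as allowed, another entry in the policy (often a group rule) is granting it, and the per-user rule alone is not what restricts jack.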

Important Notes

  • Syntax Errors: Always use visudo to avoid syntax errors that could lock you out of sudo access.

  • Backup: Consider backing up the sudoers file before making changes:

    sudo cp /etc/sudoers /etc/sudoers.bak
  • Documentation: For more complex configurations, refer to the sudoers manual by running man sudoers in the terminal.

Conclusion

By restricting specific commands in the sudoers file, you can enhance security and control over what users can do with elevated privileges. If you have any further questions or need clarification on specific configurations, feel free to ask!
