2

Say there is a set of shell commands {ls, cat, kill}.

I want to enable users in group A to execute the commands {ls, cat}, and users in group B to execute the commands {cat, kill}.

How can I do that? What are the best approaches?

I thought about some solutions, but they don't seem 100% secure.

2
  • There are commercial applications for this sort of thing, Centrify comes to mind.
    – Optichip
    Commented Jan 22, 2015 at 11:35
  • A problem in the example: usually kill is a shell builtin command (check it with type kill). If you let users have a shell, I'm afraid you will not find a way to prevent them from using kill (unless you modify the source code of the shell appropriately and recompile it...). It is different, however, if you want to pre-empt the use of /bin/kill...
    – Hastur
    Commented Jan 22, 2015 at 13:19

1 Answer

1

One of the ways to restrict the possibility to execute commands is the restricted shell.
Excerpt from the manual, which says that the following are disallowed or not performed:

Changing directories with the cd builtin.
Setting or unsetting the values of the SHELL, PATH, ENV, or BASH_ENV variables.
Specifying command names containing slashes.
Specifying a filename containing a slash as an argument to the . builtin command.
Specifying a filename containing a slash as an argument to the -p option to the hash builtin command.
Importing function definitions from the shell environment at startup.
Parsing the value of SHELLOPTS from the shell environment at startup.
Redirecting output using the ‘>’, ‘>|’, ‘<>’, ‘>&’, ‘&>’, and ‘>>’ redirection operators.
Using the exec builtin to replace the shell with another command.
Adding or deleting builtin commands with the -f and -d options to the enable builtin.
Using the enable builtin command to enable disabled shell builtins.
Specifying the -p option to the command builtin.
Turning off restricted mode with ‘set +r’ or ‘set +o restricted’. 

After that you can add links to the commands you want them to be able to execute.


Maybe another path to your goal is through the use of sudo.
In your case you can edit the sudoers file (with visudo) and obtain something similar to:

    User_Alias     USERS_GROUP_A = joe, mike, cedric
    User_Alias     USERS_GROUP_B = jude, zoe, cedric
    Cmnd_Alias     COMMANDS_GROUP_A = /bin/ls,    /bin/cat, /usr/bin/zip
    Cmnd_Alias     COMMANDS_GROUP_B = /bin/kill,  /bin/cat, /usr/bin/zip

    USERS_GROUP_A ALL= COMMANDS_GROUP_A
    USERS_GROUP_B ALL= COMMANDS_GROUP_B
    # users of the group USERS_GROUP_A may run /bin/ls, /bin/cat, and /usr/bin/zip
    # from any machine (ALL).
    # users of the group USERS_GROUP_B may run /bin/kill, /bin/cat and /usr/bin/zip
    # from any machine (ALL).

Notes:

  • A problem in the example: usually kill is a shell builtin command (check it with type kill). If you let users have a shell, I'm afraid you will not find a way to prevent them from using kill (unless you modify the source code of the shell appropriately and recompile it...).
  • If the commands that you want to close off for those users have the read and execute attributes set for all (e.g. ls -l /usr/bin/zip)

      -rwxr-xr-x 1 root root      188296 Oct 21  2013 /usr/bin/zip
    

    maybe you can use a workaround, restricting the execute attribute to only the owner and its group with sudo chmod o-x /usr/bin/zip,

      -rwxr-xr-- 1 root root      188296 Oct 21  2013 /usr/bin/zip
    

    adding a new user (e.g. cooluser) to that group (maybe with /usr/sbin/nologin as shell), and writing the following 2 lines instead of the corresponding ones above:

    USERS_GROUP_A ALL=(cooluser) NOPASSWD: COMMANDS_GROUP_A
    USERS_GROUP_B ALL=(cooluser) NOPASSWD: COMMANDS_GROUP_B
    # users of the USERS_GROUP_A may run /bin/ls, /bin/cat and /usr/bin/zip
    # as the user cooluser from any machine (ALL).
    # users of the USERS_GROUP_B may run /bin/kill,/bin/cat and /usr/bin/zip
    # as the user cooluser from any machine (ALL).
    

    The keyword NOPASSWD: is there to avoid the password request.
    Your users can execute the commands with

    sudo -u cooluser /usr/bin/zip
    

    Side effect: other users will not be able to run that command until you include them in the group of the owner of the file... and if that is root it may not be so safe...
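
The restricted-shell approach from the answer, as an added example that is not part of the original answer: each group gets a directory of symlinks used as the only PATH entry of a `bash -r` session, and the script reports how each of the question's three commands resolves for each group. The directory layout and the function names (`find_bin`, `make_group_bin`, `run_restricted`, `kind_of`) are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-group command directories for a restricted bash.
# Paths, directory layout and function names are constructed for illustration.
BASH_BIN=$(command -v bash)

# Print the first on-disk executable called $1 (shell builtins are ignored).
find_bin() {
    for d in /bin /usr/bin /usr/local/bin; do
        if [ -x "$d/$1" ]; then printf '%s\n' "$d/$1"; return 0; fi
    done
    return 1
}

# make_group_bin DIR CMD...: fill DIR with symlinks to the allowed commands.
make_group_bin() {
    dir=$1; shift
    mkdir -p "$dir"
    for cmd in "$@"; do
        target=$(find_bin "$cmd") || { echo "skip: no $cmd on disk" >&2; continue; }
        ln -sf "$target" "$dir/$cmd"
    done
}

# run_restricted DIR 'COMMAND': run COMMAND in bash -r with DIR as the only
# PATH entry and an otherwise empty environment; returns the command's status.
run_restricted() {
    env -i PATH="$1" "$BASH_BIN" -r -c "$2" >/dev/null 2>&1
}

# kind_of DIR NAME: how the restricted shell resolves NAME (file, builtin, ...).
kind_of() {
    env -i PATH="$1" "$BASH_BIN" -r -c "type -t $2" 2>/dev/null
}

ROOT=$(mktemp -d)
make_group_bin "$ROOT/groupA" ls cat
make_group_bin "$ROOT/groupB" cat kill

# Report what each group's restricted shell can reach (empty = not found).
for g in groupA groupB; do
    for c in ls cat kill; do
        printf '%s %-5s %s\n' "$g" "$c" "$(kind_of "$ROOT/$g" "$c" || true)"
    done
done
```

For groupA, kill is reported as `builtin` even though no symlink exists for it, which is the caveat raised in the comments: a PATH of symlinks only limits on-disk commands.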
