Is it possible to forbid a specific user from executing files in /usr/bin without changing all files' permissions to 750?
Use ACLs to remove the permissions. In this case, you don't need to modify the permissions of all the executables; just remove the execute permission from /usr/bin/ to disallow traversal of that directory and therefore access to any files within.
setfacl -m u:guest:r /usr/bin
This sets the permissions of user guest to just read for the directory /usr/bin, so they can ls that directory but not access anything within.
You could also just remove all permissions:
setfacl -m u:guest:- /usr/bin
What are you trying to do? Forbidding use of the system's standard commands to some user is just uncivil behavior in the extreme... commands that could put the system in jeopardy are few and far between, and have been carefully vetted for security. The permissions on files should stop most attempts at mischief.
- Consider giving them a restricted shell (check the manuals; it is probably named something like rbash; careful though, rsh is a different kind of animal!). They cage the user rather effectively (but watch out, it is possible to break out!).
- If this is a pseudo-user in charge of owning some service, the common way out is to give the "user" a shell that does nothing, like /bin/true (check your system's manual for any recommendations in this line; there might be a special program for this; if /bin/true is a shell script, don't use it for this). That way, if somebody manages to log in to that account, their session finishes immediately.
- Create a chroot for them (again, there are ways to break out), or use Linux containers or BSD jails to confine them, and just expose exactly what you want them to see. Most control, but messy to set up and keep up to date.