In the previous article, we learned how to run commands in a directory as root via sudo. In this guide, we will see how to prevent command arguments with sudo in Linux. Meaning - we allow an user to run commands with sudo, but without command arguments.
Table of Contents
Introduction
As you know already, each command has different options to perform a specific action. Let us take "ls
" command as an example.
The ls
command is used to list directory contents, right? Yes. The ls command ships with many command-line options and flags. For instance, you can use -a
flag with ls
command to list all contents(i.e. including the hidden files) in a directory.
In this brief tutorial, we will see how to allow an user to run ls
command via sudo, but only without the command line options or flags. Understood? Let me show you how to do it in the following sections.
Prevent Command Arguments With Sudo
Edit /etc/sudoers
file as root
user:
[root@Almalinux8CT ~]# visudo
Add the following line:
user1 ALL=(root) /usr/bin/ls ""
Notice the double quotes at the end of the ls
command in the above line. The double quotes prohibit the user from using the arguments of the given command (i.e. ls
command). As per the above line, the user1 can run the ls
command as root
, but can't use the ls
command's options/flags. You can use some other command of your choice. Save the file and close it.
Now, log out from the root session and login as user1 and try to run ls
command with any options as root via sudo from user1 session:
[user1@Almalinux8CT ~]$ sudo -u root ls -a
You will encounter with the following error:
Sorry, user user1 is not allowed to execute '/bin/ls -a' as root on Almalinux8CT.
You can, however, run ls
command without its arguments:
[user1@Almalinux8CT ~]$ sudo -u root ls
Prohibit Command Arguments With Sudo For All Users
The above example showed you how to deny an user to execute a command with its arguments as root
user. What if you want to apply this rule to all users? Simple! Just add the following line in the /etc/sudoers
file:
ALL ALL=(root) /usr/bin/ls ""
Now all users in your Linux machine can't run ls
command with its flags.
To revert back to the default setting, just remove the command along with the double quotes. Or, remove the whole line.
For more details, refer the man pages.
$ man sudoers
Conclusion
In this guide, we learned how to allow an user to run a command using sudo, but prevent them from adding any arguments to the command. This way we can restrict the users from misusing any commandline arguments.