In the previous article, we learned how to run commands in a directory as root via sudo. In this guide, we will see how to prevent command arguments with sudo in Linux. Meaning - we allow an user to run commands with sudo, but without command arguments.
As you know already, each command has different options to perform a specific action. Let us take "
ls" command as an example.
ls command is used to list directory contents, right? Yes. The ls command ships with many command-line options and flags. For instance, you can use
-a flag with
ls command to list all contents(i.e. including the hidden files) in a directory.
In this brief tutorial, we will see how to allow an user to run
ls command via sudo, but only without the command line options or flags. Understood? Let me show you how to do it in the following sections.
Prevent Command Arguments With Sudo
/etc/sudoers file as
[root@Almalinux8CT ~]# visudo
Add the following line:
user1 ALL=(root) /usr/bin/ls ""
Notice the double quotes at the end of the
ls command in the above line. The double quotes prohibit the user from using the arguments of the given command (i.e.
ls command). As per the above line, the user1 can run the
ls command as
root, but can't use the
ls command's options/flags. You can use some other command of your choice. Save the file and close it.
Now, log out from the root session and login as user1 and try to run
ls command with any options as root via sudo from user1 session:
[user1@Almalinux8CT ~]$ sudo -u root ls -a
You will encounter with the following error:
Sorry, user user1 is not allowed to execute '/bin/ls -a' as root on Almalinux8CT.
You can, however, run
ls command without its arguments:
[user1@Almalinux8CT ~]$ sudo -u root ls
Prohibit Command Arguments With Sudo For All Users
The above example showed you how to deny an user to execute a command with its arguments as
root user. What if you want to apply this rule to all users? Simple! Just add the following line in the
ALL ALL=(root) /usr/bin/ls ""
Now all users in your Linux machine can't run
ls command with its flags.
To revert back to the default setting, just remove the command along with the double quotes. Or, remove the whole line.
For more details, refer the man pages.
$ man sudoers
In this guide, we learned how to allow an user to run a command using sudo, but prevent them from adding any arguments to the command. This way we can restrict the users from misusing any commandline arguments.