
How To Prevent Command Arguments With Sudo In Linux

Allow a user to run commands with sudo, but without command arguments.

By sk

In the previous article, we learned how to run commands in a directory as root via sudo. In this guide, we will see how to prevent command arguments with sudo in Linux. That is, we allow a user to run commands with sudo, but without command arguments.

Introduction

As you already know, each command has different options to perform a specific action. Let us take the "ls" command as an example.

The ls command is used to list directory contents, right? Yes. The ls command ships with many command-line options and flags. For instance, you can use the -a flag with the ls command to list all contents (i.e. including the hidden files) in a directory.

In this brief tutorial, we will see how to allow a user to run the ls command via sudo, but only without the command-line options or flags. Understood? Let me show you how to do it in the following sections.

Prevent Command Arguments With Sudo

Edit the /etc/sudoers file as the root user:

[root@Almalinux8CT ~]# visudo

Add the following line:

user1   ALL=(root)      /usr/bin/ls ""

Notice the double quotes at the end of the ls command in the above line. In sudoers, an empty string ("") after a command means the command may only be run without any command-line arguments. As per the above line, user1 can run the ls command as root, but can't use the ls command's options/flags. You can use some other command of your choice. Save the file and close it.

Now, log out from the root session, log in as user1, and try to run the ls command with any options as root via sudo from the user1 session:

[user1@Almalinux8CT ~]$ sudo -u root ls -a

You will encounter the following error:

Sorry, user user1 is not allowed to execute '/bin/ls -a' as root on Almalinux8CT.

You can, however, run the ls command without its arguments:

[user1@Almalinux8CT ~]$ sudo -u root ls

Prohibit Command Arguments With Sudo For All Users

The above example showed you how to deny a user from executing a command with its arguments as the root user. What if you want to apply this rule to all users? Simple! Just add the following line to the /etc/sudoers file:

ALL   ALL=(root)      /usr/bin/ls ""

Now all users on your Linux machine can't run the ls command with its flags.

To revert to the default setting, just remove the command along with the double quotes, or remove the whole line.
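To see which rules in a sudoers file actually carry the "" restriction described above, the following audit script classifies each command by how its arguments are limited. It is an added example, not part of the original article: the function names and every sample rule other than the two ls lines from this guide are constructed, and it assumes single-line rules (no line continuations) and does not resolve aliases.

```shell
#!/bin/sh
# Added example: report how each command in simple sudoers rules restricts
# arguments. Reads rules on stdin, prints "<who> <command> <class>":
#   no-args (command ""), any-args (bare path), fixed-args (listed args only),
#   any-command (ALL), not-a-path (alias or other word, not resolved here).
audit_sudoers_args() {
    awk '
    /^[ \t]*[#@]/ || /^[ \t]*$/ { next }            # comments, includes, blanks
    /^[ \t]*Defaults/ || /^[ \t]*[A-Za-z]+_Alias[ \t]/ { next }
    {
        if ((eq = index($0, "=")) == 0) next
        who = $1; spec = substr($0, eq + 1)
        ph = sprintf("%c", 1)
        gsub(/\\,/, ph, spec)                       # protect escaped commas
        n = split(spec, cmds, ",")
        for (i = 1; i <= n; i++) {
            c = cmds[i]
            gsub(ph, ",", c)
            sub(/^[ \t]*\([^)]*\)/, "", c)          # drop a (runas) prefix
            while (sub(/^[ \t]*[A-Z_]+:/, "", c)) { } # drop tags like NOPASSWD:
            gsub(/^[ \t]+|[ \t]+$/, "", c)
            if (c == "") continue
            path = c; rest = ""
            if (match(c, /[ \t]+/)) {
                path = substr(c, 1, RSTART - 1)
                rest = substr(c, RSTART + RLENGTH)
            }
            if (path == "ALL")                   cls = "any-command"
            else if (substr(path, 1, 1) != "/")  cls = "not-a-path"
            else if (rest == "\"\"")             cls = "no-args"
            else if (rest == "")                 cls = "any-args"
            else                                 cls = "fixed-args"
            printf "%s %s %s\n", who, path, cls
        }
    }'
}

# Constructed sample: the first two rules are from this guide, the rest are made up.
sample_sudoers() {
    cat <<'EOF'
user1   ALL=(root)      /usr/bin/ls ""
ALL     ALL=(root)      /usr/bin/ls ""
user2   ALL=(root)      /usr/bin/ls
user3   ALL=(root) NOPASSWD: /usr/bin/ls -l /var/log, /usr/bin/cat ""
%wheel  ALL=(ALL)       ALL
EOF
}

sample_sudoers | audit_sudoers_args
```

Lines reported as any-args are the rules that the "" suffix from this guide would tighten; run the function as root over /etc/sudoers and the files in /etc/sudoers.d to review real rules.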

For more details, refer to the man pages.

$ man sudoers

Conclusion

In this guide, we learned how to allow a user to run a command using sudo, but prevent them from adding any arguments to the command. This way we can restrict users from misusing any command-line arguments.
