2

What user and group should I chown it to? All admins are in 'admins' group. How do I chmod it?

  • 2
    Why do you want to do that? Security doesn't come from making commands non-executable, it comes from the kernel preventing commands not running as root to do certain things. For example, if you want to prevent users from seeing each other's processes, preventing them from running ps is useless (ps is just a friendly formatter for information in /proc). What you need is to make the information restricted in the first place. – Gilles 'SO- stop being evil' Apr 23 '11 at 12:30

2 Answers2

1

Most likely you just need to remove the world-executable permission:

sudo chmod o-x $(which command)

If the binary is owned by some group other than root, you probably want to set that to:

sudo chgrp root $(which command)
Caleb
  • 70,105
  • Is there a way to have a user get 'bash: blah: command not found' instead of 'bash: /usr/bin/blah: Permission denied'? @Caleb –  Apr 23 '11 at 11:42
  • 2
    Not unless you move the command from the users $PATH and into something that is only in admin users $PATH. Generally it is a bad idea to move executable from their system installed defaults. You can do it, but think twice because you are going to make a real admin mess for yourself or somebody else down the road. – Caleb Apr 23 '11 at 11:58
  • 1
    @G26: Put in in /usr/local/sbin rather than /usr/local/bin. (If it was a standard system command in /usr/bin or /bin, you shouldn't do anything to it. – Gilles 'SO- stop being evil' Apr 23 '11 at 12:29
1

If it's a command from a Debian package, and not setuid, there's nothing you can do to prevent them from downloading the package, extracting the command and running it. If you shut down all the tools to download programs from the net, they can copy or write code to do the same thing. Ultimately, you need a very restricted interface, or you need to get the kernel to treat what you want not done as something only root can do.

prosfilaes
  • 111