3

I know how to restrict standard users from running a command by removing execute permissions for that command. But is it possible to restrict standard users from running a command with a specific option/argument?

For example a standard user should be able to run the following command:

ls

but not:

ls -l

I think that this should be possible, since there are some commands like chsh or passwd which a standard user can run, but he gets permission denied when he runs chsh root or passwd -a -S.

3 Answers

3

I think the only way would be to write your own wrapper to the command/utility in question and have it decide what is allowed or not allowed based on the (E)UID of the user who started it. The tools you mention that do this such as chsh or passwd have this functionality built into their implementation.

How to write a wrapper for ls

#!/usr/bin/perl

use strict;
use warnings;

my $real_ls         = '/new/path/to/ls';         # the original ls, outside the user's PATH
my $problematic_uid = 1000;                      # For example
my $is_problematic  = $< == $problematic_uid;    # $< is the real UID of the caller

# True if any argument is -l or a bundled cluster of short options containing l (e.g. -la)
my $uses_l = grep { /^-[^-]*l/ } @ARGV;

if ($is_problematic and $uses_l) {
    die "Sorry, you are not allowed to use the -l option to ls\n";
}

# Indirect-object form of exec: argv[0] is 'ls', the arguments are passed as a
# list, and no shell is involved in interpreting them
exec { $real_ls } 'ls', @ARGV
    or die "Cannot execute $real_ls: $!\n";

You need to ensure that the path to the original ls isn't in your user's PATH, which is why I wrote /new/path/to/ls. The problem is, this wrapper requires that your user be able to execute the original ls, so the user may still circumvent it by calling the original ls directly.

Joseph R.
  • @RaduRădeanu Sure. Give me a few minutes to skim through man sudoers and post back here. I know that this is possible from a previous reading of the page but I forgot the mechanics of it. – Joseph R. Sep 23 '13 at 20:35
  • @RaduRădeanu It seems this won't work for your use case. The sudoers page says if you specify command line arguments then this is the only version of the command the user is allowed to run through sudo, which is different to what you want. My bad... – Joseph R. Sep 23 '13 at 20:43
  • I was thinking about that, also... But what about writing your own wrapper to the command...? How can I do this? Honestly, this is the first time I have heard of something like this. – Radu Rădeanu Sep 23 '13 at 20:48
  • @JosephR. you would have to specify all possible combinations of the options. While this looks impossible for commands like ls, tar or ps, it could work with a subset of options, if they are at least sorted in a wrapper. – peterph Sep 23 '13 at 20:55
  • @RaduRădeanu a wrapper is a simple executable (usually in a scripted language) that (often) has the same name as the target executable, but precedes it during command lookup (e.g. it is in a directory that appears in PATH earlier than the target). In your case however, this is quite problematic, since you don't want to allow access to the target executable - yet it has to be accessible to the wrapper. – peterph Sep 23 '13 at 20:59
  • @RaduRădeanu I agree with peterph. See the updated answer, please. – Joseph R. Sep 23 '13 at 21:11
  • @RaduRădeanu done. Thanks for pointing it out. – Joseph R. Sep 24 '13 at 11:47
3

Commands like chsh and passwd are coded specially. They run with extra privileges (they're setuid root) and contain their own authorization mechanism. Both check which user is invoking them, and allow non-root users only a subset of their functionality.

chsh and passwd are the exception. Most commands don't care who invokes them.

Forbidding users from running one particular command is pointless: they can do whatever that command does in some other way, such as by supplying their own executable.

You can make a restricted account that is only allowed to run a whitelisted set of commands: with a restricted shell, or for data-transfer-only accounts, rssh or scponly.

If you want to allow a user to run a certain command with elevated privileges (typically via sudo), but only for certain combinations of options, then write a wrapper script that checks the options and allow the user to run that wrapper script.
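The wrapper-under-sudo approach described in this answer, combined with the check on the invoking user from Joseph R.'s answer above, as an added worked example; this is not code from either answer. It assumes a placeholder path for the real binary, a constructed per-user option table, and that the wrapper is reached only through sudo, which sets SUDO_USER to the invoking account (the process itself runs as root, so checking the real UID would always see 0).

```python
#!/usr/bin/env python3
"""Option-whitelisting wrapper: the only form of a privileged command a user may run.

Added example; the real-binary path, the option policy and the user names are
assumptions and placeholders, not values from the original answers.
"""
import os
import sys

# Placeholder path to the real binary. It must not be directly executable by the
# restricted user, otherwise the wrapper is simply bypassed.
REAL_COMMAND = "/usr/bin/ls"

# Policy: the short option letters each invoking user may use. Anything not
# listed is refused. Users absent from the table get the "default" set.
ALLOWED_OPTIONS = {
    "default": {"a", "1", "d"},
    "admin": {"a", "1", "d", "l", "R"},   # constructed example account
}


def invoking_user():
    """Under sudo the process runs as root; the real caller is in SUDO_USER."""
    return os.environ.get("SUDO_USER") or os.environ.get("USER", "")


def check_args(args, allowed):
    """Return (ok, reason).

    Each argument is examined on its own and never re-parsed by a shell, so
    quoting tricks cannot smuggle an option through. Bundled short options
    such as -la are split into letters; long options are refused outright;
    everything after a literal "--" is an operand, as ls itself treats it.
    """
    for arg in args:
        if arg == "--":
            break
        if arg.startswith("--"):
            return False, f"long option not permitted: {arg}"
        if arg.startswith("-") and len(arg) > 1:
            for letter in arg[1:]:
                if letter not in allowed:
                    return False, f"option -{letter} not permitted"
    return True, ""


def main(argv):
    user = invoking_user()
    allowed = ALLOWED_OPTIONS.get(user, ALLOWED_OPTIONS["default"])
    ok, reason = check_args(argv, allowed)
    if not ok:
        sys.stderr.write(f"{os.path.basename(sys.argv[0])}: {reason}\n")
        return 1
    # execv takes an argument list, so nothing here is interpreted by a shell.
    os.execv(REAL_COMMAND, [REAL_COMMAND] + argv)


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

A sudoers entry along the lines of `radu ALL = (root) /usr/local/sbin/ls-wrapper` (account and path are assumptions) makes the wrapper the only thing that account can run as root through sudo; the binary at REAL_COMMAND must then not be runnable by that account directly, which is exactly the circumvention Joseph R.'s answer warns about. Because every argument is checked individually and handed to execv as a list, the wrapper never builds a command string for a shell to interpret.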

2

Rahul's answer is relevant to your question, because what you want is a) not a good idea and b) probably only possible by creating a custom shell. Executables like ls are separate, stand-alone programs that handle their arguments by themselves - if you'd want to prevent users from using ls -l, you would have to write and compile your own custom ls. As you can probably imagine, that would not be easy and it would also take a lot of time, because you have to do that for every single command that you want to change.

You could maybe try to replace the whole shell (in your case probably bash) completely with a different shell that filters the commands of your users. For example, it could try to remove the -l from ls command lines before actually calling ls. This isn't as easy as it sounds though, because shells and also the commands that you can run from a shell usually have a very powerful and complex syntax, and trying to filter that will probably leave holes and break stuff.

I think that this should be possible, since there are some commands like chsh or passwd which a standard user can run, but he gets permission denied when he runs chsh root or passwd -a -S.

That's something else entirely, because these programs are written that way. If you'd want to change their behaviour just as you want to change the behaviour of ls, you would have to modify their source code and recompile them.

  • It wouldn't be that difficult, since removing an option is much easier than adding one (usually you just need to comment out a couple of lines of code). – peterph Sep 23 '13 at 21:02
  • Still, it sounds like an insanely bad idea to me, just like "hey, let's disable the desktop icons and the command prompt on the Windows workstations of our users, cause you know, that stuff is DANGEROUS". I really dislike that approach. – Martin von Wittich Sep 23 '13 at 21:24
  • Well, restricting access to a narrow set of commands definitely makes sense under some circumstances. Restricting use of some options for ls and similar sounds like quite a silly idea indeed (the example of ls is definitely a bad one). But for some commands it might make sense as well - cf. http://unix.stackexchange.com/questions/91214/how-to-create-a-user-account-with-specific-permissions – peterph Sep 24 '13 at 08:49