Use the traditional Unix groups concept to enhance security, including restricting access to a given command.
Step # 1: Create and Maintain a Group For All Authorized Users
Create a group named appsonly:
# groupadd appsonly
Add all authorized users to appsonly:
# usermod -aG {groupName} {userName}
# usermod -aG appsonly tom
# usermod -aG appsonly jerry
# id jerry
Where,
- -a : Add the user to the supplemental group(s) i.e. appends the user to the current supplementary group list.
- -G : A list of supplementary groups which the user is also a member of.
Step # 2: Restrict Access
Now a group of users has been created. Next, use the chgrp command to change the group of /opt/apps/start to the appsonly group:
# chgrp {groupName} {/path/to/command}
# chgrp appsonly /opt/apps/start
Disable the file permission for others
Finally, use the chmod command to change the file permission as follows:
# chmod 750 /path/to/command
# chmod 750 /opt/apps/start
You can also apply the permissions to the directory (this will disable ls command access for others; the directory needs the execute bit so that group members can still enter it):
# chgrp appsonly /opt/apps
# chmod 0750 /opt/apps
Step # 3: Test It
su to tom, enter:
# su - tom
$ id
$ /opt/apps/start
$ exit
su to vivek (not a member of the appsonly group), enter:
# su - vivek
$ id
$ /opt/apps/start
Sample outputs:
bash: /opt/apps/start: Permission denied
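To check the result of Step # 2 without switching users, the following added example (not part of the original tutorial) audits a path's group and mode and reports anything that would defeat the restriction or lock out the group. The function name check_restricted is hypothetical and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes GNU stat (-c format).
# Usage: check_restricted /opt/apps/start appsonly
check_restricted() {
    cr_path=$1; cr_group=$2; cr_rc=0
    if [ ! -e "$cr_path" ]; then
        echo "FAIL $cr_path: does not exist"
        return 1
    fi
    cr_mode=$(stat -c '%a' "$cr_path")    # octal mode, e.g. 750
    cr_owner=$(stat -c '%G' "$cr_path")   # owning group name
    cr_gbits=$(( (0$cr_mode >> 3) & 7 ))  # group rwx bits
    cr_obits=$(( 0$cr_mode & 7 ))         # "others" rwx bits

    if [ "$cr_owner" != "$cr_group" ]; then
        echo "FAIL $cr_path: group is $cr_owner, expected $cr_group"
        cr_rc=1
    fi
    if [ "$cr_obits" -ne 0 ]; then
        echo "FAIL $cr_path: mode $cr_mode still grants access to others"
        cr_rc=1
    fi
    # Execute bit: run permission on a file, search permission on a directory.
    if [ $(( cr_gbits & 1 )) -eq 0 ]; then
        if [ -d "$cr_path" ]; then
            echo "FAIL $cr_path: group cannot enter directory (mode $cr_mode)"
        else
            echo "FAIL $cr_path: group cannot execute file (mode $cr_mode)"
        fi
        cr_rc=1
    fi
    if [ "$cr_rc" -eq 0 ]; then
        echo "OK   $cr_path: $cr_mode, group $cr_group"
    fi
    return "$cr_rc"
}
```

Run it against both /opt/apps/start and /opt/apps; a non-zero return status means at least one FAIL line was printed.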
A Note About ACL and SELinux
The access control policies that can be enforced by the chmod, chgrp, and usermod commands are limited; configuring SELinux and file system ACLs (access control lists) is a better and recommended option for large deployments.