Allowing/denying apps per user on Linux

0

Is there a way, long if need be, to have a whitelist on Linux Mint for one or multiple groups/users of the applications that they can open? Example: User 1 and User 2 can only open Firefox, whereas User 3 can open Firefox and LibreOffice. Everything else is restricted to all users except for User 4, who can open and do whatever he wants.

rvcabc

Posted 2017-07-21T16:44:30.310

Reputation: 1

Answers

1

The classic way to control who can run a given executable foo is like this:

  1. With chown, make the foo executable belong to the foo group.
  2. With chmod, set the permissions so that only the owner and the group can execute the file.
  3. Assign users to groups as you wish.

This is not a good solution if you need to do this for many (all?) executable files in your system. If you want to restrict a given user to a narrow set of possible commands then you should research the topic of restricted shell.

I have found bdsh. Looks promising (although I have never used it myself):

bdsh is a shell where you whitelist commands and only those commands can be executed.

Some other (newer?) similar solutions may exist.


EDIT: also read How to limit user commands in Linux on Stack Overflow.

Kamil Maciorowski

Posted 2017-07-21T16:44:30.310

Reputation: 38 429
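The three steps above, carried out as a script. This is an added example, not code from the answer or its author: it runs on a throwaway executable in a temporary directory using the caller's own primary group, so it needs no root and touches no system file; the commented-out commands show what the same steps look like on a real binary such as `/usr/bin/firefox`, where the group name `firefox-users` is an assumed placeholder. Note that this only governs that one file, which is why the answer points to a restricted shell when many programs are involved.

```shell
#!/bin/sh
# Added example (not from the answer above): group-based execute restriction.

# restrict_exec FILE GROUP -> hand FILE to GROUP and clear every bit for "others",
# so only the owner and members of GROUP can execute it (mode 750).
restrict_exec() {
    file="$1"; group="$2"
    chgrp "$group" "$file"   # step 1: make the executable belong to the group
    chmod 750 "$file"        # step 2: owner rwx, group r-x, others nothing
}

# file_mode FILE -> numeric mode as printed by GNU/busybox stat, e.g. 750
file_mode() { stat -c %a "$1"; }

# others_can_exec FILE -> prints 1 if the "others" execute bit is set, else 0
others_can_exec() {
    mode=$(file_mode "$1")
    case "${mode#${mode%?}}" in     # last octal digit = permissions for "others"
        1|3|5|7) echo 1 ;;
        *)       echo 0 ;;
    esac
}

# Demo on a constructed executable in a temp dir (cleaned up on exit).
# The real procedure targets the system binary and needs root, e.g.:
#   sudo groupadd firefox-users                      # placeholder group name
#   sudo chgrp firefox-users /usr/bin/firefox
#   sudo chmod 750 /usr/bin/firefox
#   sudo usermod -aG firefox-users user3             # step 3: enrol allowed users
demo_dir=$(mktemp -d); trap 'rm -rf "$demo_dir"' EXIT
demo_bin="$demo_dir/foo"
printf '#!/bin/sh\necho running foo\n' > "$demo_bin"
chmod 755 "$demo_bin"                               # world-executable to start with
restrict_exec "$demo_bin" "$(id -gn)"               # caller's primary group: no root needed
echo "$demo_bin: mode $(file_mode "$demo_bin"), others-can-exec=$(others_can_exec "$demo_bin")"
```

Users who are not in the group get "Permission denied" when they try to run the file; users added with `usermod -aG` need to log in again before the new group membership takes effect.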

Would that allow them to only open Firefox? I understand chmod, but chown is a little more confusing to me. – rvcabc – 2017-07-21T17:01:34.480

Sorry. I've been working on this for months and words are getting mixed up in my head. I need to make an account that can only access a specific program. Everything else needs to be blocked. I'm setting up a small school system at my job. I need every computer to connect to a DC; however, I don't want them bypassing that by just using the Linux computer's programs. If that makes sense. – rvcabc – 2017-07-21T17:10:18.767

@rvcabc What do you mean: "DC"? I want to be sure there's no XY problem here.

– Kamil Maciorowski – 2017-07-21T17:30:26.590

That sounds about right. By DC I mean domain controller. – rvcabc – 2017-07-21T17:34:32.183

@rvcabc Well, my answer may not be the best possible. I think you should edit your question and place all these explanation there. They really helped me to understand your problem better. Other users should see them in the question body, they won't read all the comments. After you do this, you may delete your comments here. – Kamil Maciorowski – 2017-07-21T17:40:03.943

@rvcabc I added a link to another question, check it out. – Kamil Maciorowski – 2017-07-21T17:50:09.213

0

Not tested but possible solution:

  1. Remove the 'executable' bit for general users on /usr/bin (and maybe some others); this prevents them from reading anything in /usr/bin.
  2. Create a directory with hardlinks to the authorized apps in /usr/bin.
  3. Set their PATH to point to it.

xenoid

Posted 2017-07-21T16:44:30.310

Reputation: 7 552
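The hardlink-directory idea above, as an added example that is not part of the answer: it builds a stand-in for /usr/bin and an "allowed" directory inside a temporary folder (constructed data, no root required), hardlinks only the permitted app into it, and shows what a PATH limited to that directory resolves. The names `make_allowed_dir` and `resolve_with_path` are assumptions for this example. Hardlinks only work when the allowed directory sits on the same filesystem as /usr/bin, and a user whose PATH omits /bin, /usr/local/bin and similar can still run a binary they copied into their home directory, so this hides the system programs rather than enforcing the policy.

```shell
#!/bin/sh
# Added example (not from the answer above): per-user allowed-apps directory
# made of hardlinks, plus a PATH that points only at it.

# make_allowed_dir SYSBIN ALLOWED_DIR APP... -> hardlink each APP from SYSBIN into ALLOWED_DIR
make_allowed_dir() {
    sysbin="$1"; allowed="$2"; shift 2
    mkdir -p "$allowed"
    for app in "$@"; do
        # a hardlink shares the inode, so it keeps working after SYSBIN loses its x bit
        ln "$sysbin/$app" "$allowed/$app"
    done
}

# resolve_with_path APP ALLOWED_DIR -> path a PATH lookup limited to ALLOWED_DIR finds, or "none"
resolve_with_path() {
    ( PATH="$2"; command -v "$1" 2>/dev/null ) || echo none
}

# same_inode A B -> success if A and B are hardlinks to the same file
same_inode() { [ "$(stat -c %i "$1")" = "$(stat -c %i "$2")" ]; }

demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
sysbin="$demo/usr-bin"                       # constructed stand-in for /usr/bin
mkdir -p "$sysbin"
for app in firefox libreoffice; do           # constructed stand-ins for the two apps
    printf '#!/bin/sh\necho %s\n' "$app" > "$sysbin/$app"
    chmod 755 "$sysbin/$app"
done

allowed="$demo/allowed-user1"
make_allowed_dir "$sysbin" "$allowed" firefox   # step 2: user 1 may only run firefox
chmod 750 "$sysbin"                              # step 1: others can no longer traverse "/usr/bin"
                                                 # (the owner still can, which is what this demo relies on)
echo "firefox     -> $(resolve_with_path firefox "$allowed")"       # found via the hardlink
echo "libreoffice -> $(resolve_with_path libreoffice "$allowed")"   # none
```

Step 3 for a real account would be `PATH="$allowed"` in that user's shell profile; keep in mind that a user who can edit their own profile can also change PATH back, so the directory permission from step 1 is what actually does the blocking.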