Is it possible to forbid a specific user from executing files on /usr/bin without changing all files permission to 750?

Question

I understand the concept of managing permissions on Linux with chmod using the first digit as the user, the second as the group and the third as other users as described on this answer in Understanding UNIX permissions and file types.

Let's say I have a Linux system with 5 users: admin, usera, userb, userc and guest. By default, the users usera, userb and userc will have execution permission on all files inside /usr/bin, so these users can use the command line of the system executing the files in there as those files have 755 permission. So far it's completely ok. However, I'd like to forbid the user guest from executing files on the folder /usr/bin, I know I could achieve that by changing the permission of all files inside this folder to something like 750 with chmod, but if I do that I'll mess up the permissions of the users usera, userb and userc because they will be also forbidden to execute files.

On my computer, all the files in /usr/bin belong to the group root, so I know I could create a newgroup, change the group of all those files to it and add usera, userb and userc to newgroup. But doing that sounds like way too much modification on the system's default settings. Does anyone know a smarter way of solving this problem?

How can I forbid a single user from using the command line (or executing any file on PATH) without an overcomplicated solution that requires changing the permissions of too many files?

Answer 1

Use ACLs to remove the permissions. In this case, you don't need to modify the permissions of all the executables; just remove the execute permission from /usr/bin/ to disallow traversal of that directory and therefore access of any files within.

setfacl -m u:guest:r /usr/bin

This sets the permissions of user guest to just read for the directory /usr/bin, so they can ls that directory but not access anything within.

You could also just remove all permissions:

setfacl -m u:guest:- /usr/bin

Answer 2

What are you trying to do? Forbidding use of the system's standard commands to some user is just incivil behavior in the extreme... commands that could put the system in jeopardy are far in between, and have been carefully vetted for security. The permissions on files should stop most attempts at mischief.

• Consider giving them a restricted shell (check the manuals, it is probably named something like rbash; careful though, rsh is a different kind of animal!). They cage the user rather effectively (but watch out, it is possible to break out!)
• If this is a pseudo-user in charge of owning some service, the common way out is to give the "user" a shell that does nothing, like /bin/true (check your system's manual for any recommendations in this line, there might be a special program for this; if /bin/true is a shell script don't use it for this). That way, if somebody manages to log in to that account, their session finishes immediately.
• Create a chrootfor them (again, there are ways to break out), or use Linux' containers of BSD's jails to confine them, and just expose exactly what you want them to see. Most control, but messy to set up and keep up to date.