diff --git a/sources/tech/20220915 How To Prevent Command Arguments With Sudo In Linux.md b/sources/tech/20220915 How To Prevent Command Arguments With Sudo In Linux.md new file mode 100644 index 0000000000..2fc8d97483 --- /dev/null +++ b/sources/tech/20220915 How To Prevent Command Arguments With Sudo In Linux.md @@ -0,0 +1,106 @@ +[#]: subject: "How To Prevent Command Arguments With Sudo In Linux" +[#]: via: "https://ostechnix.com/prevent-command-arguments-with-sudo/" +[#]: author: "sk https://ostechnix.com/author/sk/" +[#]: collector: "lkxed" +[#]: translator: " " +[#]: reviewer: " " +[#]: publisher: " " +[#]: url: " " + +How To Prevent Command Arguments With Sudo In Linux +====== +Allow an user to run commands with sudo, but without command arguments. + +In the previous article, we learned how to **[run commands in a directory as root via sudo][1]**. In this guide, we will see how to **prevent command arguments with sudo** in Linux. Meaning - we allow an user to run commands with sudo, but **without command arguments**. + +#### Contents + +1. Introduction +2. Prevent Command Arguments With Sudo +3. Prohibit Command Arguments With Sudo For All Users +4. Conclusion + +### Introduction + +As you know already, each command has different options to perform a specific action. Let us take **"ls"** command as an example. + +The `ls` command is used to list directory contents, right? Yes. The ls command ships with many command-line options and flags. For instance, you can use `-a` flag with `ls` command to list all contents(i.e. including the hidden files) in a directory. + +In this brief tutorial, we will see how to allow an user to run `ls` command via sudo, but only without the command line options or flags. Understood? Let me show you how to do it in the following sections. + +### Prevent Command Arguments With Sudo + +Edit `/etc/sudoers` file as `root` user: + +``` +[root@Almalinux8CT ~]# visudo +``` + +Add the following line: + +``` +user1 ALL=(root) /usr/bin/ls "" +``` + +![Deny Command Arguments With Sudo][2] + +**Notice the double quotes** at the end of the `ls` command in the above line. The double quotes prohibit the user from using the arguments of the given command (i.e. `ls` command). As per the above line, the user1 can run the `ls` command as `root`, but can't use the `ls` command's options/flags. You can use some other command of your choice. Save the file and close it. + +Now, log out from the root session and login as user1 and try to run `ls` command with any options as root via sudo from user1 session: + +``` +[user1@Almalinux8CT ~]$ sudo -u root ls -a +``` + +You will encounter with the following error: + +``` +Sorry, user user1 is not allowed to execute '/bin/ls -a' as root on Almalinux8CT. +``` + +You can, however, run `ls` command without its arguments: + +``` +[user1@Almalinux8CT ~]$ sudo -u root ls +``` + +![Prevent Command Arguments With Sudo][3] + +### Prohibit Command Arguments With Sudo For All Users + +The above example showed you how to deny an user to execute a command with its arguments as `root` user. What if you want to apply this rule to all users? Simple! Just add the following line in the `/etc/sudoers` file: + +``` +ALL ALL=(root) /usr/bin/ls "" +``` + +Now all users in your Linux machine can't run `ls` command with its flags. + +To revert back to the default setting, just remove the command along with the double quotes. Or, remove the whole line. + +For more details, refer the man pages. + +``` +$ man sudoers +``` + +### Conclusion + +In this guide, we learned how to allow an user to run a command using sudo, but prevent them from adding any arguments to the command. This way we can restrict the users from misusing any commandline arguments. + +-------------------------------------------------------------------------------- + +via: https://ostechnix.com/prevent-command-arguments-with-sudo/ + +作者:[sk][a] +选题:[lkxed][b] +译者:[译者ID](https://github.com/译者ID) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]: https://ostechnix.com/author/sk/ +[b]: https://github.com/lkxed +[1]: https://ostechnix.com/run-programs-in-a-directory-via-sudo/ +[2]: https://ostechnix.com/wp-content/uploads/2022/09/Deny-Command-Arguments-With-Sudo.png +[3]: https://ostechnix.com/wp-content/uploads/2022/09/Prevent-Command-Arguments-With-Sudo.png