Blocking Specific Commands and Utilities in Sudo

Sudo is a mechanism that enables a system administrator to give regular users permission to execute certain commands that they would normally not be allowed to use.

Which user can do what is defined by the contents of /etc/sudoers. Typically you should use visudo to edit this file. So how do you prevent a user from using sudo to run specific commands in a subdirectory like /usr/bin but allow the user to run other commands in that same directory?

Here is one way of doing it:

# list of commands alice may not run
Cmnd_Alias     BANNED = /usr/bin/su, /usr/bin/ksh, usr/bin/zsh

# alice may run any commands in the directory /usr/bin/ except for those
# commands belonging to the BANNED Cmnd_Aliases.
alice          ALL = /usr/bin/, !BANNED

Comments are closed.