How to restrict a user from accessing a particular application?
I want to restrict an application from being opened under ordinary privileges. Only root shall run the application, so that contents won't be seen by others and they won't change anything.
There should be a better way to do this (maybe with AppArmor?) but you can always change the permissions of the executable. Suppose you want to disable access to nano. Its default permissions are as follows:
➜ ls -la /bin/nano
-rwxr-xr-x 1 root root 192008 Oct 1 15:12 /bin/nano
It can be executed by owner, group and others. To maintain only owner execution you can use:
sudo chmod g-x /bin/nano
sudo chmod o-x /bin/nano
After this, if you execute it in a terminal as an ordinary user:
➜ nano
bash: /usr/bin/nano: Permission denied
Please note that this is not a bullet-proof solution. If the application you want to lock has other entry points they could still be accessed. For example, if you tried the same trick with Firefox:
➜ ls -la /usr/bin/firefox
lrwxrwxrwx 1 root root 25 Jan 17 08:26 /usr/bin/firefox -> ../lib/firefox/firefox.sh
Even if you limited access to /usr/bin/firefox, as it is just a link to /usr/lib/firefox/firefox.sh it could still be executed from there (or using /usr/lib/firefox/firefox, which is used in the .sh file).
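One way to check the caveat above after running chmod, as an added example that is not part of the original answer: the script audits each entry point of an application and reports whether group or others can still execute the file it resolves to. The function names and the demo layout (a link, a wrapper script and a binary under a temporary directory) are constructed for illustration and mirror the Firefox case.

```shell
#!/bin/sh
# Added example: audit every entry point after "chmod g-x,o-x".
# The demo tree is constructed; it mirrors link -> wrapper script -> binary.

# Octal permission bits of the file a path finally resolves to (symlinks followed).
resolved_mode() {
    stat -L -c '%a' "$1"
}

# Exit 0 if group or others can still execute the resolved file, 1 if not.
group_or_other_exec() {
    mode=$(resolved_mode "$1") || return 2
    # 011 (octal) selects the group-execute and other-execute bits
    [ $(( 0$mode & 011 )) -ne 0 ]
}

# Print one line per entry point: OPEN or LOCKED, the path, the real file, its mode.
audit_entry_points() {
    for p in "$@"; do
        real=$(readlink -f "$p")
        if group_or_other_exec "$p"; then state=OPEN; else state=LOCKED; fi
        printf '%s %s -> %s (%s)\n' "$state" "$p" "$real" "$(resolved_mode "$p")"
    done
}

# Build the constructed layout: bin/app -> ../lib/app/app.sh, which runs lib/app/app.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/lib/app"
    printf '#!/bin/sh\necho real binary\n' > "$d/lib/app/app"
    printf '#!/bin/sh\nexec "$(dirname "$0")/app" "$@"\n' > "$d/lib/app/app.sh"
    chmod 755 "$d/lib/app/app" "$d/lib/app/app.sh"
    ln -s ../lib/app/app.sh "$d/bin/app"
    echo "$d"
}

demo=$(make_demo)
# chmod never changes a symlink itself; it changes the file the link points to.
chmod g-x,o-x "$demo/bin/app"
audit_entry_points "$demo/bin/app" "$demo/lib/app/app.sh" "$demo/lib/app/app"
rm -rf "$demo"
```

On the demo tree the link and the wrapper script report LOCKED while the binary the wrapper calls reports OPEN, so each path has to be audited and restricted separately.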