Operating System - HP-UX

How to restrict users from executing chown command?

Upul Edirisinghe
Contributor

How to restrict users from executing chown command?

Steven Sim Kok Leong
Honored Contributor

Re: How to restrict users from executing chown command?

Hi,

You can set ACL on the chown binary so that only userids in the ACL listing can execute the chown command.

ACL is available on HFS and JFS 3.3. See man chacl for the syntax of setting it. Example:

# chacl '(abc.%,r-x)(def.%,r-x)' `which chown`

i.e. Only the users abc and def can execute the chown command.

Hope this helps. Regards.

Steven Sim Kok Leong
Brainbench MVP for Unix Admin
http://www.brainbench.com

Re: How to restrict users from executing chown command?

This could help:

chmod 700 /bin/chown

Or set up a new group then change the group owner to the new one, then add the new group to the users you want to restrict chown.

Marco
Deshpande Prashant
Honored Contributor

Re: How to restrict users from executing chown command?

Hi
Change permission on /sbin/chown to 554. It will allow only root (members of the bin group) to execute this command.
# chmod 554 /sbin/chown
# ls -l /sbin/chown
r-xr-xr-- 1 bin bin 200704 Nov 7 1997 /sbin/chown.

Thanks.
Prashant Deshpande.
Take it as it comes.
Peggy Fong
Respected Contributor
Solution

Re: How to restrict users from executing chown command?

Hi
CHOWN is a global privilege (see setprivgrp(1m)); test to be sure this is what you want.

# getprivgrp
global privilege: chown

# echo -n > /etc/privgroup
# chmod 400 /etc/privgroup
To add CHOWN and other global commands for specific groups see the following example:

Example:
To add CHOWN and MLOCK for dba group or users.
echo dba CHOWN MLOCK >> /etc/privgroup

# /sbin/init.d/set_prvgrp start

# getprivgrp
global privileges:
dba: MLOCK CHOWN

HTH
Peggy
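
An added example, not part of the original thread: a small audit helper that reads a privgroup-style file and lists who would hold CHOWN once its entries are applied in order. The function name `chown_holders`, the entry semantics in the comments (my reading of setprivgrp(1M)) and the starting state are assumptions; the sample file is constructed to match the one built in the post above.

```shell
#!/bin/sh
# Added example: list who would hold the CHOWN privilege after the entries in
# a privgroup-style file are applied in order.
# Assumed entry forms (my reading of setprivgrp(1M)):
#   -n [PRIV ...]     revoke PRIVs (or everything) from all groups and globally
#   -g [PRIV ...]     set the global privilege list
#   GROUP [PRIV ...]  set GROUP's privilege list
# Assumed starting state: CHOWN is global, as in the first getprivgrp output.
chown_holders() {
    awk '
    BEGIN { global = 1 }
    NF == 0 { next }                      # skip blank lines
    {
        has = 0                           # does this entry name CHOWN?
        for (i = 2; i <= NF; i++) if (toupper($i) == "CHOWN") has = 1
    }
    $1 == "-n" {
        # bare -n revokes everything; -n CHOWN revokes CHOWN everywhere
        if (NF == 1 || has) { global = 0; split("", grp) }
        next
    }
    $1 == "-g" { global = has; next }
    { if (has) grp[$1] = 1; else delete grp[$1] }
    END {
        if (global) print "GLOBAL"        # every user may chown
        for (g in grp) print g
    }' "$1" | LC_ALL=C sort
}

# Constructed sample: the file the post builds. printf is used because
# "echo -n" writes nothing in shells where -n means "no newline".
sample=$(mktemp)
printf '%s\n' '-n' 'dba CHOWN MLOCK' > "$sample"
chown_holders "$sample"    # dba
rm -f "$sample"
```

A result of `GLOBAL` means any user can still change file ownership regardless of permissions on the chown binary.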