Permission Control for Programs Under Linux
Sometimes in a business a Linux PC will be used by more than one person. In these cases it may be desirable to have access control to some programs, such as Firefox. Yes, a company can create a usage policy to cover this. However, a usage policy is only as good as the enforcement of that policy. As well as creating a policy, why not also remove temptation by creating access control for some programs?
For our example we will use Firefox, mainly because web browsing can be a huge waste of time (which means money) and of network resources. Most companies do not pay employees to browse the web and post entries on their personal F???book page. Controlling access to Firefox will mitigate this problem. These instructions can be used for any program on a Linux-based desktop PC. Just substitute the proper path and file name for other programs in place of Firefox.
Simple Example
... to make Firefox available only to 'root' (administrator) or sudo users
- If running a GUI under X then open a terminal such as xterm, konsole or gnome-terminal and then switch to the root user:
$ su - root
Password:
[root@erartr ~]#
- Or log in as root at the console. If X is running, hold down Ctrl+Alt and press F1 to get to a console login.
- Find the location of the firefox executable.
Possible commands to use:
- locate firefox|grep usr/
Or a better one:
- find / -type f -iname firefox
- In our case on Mandriva Linux 2010.2 there is /usr/lib/firefox-3.6.18/firefox. This is linked to with /usr/bin/firefox, but we can ignore the link and just work on the "real" file:
-rwxr-xr-x 1 root root 96068 2011-06-21 12:10 /usr/lib/firefox-3.6.18/firefox
NOTE: When Firefox gets upgraded to a new release this process to restrict it will need to be done again.
- Issue the command:
- chmod 750 /usr/lib/firefox-*/firefox
The "*" will make this work no matter which version of Firefox is installed, or if multiple versions are installed.
- Now try to run the command as a regular user:
$ firefox
-bash: /usr/bin/firefox: Permission denied
- That is it. Only 'root' or users with 'sudo' access can run the program. In most sudo installs just adding a user to the wheel group gives access to all commands with sudo:
# usermod -a -G wheel gene
The -a option appends wheel to the user's existing supplementary groups; without it, usermod -G replaces them. This essentially makes the user gene an administrator who can run restricted programs, such as our newly restricted Firefox. If sudo is not installed, install it. On Mandriva one can install sudo with this command as root in a terminal (xterm, etc.): urpmi sudo
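The NOTE above says the restriction has to be redone after every Firefox upgrade. The script below is an added example, not part of the original article: it audits and re-applies mode 750 on every firefox executable under a given directory. It assumes GNU find and stat, and the script name restrict-firefox.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes GNU find and stat.

# Print "MODE OWNER:GROUP PATH" for every regular file named firefox under $1.
# Symlinks such as /usr/bin/firefox are skipped by -type f, as in the article.
list_firefox() {
    find "$1" -type f -iname firefox -exec stat -c '%a %U:%G %n' {} +
}

# Return 0 only if every match has mode 750; otherwise print the
# offending entries and return 1.
audit_firefox() {
    bad=$(list_firefox "$1" | awk '$1 != "750"')
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Re-apply chmod 750 to every match whose mode has drifted (for example
# after a package upgrade) and print each path that was changed.
restrict_firefox() {
    find "$1" -type f -iname firefox ! -perm 750 -print -exec chmod 750 {} \;
}

# Run as root with the directory to scan, e.g.:
#   sh restrict-firefox.sh /usr/lib
if [ "$#" -eq 1 ]; then
    restrict_firefox "$1"
    audit_firefox "$1" && echo "all firefox executables under $1 are mode 750"
fi
```

Check the OWNER:GROUP column of list_firefox as well: mode 750 lets every member of the file's group run the program, so the restriction depends on the file staying root:root as in the listing above.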
Simplified Steps for the Simple Example
Open a terminal
su - root
find / -type f -iname firefox
chmod 750 /path/to/your*/firefox
exit - from root
exit - from the terminal
More Complex Example
Coming soon ...

