commend df -h

[djcart]

I would like remove comand "df -h" for users. How can I do this?

 

[Richard G]

You could change the permission for example:
chmod 750 /usr/bin/df which removes public read and excute rights.

Ofcourse change to where your df binary is residing.

 

[djcart]

You could change the permission for example:
chmod 750 /usr/bin/df which removes public read and excute rights.

Ofcourse change to where your df binary is residing.

Thank you, it worked, but for admin DirectAdmin, while for the rest of the users, unfortunately not

 

[djcart]

[root@server hostline]# chmod 750 /usr/bin/df

[root@server bin]# getfacl /usr/bin/df
getfacl: Usunięcie wiodącego '/' ze ścieżek bezwzględnych
# file: usr/bin/df
# owner: root
# group: root
user::rwx
group::r-x
other::---

[root@server bin]#

 

[Richard G]

Yes, that is good right? Or still have problems?

 

[djcart]

Unfortunately there is still a problem. The lack of consent to execute the command occurs only in the DirectAdmin panel when I switch my admin account to a user. For all other users, the command is still available.

For example:

[root@server bin]# which df
/usr/bin/df

[aleksand@server ~]$ which df
/usr/bin/df

 

[Richard G]

the command is still available.

Yes visible, but not usable anymore for them.
The which df only shows the location, not if they can execute it or not.

If a user can execute it, then I don't know how as only root has rights to execute. Unless the jailshell copies it with permissions for them.
But then I don't know how to disable it.

@Zhenyapan do you have some idea about this?

 

[Zhenyapan]

@Richard G no, sorry. Also I don't see reason why to disable it? Who cares how much disk space total while user has own quota and it not over-limited.

 

[djcart]

@Richard G no, sorry. Also I don't see reason why to disable it? Who cares how much disk space total while user has own quota and it not over-limited.

It is of great importance. This is not a discussion about it

 

[johannes]

Thats indeed of great importance. I asked a similar question about the netstat command here https://forum.directadmin.com/threads/how-to-restrict-commands-in-terminal.67643/#post-356755 , where even jailed users were able to see other DA usernames (and possibly would be able to collect them). There is obviously a need to restrict certain shell commands from public usage or view. Even in jailed shell.

 

[Richard G]

where even jailed users were able to see other DA usernames

Yes that is indeed something of great importance. I don't see why blocking a command as df -h would be.
However, if somebody wants it blocked, it should be possible to block it.

 

[EthernetServers]

It's worth noting that it's easy to get around blocking something like df -h

For example, assuming the user has permission to execute PHP, they could use the disk_free_space function. This works and gives accurate results even on systems running things like CloudLinux and CageFS.

Even if the user doesn't have PHP access, there's plenty of other ways to find that information.

 

[zEitEr]

I would like remove comand "df -h" for users. How can I do this?

You might use jailshell then. See https://www.directadmin.com/features.php?id=2740