Serverspace accelerated the answering of support requests by 40%
June 27, 2023
Updated July 25, 2023

Restricting Linux user permissions

Debian Security

Linux is a significant part of modern network infrastructure that allows fine—grained control over system resources. One of the ways this control can be exercised is by restricting user permissions. By default, Linux systems are set up with a multi—user environment that allows multiple users to log in simultaneously and perform tasks on the system.

However, not all users require access to all system resources or have the same level of trustworthiness. To address these concerns, administrators can use various techniques to restrict user permissions so that each user has only the necessary level of access to perform their tasks. One of the software we consider in that instruction.


Restricting user rights involves configuring security parameters of different config files: users, groups of users or processes. This can be done using built—in system permission, user groups or tools like AppArmor. System permission gives access to specific information systems subjects.

Availabilities such as writing, reading and executing access to the object of the file system. AppArmor and other software can be security modules which provide security services via the MAC concept and confinement process subset of the system.

Install and exploit

Before using the main utility update and upgrade your system :

sudo apt update —y && sudo apt upgrade —y
Update OS
Screenshot №1 — Update OS

Install the needed package for creating a profile and log file:

sudo apt install apparmor—utils apparmor
Install utility
Screenshot №2 — Install utility

And check utilities for the packet:

Install addition
Screenshot №3 — Install addition

The process will be structured as follows: we create a profile for users that start scanning their actions and movement, start needed for the user program, which impact with their process and therefore we can collect all log files and set permission on it. First, create a profile with the user which you need to restrict:

sudo aa—genprof —h
Help option
Screenshot №4 — Help option

We can see a template of the program syntaxis and fill the gaps following that example:

sudo aa—genprof sudo
Scanning process
Screenshot №5 — Scanning process

You can use any parameter on the screen below, but we use the default setting. Now, as you can see in the instruction, we have to create a new window in our remote program application:

New tab
Screenshot №6 — New tab

Start all the programs, that you need to use and wait, now absolutely starting, requiring process writing in log journal:

Start application
Screenshot №7 — Start application

Go to the previous window and stop the process with press the letter F on your keyboard:

Stop scanning
Screenshot №8 — Stop scanning

Go to the log files and check Apparmor kernel process starts right:

sudo journalctl —k
Log files
Screenshot №9 — Log files

After we make sure that all processes start correctly, we need to update the log file in Apparmour :

Update files
Screenshot №10 — Update files

Start profile with enforce mode, which can turn up a system of MAC restrictions :

aa—enforce /usr/bin/sudo
Enforce boot
Screenshot №11 — Enforce boot


Restricting user permissions is an essential aspect of managing Linux systems. It allows administrators to ensure that users only have access to the necessary resources and reduces the risk of security breaches. AppArmor is a powerful tool that can help administrators restrict user permissions by defining specific profiles for users and their associated processes.

By following the steps outlined in this article, administrators can create AppArmor profiles and log files, analyze them, and enforce restrictions on user permissions. Ultimately, implementing these techniques will lead to a more secure and efficient Linux system. In the next episode, we consider a more deepest and most flexible configuration, don't tune the channel!

5 out of 5
Аverage rating : 5
Rated by: 1
1101 CT Amsterdam The Netherlands, Herikerbergweg 292
+31 20 262-58-98
700 300
700 300

You might also like...

We use cookies to make your experience on the Serverspace better. By continuing to browse our website, you agree to our
Use of Cookies and Privacy Policy.