Linux Restrict Execution of /usr/sbin/userhelper to Console Users

The /usr/sbin/userhelper program is used by the useradd, usermod, and other user administration utilities to provide a graphical interface for adding, modifying, or deleting user accounts. By default, any user can execute /usr/sbin/userhelper, which can be a security risk.

To restrict the execution of /usr/sbin/userhelper to console users only, follow these steps:

  1. Edit the /etc/pam.d/userhelper file using a text editor such as nano or vi:
    sudo nano /etc/pam.d/userhelper
  2. Comment out the following line:
    auth sufficient /lib/security/pam_rootok.so
  3. Add the following line after the commented-out line:
    auth required pam_securetty.so

    This line ensures that only console users can execute /usr/sbin/userhelper.

  4. Save the changes and exit the text editor.

    In nano, you can press Ctrl+O to save the changes and Ctrl+X to exit.

That’s it! Now only console users will be able to execute /usr/sbin/userhelper. Other users will get a “Permission denied” error if they try to run it.
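Steps 2 and 3 as a repeatable edit with a verification pass, given here as an added example that is not part of the original page. The function names are made up for this example; it keeps the untouched file as FILE.bak and is best run against a copy of /etc/pam.d/userhelper first.

```shell
#!/bin/sh
# Added example: steps 2-3 of the procedure as an idempotent, checkable edit.
# Function names are hypothetical, not part of any package.

# Return 0 and print "ok" when FILE has no active pam_rootok "auth sufficient"
# line and at least one active "auth required pam_securetty.so" line.
check_userhelper_pam() {
    awk '
        /^[ \t]*#/ { next }    # commented-out lines do not count
        $1 == "auth" && $2 == "sufficient" && $3 ~ /pam_rootok\.so$/    { rootok = 1 }
        $1 == "auth" && $2 == "required"   && $3 ~ /pam_securetty\.so$/ { tty = 1 }
        END {
            if (rootok) print "FAIL: pam_rootok line is still active"
            if (!tty)   print "FAIL: pam_securetty line is missing"
            if (!rootok && tty) print "ok"
            exit (rootok || !tty)
        }' "$1"
}

# Comment out the pam_rootok line (step 2) and add the pam_securetty line
# directly after it (step 3). The original is kept as FILE.bak.
harden_userhelper_pam() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    check_userhelper_pam "$file" >/dev/null && return 0   # already in target state
    cp -p "$file" "$file.bak" || return 2
    awk '
        {
            line = $0
            active = !sub(/^[ \t]*#+[ \t]*/, "", line)   # 0 if the line was a comment
            split(line, f)     # fields of the line with any leading "#" removed
        }
        # a stray active securetty line is dropped and re-added in the right place
        active && f[1] == "auth" && f[2] == "required" && f[3] ~ /pam_securetty\.so$/ { next }
        f[1] == "auth" && f[2] == "sufficient" && f[3] ~ /pam_rootok\.so$/ {
            prefix = active ? "#" : ""
            print prefix $0
            if (!added) { print "auth required pam_securetty.so"; added = 1 }
            next
        }
        { print }
    ' "$file.bak" > "$file"
    check_userhelper_pam "$file"    # status and message reflect the final state
}

# Stand-alone use: sh this-script.sh /path/to/copy-of-userhelper
if [ $# -gt 0 ]; then harden_userhelper_pam "$1"; fi
```

If the file contains no pam_rootok line at all, nothing is inserted and the final check reports what is missing, so the edit can be made by hand.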
