Limit execution to specific users

Support for security such as Firewalls and securing linux
KernelOops
Posts: 428
Joined: 2013/12/18 15:04:03
Location: xfs file system

Limit execution to specific users

Post by KernelOops » 2020/10/08 07:06:32

Does anyone know if it is possible to restrict execution of /usr/bin/perl (or other similar /usr/bin file) to a specific list of users?

Thank you.
--
R.I.P. CentOS :cry:
--

jlehtone
Posts: 4531
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Limit execution to specific users

Post by jlehtone » 2020/10/08 08:11:02

File permissions? (If complex, then with ACLs.)
SELinux contexts?

That can get tricky if system services with various accounts use those executables.
Furthermore, does 'dnf update' (re)set permissions?

KernelOops
Posts: 428
Joined: 2013/12/18 15:04:03
Location: xfs file system

Re: Limit execution to specific users

Post by KernelOops » 2020/10/08 08:22:13

Indeed, it's tricky.

The packages that I've seen do not reset file permissions for existing and modified files, so that is not a problem.

A simple binary like /usr/bin/wget can be easily restricted via file permissions, e.g. 0700 (-rwx------); then only root is able to run wget.

But, as you mention above, this will cause many problems for a binary file that is executed by system services that run as their own user, for example /usr/bin/perl.

I don't know how to use ACLs, maybe someone who knows more could provide some information. I'll take a look at SELinux and see if there is anything close to what I want.
--
R.I.P. CentOS :cry:
--

gostal
Posts: 71
Joined: 2019/09/23 15:26:45

Re: Limit execution to specific users

Post by gostal » 2020/10/08 14:45:59

Perhaps ordinary file permissions suffice.

Create a specific group for the program in point, e.g. Progusers. Choose a descriptive name.
Set the group of the program to be that group instead of root.
Set permissions to 774, or 754 if group members should not be able to change the file, only run it. Restrict world access to 4 or 0.
Make all users allowed to run the program a member of Progusers.

Should work if SELinux doesn't get in the way, but it should be possible to create a rule for that purpose should it occur.
Desktop Dell T5810 Intel(R) Xeon(R) CPU E5-1650 v4 @ 3.60GHz, 72 GB RAM, Radeon Pro WX 7100
CentOS 7.9.2009
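The group-based procedure gostal describes above, as an added example script (not code from the thread). It assumes the group name "progusers" and a program like /usr/bin/wget that no system service needs; `restrict_to_group` performs the privileged steps, while `can_exec` only reasons about an octal mode so the 750 vs. 754 difference can be checked without root.

```sh
#!/bin/sh
# Added example: restrict execution of a binary to members of one group.
# Assumed names: group "progusers", program /usr/bin/wget (no service runs it).
set -eu

# Which permission class applies to USER for a file owned by OWNER:GROUP?
#   exec_class OWNER GROUP MODE USER "GROUP1 GROUP2 ..."  -> owner|group|other
exec_class() {
  owner=$1 group=$2 user=$4 groups=$5
  if [ "$user" = "$owner" ]; then echo owner; return; fi
  for g in $groups; do
    if [ "$g" = "$group" ]; then echo group; return; fi
  done
  echo other
}

# Does the octal MODE grant execute to USER's class? Exit 0 = yes.
#   can_exec OWNER GROUP MODE USER "GROUP1 GROUP2 ..."
can_exec() {
  mode=$3
  case ${#mode} in 4) mode=${mode#?} ;; esac   # drop setuid/setgid/sticky digit
  case $(exec_class "$@") in
    owner) digit=${mode%??} ;;
    group) rest=${mode#?}; digit=${rest%?} ;;
    other) digit=${mode#??} ;;
  esac
  [ $((digit & 1)) -eq 1 ]                      # x bit is the low bit of the digit
}

# The privileged steps from the post (run as root):
#   restrict_to_group /usr/bin/wget progusers alice bob
restrict_to_group() {
  prog=$1; grp=$2; shift 2
  getent group "$grp" >/dev/null || groupadd "$grp"
  chgrp "$grp" "$prog"
  chmod 0750 "$prog"            # owner rwx, group r-x, world none (0 = no read)
  for u in "$@"; do usermod -aG "$grp" "$u"; done
  stat -c '%U %G %a %n' "$prog" # verify: root progusers 750 /usr/bin/wget
}

# Dry check without root: alice (in progusers) may run it, bob may not.
if can_exec root progusers 750 alice "alice progusers"; then echo "alice: allowed"; fi
if ! can_exec root progusers 750 bob "bob users"; then echo "bob: denied"; fi
```

With world access 4 instead of 0, a non-member can still read (and copy) the file but not execute it in place; SELinux, if it denies the group, shows up in the audit log as a separate AVC rather than a permission error. Note that new group membership takes effect only on the user's next login.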
