In DirectAdmin you can block commands server-wide or only for specific users. The commands that can be blocked are listed at:
https://www.directadmin.com/api.html
https://www.directadmin.com/search_versions.php?help=no&versions=yes&query=CMD_API_
https://www.directadmin.com/search_versions.php?help=no&versions=yes&query=CMD_
A. Block DirectAdmin commands globally
To block commands for all users on the server, use the never_commands setting in the /usr/local/directadmin/conf/directadmin.conf file.
For example, to prevent the creation of new admin accounts, use:
never_commands=CMD_ACCOUNT_ADMIN:CMD_API_ACCOUNT_ADMIN
Restart DirectAdmin with:
service directadmin restart
B. Block DirectAdmin commands per user
To block commands for a specific user, use the files commands.allow and commands.deny (this is very similar to the CSF files csf.allow and csf.deny):
/usr/local/directadmin/data/users/USERNAME/commands.allow
/usr/local/directadmin/data/users/USERNAME/commands.deny
commands.allow holds the allowed commands and commands.deny holds the blocked commands. These files do not exist by default, so you may need to create them. Add one command per line. A few rules to consider:
– commands.allow overrides commands.deny. If an item is in both, the command will be allowed.
– if commands.allow exists, but is empty, that User will not be able to do anything
– adding commands to commands.allow that are not available at the given account’s access level won’t work
For example, to block USER11's ability to edit PHP settings, add the line
CMD_PHP_SETTINGS
to the file
/usr/local/directadmin/data/users/USER11/commands.deny
If a user tries to execute a blocked command, a denied message is shown:
You cannot execute that command
The request you've made cannot be executed because it does not exist in your authority level
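The per-user rules above can be checked before and after editing the files. The following shell helpers are an added example, not DirectAdmin code or code from the original page: da_cmd_status reports which rule applies to a command, and da_deny adds a commands.deny entry once and refuses when commands.allow would override it. The function names and the DA_USERS_DIR variable are hypothetical; the default path and the precedence rules are the ones given on this page.

```shell
#!/bin/sh
# Added example, not DirectAdmin code. Function names and DA_USERS_DIR are
# hypothetical; the default path and the precedence rules come from the page.
DA_USERS_DIR="${DA_USERS_DIR:-/usr/local/directadmin/data/users}"

# True if FILE ($1) exists and has a line exactly equal to CMD ($2).
has_line() { [ -f "$1" ] && grep -Fxq -- "$2" "$1"; }

# Reject user names that could escape the users directory, and anything
# that does not look like a DirectAdmin command name (CMD_...).
valid_args() {
    case "$1" in ''|.|..|*/*) return 1 ;; esac
    case "$2" in CMD_?*) return 0 ;; *) return 1 ;; esac
}

# da_cmd_status USER CMD -> prints lockout | allowed | denied | unlisted
da_cmd_status() {
    valid_args "$1" "$2" || { echo "invalid user or command" >&2; return 2; }
    allow="$DA_USERS_DIR/$1/commands.allow"
    deny="$DA_USERS_DIR/$1/commands.deny"
    if [ -f "$allow" ] && [ ! -s "$allow" ]; then
        echo lockout      # commands.allow exists but is empty
    elif has_line "$allow" "$2"; then
        echo allowed      # commands.allow overrides commands.deny
    elif has_line "$deny" "$2"; then
        echo denied
    else
        echo unlisted     # in neither file; the page defines no rule here
    fi
}

# da_deny USER CMD -> add CMD to commands.deny once (file created if missing).
# Fails with status 1 when commands.allow would override the new entry.
da_deny() {
    valid_args "$1" "$2" || { echo "invalid user or command" >&2; return 2; }
    dir="$DA_USERS_DIR/$1"
    [ -d "$dir" ] || { echo "no user directory: $dir" >&2; return 2; }
    if has_line "$dir/commands.allow" "$2"; then
        echo "$2 is in commands.allow, which overrides commands.deny" >&2
        return 1
    fi
    has_line "$dir/commands.deny" "$2" || printf '%s\n' "$2" >> "$dir/commands.deny"
}
```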