Is it possible to allow only some commands?

MultiVol
08-29-2002, 07:14 PM
Is it possible to only allow a few commands on ssh?
Like only the mysql command string allowed to clients on SSH?

WII-Aaron
08-29-2002, 07:24 PM
sure, just delete all the ones you don't want them to have.

host911
08-29-2002, 08:36 PM
interesting.. can tell me where can I edit/remove these commands

MultiVol
08-29-2002, 09:05 PM
Originally posted by host911
interesting.. can tell me where can I edit/remove these commands

hmm.. that was my next question :rolleyes:

Perlboy
08-29-2002, 09:56 PM
Hey there,

First of all there are a few methods. Using permissions is the easiest. If you don't want a user to have access to say rm (located at /bin/rm), you could set chmod 750 /bin/rm. This would allow only the root user and the root group (default permission for /bin/rm is root.root) to execute the file. If you want you could create a group called "safeusers", add the user you want to be allowed to run the command to that group, then chown root.safeusers /bin/rm.

The second method, and more significantly difficult one, is to set up a chroot jail. An appropriate piece of software can be found at http://www.gsyc.inf.uc3m.es/~assman/jail/ . This however, while giving you complete control, may or may not work depending on your setup and your requested capabilities.

Finally, you could use /etc/bashrc with a Bourne Again SHell to make any commands you don't want the user to execute execute something else (i.e. if they specify something matching */rm* it instead executes a script that says "Sorry, you can't do that"). I've never tried this however, and unless you are very much on the ball this can be circumvented. Docs at: http://www.gnu.org/manual/bash-2.05a/html_node/bashref_toc.html#SEC_Contents .
Cheers, Stuart

Perlboy
08-29-2002, 10:27 PM
Something just posted you may be interested in: http://www.webhostingtalk.com/showthread.php?s=&threadid=70795

Cheers, Stuart

Eris
08-29-2002, 10:29 PM
Posting in the correct place this time. Sheesh! On my first post I hit the "new thread" button instead of "post reply". Forgive this newbie her clumsy fingers! :-)

The command shell program is usually bash on Linux systems, and if bash is started with the -r option, or if it is called with the name rbash, then it will start up in a restricted mode. In a restricted shell, the following things are not allowed to be done:

· changing directories with cd
· setting or unsetting the values of SHELL, PATH, ENV, or BASH_ENV
· specifying command names containing /
· specifying a file name containing a / as an argument to the . builtin command
· specifying a filename containing a slash as an argument to the -p option to the hash builtin command
· importing function definitions from the shell environment at startup
· parsing the value of SHELLOPTS from the shell environment at startup
· redirecting output using the >, >|, <>, >&, &>, and >> redirection operators
· using the exec builtin command to replace the shell with another command
· adding or deleting builtin commands with the -f and -d options to the enable builtin command
· specifying the -p option to the command builtin command
· turning off restricted mode with set +r or set +o restricted.

You can further restrict things by editing the user's bash startup file (.bash_profile) to change their default command path. So if I wanted to restrict the user jsmith to only being able to view his files I would do this:

- Create a symbolic link to allow me to start bash using the name rbash: ln -s /bin/bash /bin/rbash
- Edit /etc/passwd to change jsmith's command shell from /bin/bash to /bin/rbash. The shell is the last entry on the line containing jsmith's info.
- Create a new directory to hold symbolic links to the commands I want to allow: mkdir /bin/restricted
- Create the symbolic links for the programs I want to allow: ln -s /bin/ls /bin/restricted/ls
- Edit the user's .bash_profile to change the PATH variable which lists the directories that will be searched for commands. Delete the old PATH statements in the file and add one that says: PATH=/bin/restricted
- Change the ownership and permission of the .bash_profile so the user can read it, but not write to it: chown root.root .bash_profile ; chmod 644 .bash_profile
- The ownership and permissions of the .bashrc and .bash_logout files should be changed as well, and .bashrc should be checked for lines that set PATH. If there are any they should be removed.

At this point I'm done. The user can now log in and the only commands he can execute are ls to view his files, and those few commands that are built in to the bash shell itself.

Implementing this kind of scheme on your own server will take some tweaking, of course. There are bound to be some commands you will need to give the user which aren't obvious at first, so you would probably want to create a test user to play with until you have it figured out.

Eris
08-29-2002, 11:25 PM
If you give a user a restricted shell, then that user will not be allowed to log in via ftp, so you wouldn't want to do this for a user who is a website administrator since he would no longer be able to upload his files.

MultiVol
08-30-2002, 12:21 AM
hmm Permissions is the way to go then :)
Anyone like to list or know where a list is with typical permissions to Linux files?
Or do I have to go file by file and know what each file does..? :bawling:

host911
08-30-2002, 12:36 AM
Also another question which commands do you think should not be given to users.?:confused:

Ahmad
08-30-2002, 02:19 AM
One more note. Don't forget to prevent the Apache user from executing these commands too.
Keep in mind that anything the Apache user can do, all other users can do. (This includes reading other customers' PHP files and getting their MySQL passwords, but that is another issue :rolleyes:.)

Studio64
08-30-2002, 03:04 AM
Originally posted by host911
Also another question which commands do you think should not be given to users.?:confused:

su suexec :D

Picture yourself running a website. Do a few basic things and do one or two advanced things. Make a list of the commands you use and include those only... If anyone wants another command include it.

2host.com
08-30-2002, 03:46 AM
Originally posted by Eris
Posting in the correct place this time. Sheesh! On my first post I hit the "new thread" button instead of "post reply". Forgive this newbie her clumsy fingers! :-)

The command shell program is usually bash on Linux systems, and if bash is started with the -r option, or if it is called with the name rbash, then it will start up in a restricted mode. In a restricted shell, the following things are not allowed to be done:

· changing directories with cd
· setting or unsetting the values of SHELL, PATH, ENV, or BASH_ENV
· specifying command names containing /
· specifying a file name containing a / as an argument to the . builtin command
· specifying a filename containing a slash as an argument to the -p option to the hash builtin command
· importing function definitions from the shell environment at startup
· parsing the value of SHELLOPTS from the shell environment at startup
· redirecting output using the >, >|, <>, >&, &>, and >> redirection operators
· using the exec builtin command to replace the shell with another command
· adding or deleting builtin commands with the -f and -d options to the enable builtin command
· specifying the -p option to the command builtin command
· turning off restricted mode with set +r or set +o restricted.

You can further restrict things by editing the user's bash startup file (.bash_profile) to change their default command path.
So if I wanted to restrict the user jsmith to only being able to view his files I would do this:

- Create a symbolic link to allow me to start bash using the name rbash: ln -s /bin/bash /bin/rbash
- Edit /etc/passwd to change jsmith's command shell from /bin/bash to /bin/rbash. The shell is the last entry on the line containing jsmith's info.
- Create a new directory to hold symbolic links to the commands I want to allow: mkdir /bin/restricted
- Create the symbolic links for the programs I want to allow: ln -s /bin/ls /bin/restricted/ls
- Edit the user's .bash_profile to change the PATH variable which lists the directories that will be searched for commands. Delete the old PATH statements in the file and add one that says: PATH=/bin/restricted
- Change the ownership and permission of the .bash_profile so the user can read it, but not write to it: chown root.root .bash_profile ; chmod 644 .bash_profile
- The ownership and permissions of the .bashrc and .bash_logout files should be changed as well, and .bashrc should be checked for lines that set PATH. If there are any they should be removed.

At this point I'm done. The user can now log in and the only commands he can execute are ls to view his files, and those few commands that are built in to the bash shell itself.

Implementing this kind of scheme on your own server will take some tweaking, of course. There are bound to be some commands you will need to give the user which aren't obvious at first, so you would probably want to create a test user to play with until you have it figured out.

A few problems with this (and hey it's a problem with pretty much any solution, so) is that a user can still upload a file to run it, even if you don't allow them access to the binary file on your system, they can just run their own. Also, remember to set the immutable attribute on the file you don't want them to be able to modify.
There are a few other problems and faults, but it might be something people can get ideas from on a road to better configuring their server.

Eris
08-30-2002, 08:13 AM
Even if they upload a binary program they won't be able to run it as long as you don't put their home directory or . in the PATH. If the path doesn't include the home or current directories then to run the program they'd have to use ./progname to run the program, but the restricted shell doesn't allow using the ./ construct.

Immutable is a good call, though. Thanks!

hosthero
09-01-2002, 09:55 AM
chmod 600 or chmod 700 a command.

For example if you don't want anyone using locate, do chmod 600 /usr/bin/locate and no-one will be able to use that except you, the administrator.

If at any time you want to restore the ability to use it again use: chmod 755 or chmod 644 I think :)
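
An audit of the setup Eris describes earlier in the thread (rbash login shell, startup files the user cannot rewrite, PATH limited to the link directory, commands offered only as symlinks), added here as an example and not posted by anyone in the thread. The function name audit_rbash, its arguments and the FINDING output format are invented for illustration; it assumes a POSIX shell with ls, awk and grep.

```shell
#!/bin/sh
# Added example: audit an account restricted as in Eris's steps.
# audit_rbash and its arguments are illustrative names, not from the thread.
# usage: audit_rbash USER HOME RESTRICTED_DIR [PASSWD_FILE] [OWNER]
# Prints one FINDING line per problem; returns non-zero if there were any.
audit_rbash() {
    user=$1 home=$2 rdir=$3 passwd=${4:-/etc/passwd} owner=${5:-root}
    findings=0
    note() { echo "FINDING: $*"; findings=$((findings + 1)); }

    # 1. The login shell is the last field of the user's passwd line.
    shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$passwd")
    [ "$shell" = /bin/rbash ] || note "login shell is '$shell', not /bin/rbash"

    # 2. Startup files and the command directory must belong to $owner and
    #    must not be group- or world-writable, or PATH can be put back.
    for f in "$home/.bash_profile" "$home/.bashrc" "$home/.bash_logout" "$rdir"; do
        [ -e "$f" ] || continue
        meta=$(ls -ld "$f" | awk '{ print $1 ":" $3 }')
        [ "${meta#*:}" = "$owner" ] || note "$f owned by ${meta#*:}, not $owner"
        case ${meta%%:*} in
            ?????w*|????????w*) note "$f is group- or world-writable" ;;
        esac
    done

    # 3. PATH may only be set to exactly the restricted directory
    #    (no home directory, no "." and no extra entries).
    want="(export )?PATH=$rdir"
    for f in "$home/.bash_profile" "$home/.bashrc"; do
        [ -f "$f" ] || continue
        n=$(grep -E '(^|[^A-Za-z_])PATH=' "$f" | grep -cvxE "$want" || true)
        [ "$n" -eq 0 ] || note "$f has $n PATH line(s) other than PATH=$rdir"
    done
    grep -qxE "$want" "$home/.bash_profile" 2>/dev/null ||
        note "$home/.bash_profile does not set PATH=$rdir"

    # 4. Every allowed command should be a symlink the administrator created.
    for c in "$rdir"/*; do
        [ -e "$c" ] || [ -L "$c" ] || continue
        [ -L "$c" ] || note "$c is not a symlink"
    done
    [ "$findings" -eq 0 ]
}
```

For the thread's example this would be run as root as: audit_rbash jsmith /home/jsmith /bin/restricted (the home path is assumed). It does not check the immutable attribute 2host.com mentions.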