The command shell on Linux systems is usually bash, and if bash is started with the -r (or --restricted) option, or is invoked under the name rbash, it starts in restricted mode.
In a restricted shell the following are not allowed:
· changing directories with cd
· setting or unsetting the values of SHELL, PATH, ENV, or BASH_ENV
· specifying command names containing /
· specifying a file name containing a / as an argument to the . builtin command
· specifying a filename containing a slash as an argument to the -p option to the hash builtin command
· importing function definitions from the shell environment at startup
· parsing the value of SHELLOPTS from the shell environment at startup
· redirecting output using the >, >|, <>, >&, &>, and >> redirection operators
· using the exec builtin command to replace the shell with another command
· adding or deleting builtin commands with the -f and -d options to the enable builtin command
· specifying the -p option to the command builtin command
· turning off restricted mode with set +r or set +o restricted
You can further restrict things by editing the user's bash startup file (.bash_profile) to change their default command path. This works because the restrictions are enforced only after the startup files have been read, so .bash_profile can still set PATH; it also means the user must not be able to change that file.
So if I wanted to restrict the user jsmith to only being able to view his files I would do this:
- Create a symbolic link so that bash can be started under the name rbash: ln -s /bin/bash /bin/rbash (many distributions already ship /bin/rbash; if you create the link yourself, add /bin/rbash to /etc/shells as well, since chsh and other programs that consult that file may otherwise reject it).
- Edit /etc/passwd to change jsmith's command shell from /bin/bash to /bin/rbash. The shell is the last field on the line containing jsmith's info (usermod -s /bin/rbash jsmith makes the same change without hand-editing the file).
- Create a new directory to hold symbolic links to the commands I want to allow: mkdir /bin/restricted
- Create the symbolic links for the programs I want to allow: ln -s /bin/ls /bin/restricted/ls
- Edit the user's .bash_profile to change the PATH variable, which lists the directories that will be searched for commands. Delete the old PATH statements in the file and add one that says: PATH=/bin/restricted
- Change the ownership and permissions of .bash_profile so the user can read it but not write to it: chown root:root .bash_profile ; chmod 644 .bash_profile
- The ownership and permissions of .bashrc and .bash_logout should be changed in the same way, and .bashrc should be checked for lines that set PATH; remove any you find. Note that deleting or renaming a file needs write permission on the directory rather than on the file, so if jsmith can write to his home directory he can still remove the root-owned .bash_profile and supply his own. Either make the home directory root-owned with the sticky bit set, so that he cannot unlink files he does not own, or mark the startup files immutable with chattr +i where the filesystem supports it.
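As an added example (not part of the original article), the following POSIX shell script builds the same arrangement in a scratch directory and drives it with bash -r, so the effect of each restriction can be seen without root and without editing /etc/passwd. The sandbox layout, the notes.txt file and the report script are assumptions made for the demo; the real setup uses /bin/restricted and jsmith's home directory as described above.

```shell
#!/bin/sh
# Added example, not from the original article: reproduce the jsmith setup in a
# scratch directory and exercise it with "bash -r", without root and without
# touching /etc/passwd.  The sandbox layout, notes.txt and the "report" script
# are assumptions made for the demo; the real setup uses /bin/restricted and
# jsmith's home directory.

BASH_BIN=$(command -v bash || echo /bin/bash)

# setup_restricted_home SANDBOX
# SANDBOX/bin plays the part of /bin/restricted (only ls is linked into it) and
# SANDBOX/home plays the part of jsmith's home, with a .bash_profile that sets
# PATH to the allowed directory and nothing else.
setup_restricted_home() {
    sandbox=$1
    mkdir -p "$sandbox/bin" "$sandbox/home"
    ln -sf "$(command -v ls)" "$sandbox/bin/ls"
    # Startup files are read before the restrictions take effect, so this is
    # the one place PATH can still be set.  (On a real system this file would
    # also be chowned to root, which needs privileges the demo does not have.)
    printf 'PATH=%s\nexport PATH\n' "$sandbox/bin" > "$sandbox/home/.bash_profile"
    chmod 644 "$sandbox/home/.bash_profile"
    : > "$sandbox/home/notes.txt"        # a file for ls to show
}

# add_escape_script SANDBOX
# Drops an ordinary shell script into the allowed directory.  rbash lets the
# user run it by name, and once it runs the restrictions no longer apply.
add_escape_script() {
    sandbox=$1
    printf '#!/bin/sh\ncd / && pwd\n' > "$sandbox/bin/report"
    chmod 755 "$sandbox/bin/report"
}

# run_restricted SANDBOX COMMAND
# Runs COMMAND the way a login to the restricted account would: restricted
# mode, login shell (so .bash_profile is read), clean environment, cwd = home.
# stderr is merged into stdout so the "restricted" messages are visible; the
# command's exit status is returned.
run_restricted() {
    sandbox=$1
    shift
    (
        cd "$sandbox/home" || exit 1
        env -i HOME="$sandbox/home" "$BASH_BIN" -r -l -c "$*" 2>&1
    )
}

# Demo: allowed commands, several refused ones, and the escape.
SANDBOX=$(mktemp -d)
setup_restricted_home "$SANDBOX"
add_escape_script "$SANDBOX"
for cmd in 'ls' 'ls -d /etc' 'cd /tmp' '/bin/ls' 'echo hi > out' 'PATH=/bin' 'cat notes.txt' 'report'; do
    printf '$ %s\n' "$cmd"
    run_restricted "$SANDBOX" "$cmd"
    echo "  (exit status $?)"
done
rm -rf "$SANDBOX"
```

The last command in the demo is the important one: report is an ordinary script placed in the allowed directory, and it changes directory and prints the result without complaint, because the restrictions belong to rbash and not to the programs it starts. Note also that ls -d /etc succeeds; rbash restricts command names, not arguments, so it does not confine what the user can read on the filesystem.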
At this point I'm done. The user can now log in, and the only commands he can execute are ls to view his files and the few commands built into the bash shell itself.
Implementing this kind of scheme on your own server will take some tweaking, of course. There are bound to be some commands you will need to give the user which aren't obvious at first, so you would probably want to create a test user to experiment with until you have it figured out. Check every command you add for a way to start another program: the restrictions apply to rbash itself and not to what it runs, so an editor or pager with a shell escape, or any shell script, hands the user an ordinary unrestricted shell.