  1. #1

    You can give the user a restricted shell

    The command shell program is usually bash on Linux systems, and if bash is started with the -r option, or if it is called with the name rbash, then it will start up in a restricted mode.

    In a restricted shell, the following things are not allowed:
    changing directories with cd
    setting or unsetting the values of SHELL, PATH, ENV, or BASH_ENV
    specifying command names containing /
    specifying a file name containing a / as an argument to the . builtin command
    specifying a filename containing a slash as an argument to the -p option to the hash builtin command
    importing function definitions from the shell environment at startup
    parsing the value of SHELLOPTS from the shell environment at startup
    redirecting output using the >, >|, <>, >&, &>, and >> redirection operators
    using the exec builtin command to replace the shell with another command
    adding or deleting builtin commands with the -f and -d options to the enable builtin command
    specifying the -p option to the command builtin command
    turning off restricted mode with set +r or set +o restricted.

    You can further restrict things by editing the user's bash startup file (.bash_profile) to change their default command path.

    So if I wanted to restrict the user jsmith to only being able to view his files I would do this:

    - Create a symbolic link to allow me to start bash using the name rbash: ln -s /bin/bash /bin/rbash
    - Edit /etc/passwd to change jsmith's command shell from /bin/bash to /bin/rbash. The shell is the last entry on the line containing jsmith's info.
    - Create a new directory to hold symbolic links to the commands I want to allow: mkdir /bin/restricted
    - Create the symbolic links for the programs I want to allow: ln -s /bin/ls /bin/restricted/ls
    - Edit the user's .bash_profile to change the PATH variable which lists the directories that will be searched for commands. Delete the old PATH statements in the file and add one that says: PATH=/bin/restricted
    - Change the ownership and permission of the .bash_profile so the user can read it, but not write to it: chown root.root .bash_profile ; chmod 644 .bash_profile
    - The ownership and permissions of the .bashrc and .bash_logout files should be changed as well, and .bashrc should be checked for lines that set PATH. If there are any they should be removed.

    At this point I'm done. The user can now log in and the only commands he can execute are ls to view his files, and those few commands that are built in to the bash shell itself.

    Implementing this kind of scheme on your own server will take some tweaking, of course. There are bound to be some commands you will need to give the user which aren't obvious at first, so you would probably want to create a test user to play with until you have it figured out.
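    The steps above, carried out in a throwaway directory so they can be tried without root. This is an added example, not code from the original post: it assumes bash, ls and mktemp are installed, stands a temporary directory in for /bin/rbash, /bin/restricted and jsmith's home, and skips the chown to root because that needs privileges. The probes at the end mirror the list of things the restricted shell forbids.

```shell
#!/bin/sh
# Added example (not from the original post): build the rbash + restricted
# PATH scheme in a sandbox as an unprivileged user, then probe it the way a
# user looking for a way out would. Assumes bash, ls and mktemp exist.

# Create the sandbox and print its path.
setup_sandbox() {
  sb=$(mktemp -d) || return 1
  mkdir -p "$sb/restricted" "$sb/home"
  # The post's "ln -s /bin/bash /bin/rbash": bash started under the name
  # rbash runs restricted, so only the symlink's basename matters.
  ln -s "$(command -v bash)" "$sb/rbash"
  # Only ls is reachable through the restricted PATH.
  ln -s "$(command -v ls)" "$sb/restricted/ls"
  # The user's .bash_profile points PATH at the restricted directory alone.
  # Startup files run before the restrictions take effect, so this
  # assignment works even though the user cannot change PATH afterwards.
  printf 'PATH=%s\nexport PATH\n' "$sb/restricted" > "$sb/home/.bash_profile"
  chmod 644 "$sb/home/.bash_profile"   # chown root.root skipped: needs root
  : > "$sb/home/secret.txt"             # constructed sample file to list
  printf '%s\n' "$sb"
}

# Run a command line as the restricted user would: a login shell named
# rbash, clean environment, HOME and cwd inside the sandbox. Prints combined
# stdout/stderr and returns the shell's exit status.
run_restricted() {
  sb=$1
  cmd=$2
  (cd "$sb/home" && env -i HOME="$sb/home" PATH=/usr/bin:/bin \
      "$sb/rbash" --login -c "$cmd" 2>&1)
}

# Succeed only if the restricted shell refused the command line: non-zero
# exit plus one of bash's restriction or lookup errors in the output.
is_refused() {
  if out=$(run_restricted "$1" "$2"); then
    return 1
  fi
  case $out in
    *restricted*|*"command not found"*|*readonly*) return 0 ;;
  esac
  return 1
}

cleanup_sandbox() { rm -rf "$1"; }

# Walk through the probes and print a verdict for each.
demo() {
  sb=$(setup_sandbox) || return 1
  printf '%-22s -> %s\n' 'ls' "$(run_restricted "$sb" 'ls')"
  for probe in 'cd /' 'cat secret.txt' '/bin/cat secret.txt' \
               'PATH=/bin' 'ls > out' 'set +r; cd /'; do
    if is_refused "$sb" "$probe"; then v=refused; else v=ALLOWED; fi
    printf '%-22s -> %s\n' "$probe" "$v"
  done
  cleanup_sandbox "$sb"
}

demo
```

    Whatever gets linked into the restricted directory is the real boundary: any program there that can run other programs or spawn a shell (an editor or pager with a shell escape, for example) hands the user an unrestricted shell back, and the same goes for a writable .bash_profile or .bashrc, which is why the post has root own them.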

  2. #2

    Total newbie indeed

    This was meant to be a reply, not a new thread, but the system won't let me delete it. Would one of the moderators be so kind as to delete this thread?
