Limit User’s Access [ Linux ]
The Restricted Shell will limit the users from executing most commands and from changing the current working directory. The Restricted Shell will impose the following restrictions to the users:
- It will not allow you to execute cd command. So you can’t go anywhere. You can simply stay in the current working directory.
- It will not allow you to modify the values of $PATH, $SHELL, $BASH_ENV or $ENV environmental variables.
- It will not allow you to execute a program whose name contains a / (slash) character. For example, you can’t run /usr/bin/uname or ./uname. You can, however, execute uname. In other words, you can run only commands that are found through $PATH.
- You can’t redirect the output using ‘>’, ‘>|’, ‘<>’, ‘>&’, ‘&>’, and ‘>>’ redirection operators.
- It will not allow you to get out of the restricted shell mode within scripts.
- It will not allow you to turn off restricted shell mode with ‘set +r’ or ‘set +o restricted’.
This can be very useful when a large number of users share a system. So, if you want to allow the users to execute only specific commands, Restricted Shell is one way to do this.
Limit User’s Access To The Linux System Using Restricted Shell
First, create a symlink called rbash from Bash as shown below. The following commands should be run as root user.
# ln -s /bin/bash /bin/rbash
Next, create a user called “udev” with rbash as the default login shell.
# useradd udev -s /bin/rbash
Set a password for the new user.
# passwd udev
Create a bin directory inside the home folder of the new user.
# mkdir /home/udev/bin
Now, we need to specify which commands the user can run.
Here, I am going to let the user run only the “ls”, “mkdir”, and “ping” commands. You can assign any commands of your choice.
To do so, run the following commands:
# ln -s /bin/ls /home/udev/bin/ls
# ln -s /bin/mkdir /home/udev/bin/mkdir
# ln -s /bin/ping /home/udev/bin/ping
Now, you understand why we created the “bin” directory in the earlier step. The users can’t run any commands except the above three commands.
Next, prevent the user from modifying .bash_profile.
# chown root: /home/udev/.bash_profile
# chmod 755 /home/udev/.bash_profile
Edit /home/udev/.bash_profile file:
# vi /home/udev/.bash_profile
Modify the PATH variable like below.
[...]
PATH=$HOME/bin
[...]
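An added example, not part of the original page: a POSIX shell function that audits a home directory built with the steps above (root-owned bin and .bash_profile, PATH pinned to $HOME/bin, only approved symlinks in bin). The function name, its three arguments and the FINDING output format are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): audit a restricted home built
# with the steps above. Arguments are assumptions of this sketch:
#   $1 home directory, $2 numeric uid that should own bin/ and .bash_profile
#   (0 for root), $3 space-separated list of approved command names.
# Prints one line per finding; the return status is the number of findings.
audit_rbash_home() {
    home=$1 owner_uid=$2 allowed=$3 findings=0
    report() { echo "FINDING: $1"; findings=$((findings + 1)); }

    # bin/ and .bash_profile must not be owned or writable by the user.
    for f in "$home/bin" "$home/.bash_profile"; do
        [ -e "$f" ] || { report "$f is missing"; continue; }
        uid=$(ls -ldn "$f" | awk '{print $3}')
        mode=$(ls -ldn "$f" | awk '{print $1}')
        [ "$uid" = "$owner_uid" ] || report "$f owned by uid $uid, expected $owner_uid"
        case $mode in
            ?????w*|????????w*) report "$f is group- or world-writable ($mode)" ;;
        esac
    done

    # The last PATH assignment in .bash_profile decides what rbash can run.
    last=$(grep -E '^[[:space:]]*(export[[:space:]]+)?PATH=' "$home/.bash_profile" 2>/dev/null | tail -n 1)
    echo "$last" | grep -Eq '^[[:space:]]*(export[[:space:]]+)?PATH=\$HOME/bin[[:space:]]*$' ||
        report "final PATH assignment is '$last', expected PATH=\$HOME/bin"

    # Every entry in bin/ must be an approved name that links to a binary of
    # the same name, so an allowed name cannot front for another program.
    for entry in "$home"/bin/*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue   # empty directory
        name=${entry##*/}
        case " $allowed " in
            *" $name "*) ;;
            *) report "$entry is not an approved command"; continue ;;
        esac
        [ -L "$entry" ] || { report "$entry is not a symlink"; continue; }
        target=$(readlink "$entry")
        [ -e "$entry" ] || { report "$entry -> $target is dangling"; continue; }
        [ "${target##*/}" = "$name" ] || report "$entry points at $target"
    done
    return "$findings"
}
```

For the account created above, run it as root: audit_rbash_home /home/udev 0 "ls mkdir ping".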