Limit User’s Access [ Linux ]

Lamjed JARRAY
Mar 13, 2022

The Restricted Shell prevents users from executing most commands and from changing the current working directory. It imposes the following restrictions on users:

  • It will not allow you to execute cd command. So you can’t go anywhere. You can simply stay in the current working directory.
  • It will not allow you to modify the values of the $PATH, $SHELL, $BASH_ENV or $ENV environment variables.
  • It will not allow you to execute a program whose name contains a / (slash) character. For example, you can’t run /usr/bin/uname or ./uname. You can, however, run uname. In other words, you are allowed to run only the commands found through $PATH.
  • You can’t redirect the output using ‘>’, ‘>|’, ‘<>’, ‘>&’, ‘&>’, and ‘>>’ redirection operators.
  • It will not allow you to get out of the restricted shell mode within scripts.
  • It will not allow you to turn off restricted shell mode with ‘set +r’ or ‘set +o restricted’.

This can be very useful when a large number of users share a system. If you want to allow users to execute only specific commands, Restricted Shell is one way to do this.

Limit User’s Access To The Linux System Using Restricted Shell

First, create a symlink called rbash that points to Bash, as shown below. The following commands should be run as the root user.

# ln -s /bin/bash /bin/rbash

Next, create a user called “udev” with rbash as the default login shell.

# useradd udev -s /bin/rbash

Set a password for the new user.

# passwd udev

Create a bin directory inside the home folder of the new user.

# mkdir /home/udev/bin

Now, we need to specify which commands the user can run.

Here, I am going to let the user run only the “ls”, “mkdir”, and “ping” commands. You can assign any commands of your choice.

To do so, run the following commands:

# ln -s /bin/ls /home/udev/bin/ls
# ln -s /bin/mkdir /home/udev/bin/mkdir
# ln -s /bin/ping /home/udev/bin/ping

Now, you understand why we created the “bin” directory in the earlier step. The users can’t run any commands except the above three commands.

Next, prevent the user from modifying .bash_profile.

# chown root: /home/udev/.bash_profile
# chmod 755 /home/udev/.bash_profile

Edit the /home/udev/.bash_profile file:

# vi /home/udev/.bash_profile

Modify the PATH variable like below.

[...]
PATH=$HOME/bin
[...]
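
To check that an account still matches the setup described in the steps above (root-owned .bash_profile, PATH limited to $HOME/bin, and only the chosen commands linked into ~/bin), the following audit function can be run periodically. It is an added example, not part of the original article; the function name audit_rbash_home, its arguments and the allowlist are assumptions, and it relies on GNU stat.

```shell
# Added example: audit a restricted account's home against the steps above.
# Usage: audit_rbash_home HOME_DIR OWNER_UID ALLOWED_CMD...
# (name, arguments and allowlist are assumptions; needs GNU stat)
audit_rbash_home() {
    home=$1; owner_uid=$2; shift 2
    allowed=" $* "
    profile=$home/.bash_profile
    fail=0
    finding() { echo "FINDING: $*"; fail=1; }

    # .bash_profile must exist, belong to OWNER_UID (0 = root on a real
    # system) and not be writable by group or others.
    if [ ! -f "$profile" ]; then
        finding "$profile is missing"
    else
        [ "$(stat -c %u "$profile")" = "$owner_uid" ] ||
            finding "$profile is not owned by uid $owner_uid"
        [ $(( 0$(stat -c %a "$profile") & 022 )) -eq 0 ] ||
            finding "$profile is writable by group or others"
        # The last PATH assignment in the file must be exactly $HOME/bin.
        last_path=$(grep -E '^[[:space:]]*(export[[:space:]]+)?PATH=' "$profile" | tail -n 1)
        case $last_path in
            *'PATH=$HOME/bin'|*'PATH="$HOME/bin"') ;;
            *) finding "PATH is not set to \$HOME/bin in $profile" ;;
        esac
    fi

    # Every entry in ~/bin must be a symlink to an executable on the allowlist.
    for entry in "$home"/bin/*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue   # unmatched glob
        name=${entry##*/}
        case $allowed in
            *" $name "*) ;;
            *) finding "$name is not on the allowlist" ;;
        esac
        [ -L "$entry" ] || finding "$name is not a symlink"
        [ -x "$entry" ] || finding "$name does not resolve to an executable"
    done
    return $fail
}

# On the system built above, run as root:
#   audit_rbash_home /home/udev 0 ls mkdir ping
```

The function prints one FINDING line per deviation and returns non-zero if there is any, so it can be used directly in a cron job or a configuration-management check.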
