How To Limit User’s Access To The Linux System

Limit User's Access To The Linux System

One of my Friend asked me how to allow an user to do only certain tasks, and execute certain commands. The user shouldn’t change the environment variables/paths, can’t visit to the other directories except his home directory, can’t switch to other users etc. The user can only be able to execute few commands assigned by the system administrator. Is that possible? Yes! This is where Restricted Shell comes in help. Using Restricted Shell, we can easily limit user’s access to the linux system. Once you put the users in restricted shell mode, they are allowed to execute only limited set of commands.

In this brief tutorial, we will talk about how to do this in Linux. I tested this guide on CentOS 7 minimal server. However, It will work on most Unix-like distributions.

Limit User’s Access To The Linux System Using Restricted Shell

What is Restricted Shell?

Let me clarify what exactly Restricted Shell is. Don’t think it’s a separate shell such as Bash, Korn Shell. If you start any existing shell using rbash, –restricted, -r options, then It will become Restricted shell. Say for example, The Bourne shell can be started as a restricted shell with the command bsh -r, and the Korn shell with the command ksh -r.

The Restricted Shell will limit the users from executing most commands and from changing the current working directory. The Restricted Shell will impose the following restrictions to the users.

  • It will not allow you to execute cd command. That means you can’t go anywhere, just stay in the current working directory.
  • It will not allow you to modify the values of $PATH, $SHELL, $BASH_ENV, or $ENV environmental variables.
  • It will not allow you to execute a program that contains a /(slash) character. Say for example, you can’t run /usr/bin/uname or ./uname command. You can however execute uname command. It means that you are allowed to run the commands in the current path.
  • You can’t redirect the output using‘>’, ‘>|’, ‘<>’, ‘>&’, ‘&>’, and ‘>>’ redirection operators.
  • It will not allow you to get out of the restricted shell mode within scripts.
  • It will not allow you to Turn off restricted shell mode with ‘set +r’ or ‘set +o restricted’.

This can be very useful when a large number of users are using a shared system. So, If you want to allow the users to execute only specific commands, Restricted Shell is one way to do this.

Using Restricted Shell mode

First, create a symlink called rbash from Bash as shown below. The following commands should be run as root user.

ln -s /bin/bash /bin/rbash

Next, create an user called “ostechnix” with rbash as his/her default login shell.

useradd ostechnix -s /bin/rbash

Set password to the new user.

passwd ostechnix

Create a bin directory inside the home folder of the the new user.

mkdir /home/ostechnix/bin

Now, we need to specify which commands the user can run.

Here, I am going to let they user to run only “ls”, “mkdir”, and “ping” commands. You can assign as many as commands you wish.

To do so, run the following commands:

ln -s /bin/ls /home/ostechnix/bin/ls
ln -s /bin/mkdir /home/ostechnix/bin/mkdir
ln -s /bin/ping /home/ostechnix/bin/ping

Now, you understand why we created the “bin” directory. The users can’t run any commands except the above three commands.

Next, prevent the user from modifying .bash_profile.

chown root. /home/ostechnix/.bash_profile
chmod 755 /home/ostechnix/.bash_profile

Edit /home/ostechnix/.bash_profile file:

vi /home/ostechnix/.bash_profile

Modify the PATH variable like below.

PATH=$HOME/bin

Save and close the file by pressing ESC key followed by !q.

Now when the user logs in, the restricted shell(rbash) will run as the default login shell and read the .bash_profile, which will set PATH to $HOME/bin so that the user will only be able to run the ls, mkdir and ping commands. The restricted shell will not allow the user to change PATH, and the permissions on .bash_profile will not allow the user to alter the environment to bypass the restrictions during the next login session.

Verifying Rbash

Now, log out from root user and log in to the newly created user i.e ostechnix in our case.

Then, run some commands to check whether it works or not. For example, I want to clear the Terminal.

To do so, I ran:

clear

Sample output:

-rbash: clear: command not found

You can’t come use cd command to change to the different directory.

cd /root

Sample output:

-rbash: cd: restricted

You can’t redirect the output using > operator either.

cat > file.txt

Sample output:

-rbash: file.txt: restricted: cannot redirect output

The user “ostechnix” is allowed to use only the commands assigned by you(the system admin, of course). In our case, the user can execute ls, mkdir and ping commands.

ls
mkdir dir1
ping ostechnix.com

Apart from these three commands, the user can’t do anything. S/He is completely under your control. If you want to assign more commands to him/her, log in to the root user again and assign the commands as shown below.

For example, I want to allow him/her to execute rm command, so I ran the following command as root user.

ln -s /bin/mkdir /home/ostechnix/bin/rm

That’s all for today.

For more details, refer the man pages in the link given below.

Hope this helps. If you like guide, please share it on your social networks and support us.

Cheers!

Thanks for stopping by!

How can I benefit from this blog:

Have a Good day!!

You may also like...