Q. How can I make sure that users can only access their own home directories?
A. You can use rbash i.e. restricted bash shell. A restricted shell is used to set up an environment more controlled than the standard shell. It behaves identically to bash with the exception that the following are disallowed or not performed:
- Changing directories with cd
- Setting or unsetting the values of SHELL, PATH, ENV, or BASH_ENV
- Specifying command names containing /
- Specifying a file name containing a / as an argument to the . builtin command
- Specifying a filename containing a slash as an argument to the -p option to the hash builtin command
- Importing function definitions from the shell environment at startup
- Parsing the value of SHELLOPTS from the shell environment at startup
- Redirecting output using the >, >|, , >&, &>, and >> redirection operators
- Using the exec builtin command to replace the shell with another command
- Adding or deleting builtin commands with the -f and -d options to the enable builtin command
- Using the enable builtin command to enable disabled shell builtins
- Specifying the -p option to the command builtin command
- Turning off restricted mode with set +r or set +o restricted.
These restrictions are enforced after any startup files are read. When a command that is found to be a shell script is executed, rbash turns off any restrictions in the shell
spawned to execute the script.
Open /etc/passwd file and setup shell to /bin/rbash
# vi /etc/passwd
For example here is a sample entry for user vivek:
vivek:x:100:101::/home/vivek:/bin/rbash
Save and close the file.
Featured Articles:
- 20 Linux System Monitoring Tools Every SysAdmin Should Know
- 20 Linux Server Hardening Security Tips
- My 10 UNIX Command Line Mistakes
- Linux: 20 Iptables Examples For New SysAdmins
- 25 PHP Security Best Practices For Sys Admins
- The Novice Guide To Buying A Linux Laptop
- 10 Greatest Open Source Software Of 2009
- Top 5 Email Client For Linux, Mac OS X, and Windows Users
- Top 20 OpenSSH Server Best Security Practices
- Top 10 Open Source Web-Based Project Management Software
- Top 5 Linux Video Editor Software
Facebook it - Tweet it - Print it -
{ 9 comments… read them below or add one }
From Where I can get rbash
In my /bin no file is there by name rbash so, my telnet is terminating after entering password
as it is not finding rbash command
cp /bin/bash /bin/rbash
will do the trick
Hi!
While using a command line, this restriction works. But if I have mc (Midnight Commander) installed, then this ‘rbashed’ user just can use mc and browse the whole system.
THANKS FRANK, IT WAS VERY USEFUL
how vnc other user restrict ?
thanks that is very usefull
how can i permit the users to use only ifconfig command to change the server IP
I can get out of ~ with everything but cd… I mean
pico /etc/passwd for example or ls /bin etc.
If you have /bin in your PATH, you can easily bypass rbash’s restrictive properties. See below,
[root@host ~]# !su
su – blah2010
-rbash-3.2$ cd /
-rbash: cd: restricted
-rbash-3.2$ bash
bash-3.2$ cd /
bash-3.2$ ls | wc -l
29
bash-3.2$
The key is to fine tune until you have the right setting. Nice post.
Hmmm….
it doesn’t work very well
Users can still execute command like
cat /home/another_user/public_html/includes/database_password.inc.php
More so SFTP and FTP doesn’t work once user’s bash has been changed to rbash