Restrict Linux users to their home directories only

Q. How can I make sure that users can only access their own home directories?

A. You can use rbash, the restricted bash shell. A restricted shell sets up an environment that is more controlled than the standard shell. It behaves identically to bash, except that the following are disallowed or not performed:

  1. Changing directories with cd
  2. Setting or unsetting the values of SHELL, PATH, ENV, or BASH_ENV
  3. Specifying command names containing /
  4. Specifying a file name containing a / as an argument to the . builtin command
  5. Specifying a filename containing a slash as an argument to the -p option to the hash builtin command
  6. Importing function definitions from the shell environment at startup
  7. Parsing the value of SHELLOPTS from the shell environment at startup
  8. Redirecting output using the >, >|, <>, >&, &>, and >> redirection operators
  9. Using the exec builtin command to replace the shell with another command
  10. Adding or deleting builtin commands with the -f and -d options to the enable builtin command
  11. Using the enable builtin command to enable disabled shell builtins
  12. Specifying the -p option to the command builtin command
  13. Turning off restricted mode with set +r or set +o restricted.

These restrictions are enforced after any startup files are read. When a command that is found to be a shell script is executed, rbash turns off any restrictions in the shell spawned to execute the script.

Open the /etc/passwd file and set the user's login shell to /bin/rbash:
# vi /etc/passwd

For example here is a sample entry for user vivek:

Save and close the file.
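
Because a restricted shell cannot change PATH or run command names containing a /, the commands found in the account's PATH decide what the user can actually reach. The script below is an added example, not part of the original article: rbash_users and audit_restricted_path are hypothetical helper names, and the passwd lines and bin directory are constructed sample data.

```bash
#!/usr/bin/env bash
# Added example (constructed data, hypothetical function names).
# rbash blocks cd, PATH changes and command names containing "/", so
# whatever sits in the login PATH is the real boundary of the account.

# Print login names in a passwd-format file ($1) whose shell is rbash.
rbash_users() {
    awk -F: '$7 ~ /(^|\/)rbash$/ { print $1 }' "$1"
}

# Print each executable reachable through the PATH string ($1) that is
# not on the allowlist (remaining arguments), one finding per line.
audit_restricted_path() (
    path_string=$1; shift
    allowed=" $* "
    IFS=:; set -f; set -- $path_string; set +f
    for dir in "$@"; do
        case "$dir" in
            ''|.) printf 'current directory is in PATH\n'; continue ;;
        esac
        [ -d "$dir" ] || continue
        for f in "$dir"/*; do
            [ -f "$f" ] && [ -x "$f" ] || continue
            case "$allowed" in
                *" ${f##*/} "*) ;;                # expected command
                *) printf '%s\n' "$f" ;;          # not on the allowlist
            esac
        done
    done
)

# Constructed demo: a sample passwd file and a private bin directory.
demo=$(mktemp -d)
printf '%s\n' \
    'root:x:0:0:root:/root:/bin/bash' \
    'alice:x:1001:1001::/home/alice:/bin/rbash' \
    'carol:x:1003:1003::/home/carol:/bin/bash' > "$demo/passwd"
mkdir "$demo/rbin"
for c in ls date bash; do
    : > "$demo/rbin/$c"; chmod +x "$demo/rbin/$c"
done

echo "rbash accounts:"; rbash_users "$demo/passwd"
echo "outside allowlist:"; audit_restricted_path "$demo/rbin" ls date
```

On a real host, pass /etc/passwd and the PATH set in the restricted account's startup file, with the commands you intend that account to have as the allowlist.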

16 comments
  • surekha Nov 1, 2007 @ 12:54

    From Where I can get rbash

    In my /bin no file is there by name rbash so, my telnet is terminating after entering password
    as it is not finding rbash command

  • Frank Daley Mar 27, 2008 @ 7:25

    cp /bin/bash /bin/rbash

    will do the trick

  • Mike Jan 30, 2009 @ 14:58


    While using a command line, this restriction works. But if I have mc (Midnight Commander) installed, then this ‘rbashed’ user just can use mc and browse the whole system.

  • Jasleen May 17, 2009 @ 13:24


  • actions Feb 18, 2010 @ 14:45

    how vnc other user restrict ?

    • Ahmad Issa May 17, 2010 @ 7:25

      Thanks, that is very useful.

      How can I permit the users to use only the ifconfig command to change the server IP?

  • reijjo Aug 12, 2010 @ 16:55

    I can get out of ~ with everything but cd… I mean
    pico /etc/passwd for example or ls /bin etc.

  • legolasthehansy Dec 30, 2010 @ 8:01

    If you have /bin in your PATH, you can easily bypass rbash’s restrictive properties. See below,

    [root@host ~]# !su
    su - blah2010
    -rbash-3.2$ cd /
    -rbash: cd: restricted
    -rbash-3.2$ bash
    bash-3.2$ cd /
    bash-3.2$ ls | wc -l

    The key is to fine tune until you have the right setting. Nice post.

  • Simon Feb 12, 2011 @ 11:42


    it doesn’t work very well

    Users can still execute command like
    cat /home/another_user/public_html/includes/

    More so, SFTP and FTP don’t work once the user’s bash has been changed to rbash

  • Vasily B. Jun 9, 2012 @ 2:10

    You might also need to create a link between /bin/rbash and /bin/bash (because CentOS doesn’t ship with this link by default):
    ln /bin/bash /bin/rbash

  • Gary Oct 29, 2012 @ 20:29

    Actually, this is a limited success. For instance, a user can type tree / and get a complete listing of the tree structure and then have the ability to rm files in other directories. It does work fine for not allowing cd or executing scripts with a /, but if someone really wants to do mischief this isn’t going to restrict them.

  • Malik Haider Dec 22, 2012 @ 8:32

    I second Gary. I have connected a user via FTP client / FTP browser and the user is still able to access / up to the root and view files.
    – I have tried this with FileZilla FTP Client > Login with user account > User account dropped to home directory (FINE) > however, if I type / in (browsing), the user is able to see the root and browse through the files.
    I want to restrict the user so that he can only and only and only have access to his home directory. Please assist.

  • A Mar 1, 2013 @ 11:00

    ‘cd’ command didn’t work for me. After log on to console I used ‘sh’ and then I could use cd command. At the same time it was preventing me to go to other users folder. All Good :)

  • DJ Delgado Feb 28, 2014 @ 7:52

    Thank you. This helped me a lot :)

  • satish amrutwar Jun 11, 2015 @ 16:47

    I want to restrict a user to the home dir so that he can access or save up to 100 MB of data in that home dir only. Is it possible to perform this task?

    Thanks in advance
    Satish Amrutwar

  • bandar.s Nov 10, 2015 @ 8:24

    Is there a way that we can have same restrictions for SFTP/FTP users?
