Restrict Linux users to their home directories only

last updated August 27, 2006 in Linux, Security

Q. How can I make sure that users can only access their own home directories?

A. You can use rbash i.e. restricted bash shell. A restricted shell is used to set up an environment more controlled than the standard shell. It behaves identically to bash with the exception that the following are disallowed or not performed:

Changing directories with cd
Setting or unsetting the values of SHELL, PATH, ENV, or BASH_ENV
Specifying command names containing /
Specifying a file name containing a / as an argument to the . builtin command
Specifying a filename containing a slash as an argument to the -p option to the hash builtin command
Importing function definitions from the shell environment at startup
Parsing the value of SHELLOPTS from the shell environment at startup
Redirecting output using the >, >|, , >&, &>, and >> redirection operators
Using the exec builtin command to replace the shell with another command
Adding or deleting builtin commands with the -f and -d options to the enable builtin command
Using the enable builtin command to enable disabled shell builtins
Specifying the -p option to the command builtin command
Turning off restricted mode with set +r or set +o restricted.

These restrictions are enforced after any startup files are read. When a command that is found to be a shell script is executed, rbash turns off any restrictions in the shell
spawned to execute the script.

Open /etc/passwd file and setup shell to /bin/rbash
# vi /etc/passwd

For example here is a sample entry for user vivek:
vivek:x:100:101::/home/vivek:/bin/rbash

Save and close the file.

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

Your support makes a big difference:

I have a small favor to ask. More people are reading the nixCraft. Many of you block advertising which is your right, and advertising revenues are not sufficient to cover my operating costs. So you can see why I need to ask for your help. The nixCraft takes a lot of my time and hard work to produce. If everyone who reads nixCraft, who likes it, helps fund it, my future would be more secure. You can donate as little as $1 to support nixCraft:

Become a Supporter Make a contribution via Paypal/Bitcoin

16 comment

surekha says:
November 1, 2007 at 12:54 pm
From Where I can get rbash
In my /bin no file is there by name rbash so, my telnet is terminating after entering password
as it is not finding rbash command
Frank Daley says:
March 27, 2008 at 7:25 am
cp /bin/bash /bin/rbash
will do the trick
Mike says:
January 30, 2009 at 2:58 pm
Hi!
While using a command line, this restriction works. But if I have mc (Midnight Commander) installed, then this ‘rbashed’ user just can use mc and browse the whole system.
Jasleen says:
May 17, 2009 at 1:24 pm
THANKS FRANK, IT WAS VERY USEFUL
actions says:
February 18, 2010 at 2:45 pm
how vnc other user restrict ?
1. Ahmad Issa says:
  May 17, 2010 at 7:25 am
  thanks that is very usefull
  how can i permit the users to use only ifconfig command to change the server IP
reijjo says:
August 12, 2010 at 4:55 pm
I can get out of ~ with everything but cd… I mean
pico /etc/passwd for example or ls /bin etc.
legolasthehansy says:
December 30, 2010 at 8:01 am
If you have /bin in your PATH, you can easily bypass rbash’s restrictive properties. See below,
[root@host ~]# !su
su – blah2010
-rbash-3.2$ cd /
-rbash: cd: restricted
-rbash-3.2$ bash
bash-3.2$ cd /
bash-3.2$ ls | wc -l
29
bash-3.2$
The key is to fine tune until you have the right setting. Nice post.
Simon says:
February 12, 2011 at 11:42 am
Hmmm….
it doesn’t work very well
Users can still execute command like
cat /home/another_user/public_html/includes/database_password.inc.php
More so SFTP and FTP doesn’t work once user’s bash has been changed to rbash
Vasily B. says:
June 9, 2012 at 2:10 am
You might also need to create a link between /bin/rbash and /bin/bash (because CentOS doesn’t ship with this link by default):
ln /bin/bash /bin/rbash
Gary says:
October 29, 2012 at 8:29 pm
Actually this is a limited success for instance a user can type tree / and get a complete listing of the tree structure and then have the ability to rm files in other directories. it does work fine for not allowing cd or executing scripts with a / but if someone really wants to do mischief this isnt going to restrict them
Malik Haider says:
December 22, 2012 at 8:32 am
I second Gary . I have connected user via FTP client / FTP browser and user still be able to access / up to the root and view files.
– I have tried this with FileZilla FTP Client > Login with user account > User account dropped to home directory (FINE) > however if i type / in (browsing ) user is able to see the Root and browse through the files .
I only want to restrict user only and only and only can have access to his home directory . Please assist .
A says:
March 1, 2013 at 11:00 am
‘cd’ command didn’t work for me. After log on to console I used ‘sh’ and then I could use cd command. At the same time it was preventing me to go to other users folder. All Good :)
DJ Delgado says:
February 28, 2014 at 7:52 am
Thank you. This helped me a lot :)
satish amrutwar says:
June 11, 2015 at 4:47 pm
hi
i want to restrict a user to home dir and he can access or save upto 100mb of data in that home dir only. Is it possible to perform this task.
Thanks in advance
Satish Amrutwar
bandar.s says:
November 10, 2015 at 8:24 am
Is there a way that we can have same restrictions for SFTP/FTP users?

Have a question? Post it on our forum!