Learn how to prevent Linux users from executing certain commands and confining them to their home directory by employing rbash.
You have users logging in to your Linux system. Those users might have not have sudo rights, but they quite possibly could have free rein to poke around most of the system directory tree. You don’t want that. Why? Although those users might not be able to edit the vast majority of your configuration files, you certainly don’t want those users viewing them. Same holds true for your client data–you want that locked down.
But how do you prevent users from being able to access your directory hierarchy without having to tweak the permissions of every file and folder on the system, which could seriously complicate things?
SEE: Windows 10 security: A guide for business leaders (TechRepublic Premium)
One way is by employing a tool called Restricted Bash (rbash). With rbash you can prevent a user from:
Using the cd command
Modifying the values of $PATH, $SHELL, $BASH_ENV, or $ENV
Executing programs that contain a /
Redirecting output using >, >|, <>, >&, &>, and >>
Get out of restricted mode within scripts
Turn off restricted mode
What you’ll need
How to create a test user
We’re going to create a test user on a system. We’ll call that user vega. We want to create the user such that their shell is rbash. This is done with the command:
sudo useradd -m vega -s /bin/rbash
You’ll then need to give the new user a password with the command:
sudo passwd vega
When prompted, type and verify a password for the new user.
How to create a directory
Now we’re going to create a directory for the new user that will house the only commands the user is allowed to run. Say, for instance, we want to allow the user to issue the commands mkdir, ls, and ssh. First let’s create the directory with the command:
sudo mkdir /home/vega/bin
Next, we’re going to create links into that newly created directory for the commands the user can run (again mkdir, ls, and ssh). To do this, issue the commands:
sudo ln -s /bin/mkdir /home/vega/bin sudo ln -s /bin/ls /home/vega/bin sudo ln -s /bin/ssh /home/vega/bin
How to prevent profile modification
Now we need to make sure the new user is unable to modify their .profile file. Before we can actually change the permissions and ownership of the .profile, you’ll need to log in as that user, so the file is created. After you’ve logged in, log back out and back in as a user with sudo privileges.
Change the ownership and permissions of the file with the commands:
sudo chown root. /home/vega/.profile sudo chmod 755 /home/vega/.profile
Log in to the server with the vega account and issue the command:
You should be informed that you are restricted from using the cd command (Figure A).
You can try any command you like, but only mkdir, ls, and ssh will work for the vega user.
And that’s how you can heavily restrict users on a Linux system with rbash. This is a really handy way to control what commands your users can execute and how they can move about within the directory structure.