Learn how to prevent Linux users from executing certain commands and confining them to their home directory by employing rbash.

How to use Restricted Shell to limit user access to a Linux system Watch Now

You have users logging in to your Linux system. Those users might have not have sudo rights, but they quite possibly could have free rein to poke around most of the system directory tree. You don't want that. Why? Although those users might not be able to edit the vast majority of your configuration files, you certainly don't want those users viewing them. Same holds true for your client data--you want that locked down.

But how do you prevent users from being able to access your directory hierarchy without having to tweak the permissions of every file and folder on the system, which could seriously complicate things?

SEE: Windows 10 security: A guide for business leaders (TechRepublic Premium)

One way is by employing a tool called Restricted Bash (rbash). With rbash you can prevent a user from:

Using the cd command

Modifying the values of $PATH, $SHELL, $BASH_ENV, or $ENV

Executing programs that contain a /

Redirecting output using >, >|, <>, >&, &>, and >>

Get out of restricted mode within scripts

Turn off restricted mode

What you'll need

A running instance of Linux

A user with sudo privileges

How to create a test user

We're going to create a test user on a system. We'll call that user vega. We want to create the user such that their shell is rbash. This is done with the command:

sudo useradd -m vega -s /bin/rbash

You'll then need to give the new user a password with the command:

sudo passwd vega

When prompted, type and verify a password for the new user.

How to create a directory

Now we're going to create a directory for the new user that will house the only commands the user is allowed to run. Say, for instance, we want to allow the user to issue the commands mkdir, ls, and ssh. First let's create the directory with the command:

sudo mkdir /home/vega/bin

Next, we're going to create links into that newly created directory for the commands the user can run (again mkdir, ls, and ssh). To do this, issue the commands:

sudo ln -s /bin/mkdir /home/vega/bin sudo ln -s /bin/ls /home/vega/bin sudo ln -s /bin/ssh /home/vega/bin

How to prevent profile modification

Now we need to make sure the new user is unable to modify their .profile file. Before we can actually change the permissions and ownership of the .profile, you'll need to log in as that user, so the file is created. After you've logged in, log back out and back in as a user with sudo privileges.

Change the ownership and permissions of the file with the commands:

sudo chown root. /home/vega/.profile sudo chmod 755 /home/vega/.profile

Testing

Log in to the server with the vega account and issue the command:

cd /

You should be informed that you are restricted from using the cd command (Figure A).

Figure A

You can try any command you like, but only mkdir, ls, and ssh will work for the vega user.

And that's how you can heavily restrict users on a Linux system with rbash. This is a really handy way to control what commands your users can execute and how they can move about within the directory structure.

Cybersecurity Insider Newsletter Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays Sign up today

Also see