Re: Limiting User Commands
Greetings,
* Osamu Aoki <osamu@debian.org> [2004-Nov-05 14:13 AKST]:
> On Fri, Nov 05, 2004 at 09:31:21AM -0800, Stephen Le wrote:
> > Is there an easy way to limit the commands a certain group of users
> > can execute?
>
> I've never done this but...
>
> Use of chroot with bash started as rbash seems to be what you need.
>
> Or use of rbash with PATH pointing to custom location where
> commands exist.

This is what I've done when I wanted to reduce the set of commands a
user could run. I'm sure a reasonably competent Unix user could easily
circumvent these restrictions, but it's a good first start, and making
such attempts would result in account suspension.

Change their shell to /bin/rbash in /etc/passwd:

    bbonds:x:50539:50539:Barry Bonds,,,:/home/bbonds:/bin/rbash

Change the ownership and permissions on their .bash_profile and .bashrc
to root:root 644:

    -rw-r--r-- 1 root root 420 Sep 21 13:05 .bash_profile
    -rw-r--r-- 1 root root 746 Sep 21 13:05 .bashrc

Modify the PATH in whichever file you wish to a PATH that only includes
the commands you wish:

    export PATH="/usr/local/rbin"

Make symbolic links between allowed commands and '/usr/local/rbin'.

As I said before, this is just a simple attempt to reduce privilege.
There are undoubtedly ways around it, some easier than others depending
on what's in /usr/local/rbin.

Chris
--
Christopher S. Swingley email: cswingle@iarc.uaf.edu (work)
Intl. Arctic Research Center cswingle@gmail.com (personal)
University of Alaska Fairbanks www.frontier.iarc.uaf.edu/~cswingle/
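
An audit of the setup described in the message above, as an added example that is not part of the original post: it checks the login shell, the dotfile ownership and mode, and what the links in /usr/local/rbin resolve to. The function names and the interpreter name list are assumptions of this example, and it relies on GNU-style `stat -c` and `readlink -f`.

```shell
#!/bin/sh
# Added example: audit the restricted-shell setup described in the message.
# Paths and owner uid are parameters; the defaults follow the message.

# Succeeds if USER's login shell in PASSWD_FILE is /bin/rbash.
check_shell() {  # check_shell USER [PASSWD_FILE]
    shell=$(awk -F: -v u="$1" '$1 == u { print $7 }' "${2:-/etc/passwd}")
    [ "$shell" = "/bin/rbash" ]
}

# Succeeds if FILE is owned by uid OWNER_UID (default 0, root) and is not
# writable by group or others, so the user cannot edit the PATH setting.
check_dotfile() {  # check_dotfile FILE [OWNER_UID]
    [ -f "$1" ] || return 1
    [ "$(stat -c %u "$1")" = "${2:-0}" ] || return 1
    case $(stat -c %A "$1") in
        ?????w*|????????w*) return 1 ;;  # group- or world-writable
    esac
    return 0
}

# Prints one finding per entry in DIR that would undo the restriction:
# dangling links, and links resolving to a shell or script interpreter
# (the name list is an assumption of this example; extend it as needed).
audit_rbin() {  # audit_rbin [DIR]
    for entry in "${1:-/usr/local/rbin}"/*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        target=$(readlink -f "$entry") || target=""
        if [ -z "$target" ] || [ ! -e "$target" ]; then
            echo "$entry: dangling link"
            continue
        fi
        case $(basename "$target") in
            sh|bash|dash|ksh|zsh|csh|tcsh|python*|perl*|ruby*)
                echo "$entry: resolves to interpreter $target" ;;
        esac
    done
}

# Stand-alone use: sh audit.sh USER HOME_DIR
if [ $# -eq 2 ]; then
    check_shell "$1" || echo "$1: login shell is not /bin/rbash"
    for f in "$2/.bash_profile" "$2/.bashrc"; do
        check_dotfile "$f" || echo "$f: not root-owned, or group/world-writable"
    done
    audit_rbin
fi
```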