https://community.hpe.com/t5/operating-system-linux/linux-security/m-p/4255127#M33508 Hi All,<BR /><BR />How can we restrict a user when he access a linux machine can't go to any folder other than the one that he access to it upon login, also restrict him to use just specific commands and can't use anything else.<BR /><BR />Appreciate any help here.<BR /><BR />Thanks,<BR /> Wed, 20 Aug 2008 12:53:26 GMT M.S 2008-08-20T12:53:26Z https://community.hpe.com/t5/operating-system-linux/linux-security/m-p/4255127#M33508 Hi All,<BR /><BR />How can we restrict a user when he access a linux machine can't go to any folder other than the one that he access to it upon login, also restrict him to use just specific commands and can't use anything else.<BR /><BR />Appreciate any help here.<BR /><BR />Thanks,<BR /> Wed, 20 Aug 2008 12:53:26 GMT https://community.hpe.com/t5/operating-system-linux/linux-security/m-p/4255127#M33508 M.S 2008-08-20T12:53:26Z https://community.hpe.com/t5/operating-system-linux/linux-security/m-p/4255128#M33509 Use restricted shell - <A href="http://felipecruz.com/blog_restricte-linux-users-to-their-home.php" target="_blank">http://felipecruz.com/blog_restricte-linux-users-to-their-home.php</A><BR /><BR />regards,<BR />ivan Wed, 20 Aug 2008 13:00:22 GMT https://community.hpe.com/t5/operating-system-linux/linux-security/m-p/4255128#M33509 Ivan Krastev 2008-08-20T13:00:22Z https://community.hpe.com/t5/operating-system-linux/linux-security/m-p/4255129#M33510 Hi Ivan,<BR /><BR />I'm using rhel5, and i can't find bash2 package. Is it still in use.<BR /><BR />Regards,<BR /> Wed, 20 Aug 2008 13:32:42 GMT https://community.hpe.com/t5/operating-system-linux/linux-security/m-p/4255129#M33510 M.S 2008-08-20T13:32:42Z https://community.hpe.com/t5/operating-system-linux/linux-security/m-p/4255130#M33511 See RH document - just copy bash to rbash - <A href="http://kbase.redhat.com/faq/FAQ_35_3940.shtm" target="_blank">http://kbase.redhat.com/faq/FAQ_35_3940.shtm</A><BR /><BR />regards,<BR />ivan Wed, 20 Aug 2008 13:35:32 GMT https://community.hpe.com/t5/operating-system-linux/linux-security/m-p/4255130#M33511 Ivan Krastev 2008-08-20T13:35:32Z https://community.hpe.com/t5/operating-system-linux/linux-security/m-p/4255131#M33512 Hi Ivan,<BR /><BR />Thx for your help here, i still have an issue where i want to restrict this to use just specific command. Like just use ping and traceroute and nothing else at all (he can't create read write and do anything other than the predifined commands)<BR /><BR />Is there a way to do that <BR /><BR />Thx <BR /> Wed, 20 Aug 2008 13:45:36 GMT https://community.hpe.com/t5/operating-system-linux/linux-security/m-p/4255131#M33512 M.S 2008-08-20T13:45:36Z https://community.hpe.com/t5/operating-system-linux/linux-security/m-p/4255132#M33513 Shalom,<BR /><BR />Try chroot<BR /><BR /><BR /><A href="http://www.howtoforge.com/chrooted_ssh_howto_debian" target="_blank">http://www.howtoforge.com/chrooted_ssh_howto_debian</A><BR /><BR />Number of good solutions.<BR /><BR />Not easy but air tight secure.<BR /><BR />SEP Wed, 20 Aug 2008 21:26:26 GMT https://community.hpe.com/t5/operating-system-linux/linux-security/m-p/4255132#M33513 Steven E. Protter 2008-08-20T21:26:26Z https://community.hpe.com/t5/operating-system-linux/linux-security/m-p/4255133#M33514 What about modifying you system to serve the purpose.<BR /><BR />Create two new groups<BR />1) restricted<BR />2) free<BR /><BR />restricted: to which all the user whom you want to restrict will belong.<BR /><BR />free: all the free and happy users will belong<BR /><BR />then create a directory say /rec_bin(or whatever u want to call it) and copy all the commands(to be used by restricted users) from /usr/bin /bin to this directory. make this directory readable and executable by restricted group.<BR /><BR />Change the permission of /bin /usr/bin /sbin etc etc. to disallow anybody except the owner and the free group.<BR /><BR />In this way the restricted users wont' be able to access all the commands on the system but they will be able to run the commands kept in /rec_bin<BR /><BR />Sri Thu, 21 Aug 2008 05:27:02 GMT https://community.hpe.com/t5/operating-system-linux/linux-security/m-p/4255133#M33514 Srimalik 2008-08-21T05:27:02Z https://community.hpe.com/t5/operating-system-linux/linux-security/m-p/4255134#M33515 Ivan, <BR />Try to run bash from the "rbash" environment. On centos5, users that are logged into rbash are able to switch to bash (where "cd" is not restricted) simply by typing "bash".<BR />I'm not sure whether it was designed that way on purpose... Thu, 21 Aug 2008 06:47:46 GMT https://community.hpe.com/t5/operating-system-linux/linux-security/m-p/4255134#M33515 Alexander Chuzhoy 2008-08-21T06:47:46Z https://community.hpe.com/t5/operating-system-linux/linux-security/m-p/4255135#M33516 Just changing the shell to rbash isn't sufficient because you need to control what's in $PATH. At a minimum, you need:<BR /><BR />1. restricted shell (like rbash)<BR />2. directory with symlinks to permitted commands<BR />3. read-only custom login script to set PATH to only contain that directory of symlinks<BR />4. read-only home directory<BR /> Thu, 21 Aug 2008 15:14:46 GMT https://community.hpe.com/t5/operating-system-linux/linux-security/m-p/4255135#M33516 Heironimus 2008-08-21T15:14:46Z