topic Re: restricted shell access for user acct in Operating System - Linux

restricted shell access for user acct

Rick Garland — Mon, 19 May 2003 19:38:56 GMT

Hi all:

RH Linux As 2.1 is the OS.

Got a user acct I have setup, need to restrinct access of this acct. Allow it to traverse down the directory it is restricted to - do not all it to come.

Any ideas?

Many thanks

Re: restricted shell access for user acct

Steven E. Protter — Mon, 19 May 2003 20:16:31 GMT

/sbin/nologin

As the SHELL in /etc/passwd will obviously preven login.

Perhaps the chroot command in the .bash_profile

I thought there was a restricted shell like in HP-UX but can't find it on my systems.

SEP

Re: restricted shell access for user acct

Steven E. Protter — Mon, 19 May 2003 20:27:46 GMT

Or. PErhaps I could ACTUALLY do my homework.

http://www.europe.redhat.com/documentation/HOWTO/Adv-Bash-Scr-HOWTO/restricted-sh.php3

Shows shell scripting with restricted shell, I bet similar methodology works in the /etc/passwd file.

This link shows a non-bash restricted shell that can be installed and used..

http://www.redhat.com/archives/redhat-list/1999-June/msg02059.html

You know, I often forget to check it but you can learn how to do darn near anything at

http://www.tldp.org/

Right now the search on that site is hanging.

Go figure.

SEP

Re: restricted shell access for user acct

Stuart Browne — Tue, 20 May 2003 01:01:05 GMT

You can literally use "/bin/bash -r" in /etc/passwd.

This unfortunately doesn't stop the user from just re-running /bin/bash to get an un-restricted shell however.

Re: restricted shell access for user acct

Steven E. Protter — Tue, 20 May 2003 13:16:01 GMT

Stuart, couldn't he use some kind of chroot() command in the profile to prevent running the normal shell?

Or could he make a copy of the bash shell and restrict permissions on it, use this new users group to prevent re-running the shell?

I think so, I don't know the chroot command very well, but I know you could make a copy of the bash shell and keep that user from executing it.

SEP

Re: restricted shell access for user acct

Stuart Browne — Tue, 20 May 2003 22:23:50 GMT

I guess it depends on what the user is supposed to do in the end.

The issue with 'chroot' is that it literally says "This is now my root directory". Meaning, unless a library is in memory etc. etc., they'll need populated lib,bin,etc (etc.) directories.

Not pretty. If they are just running a custom application, then it's possible. I suppose you could also just created hard-linked structures, but...