Simpler Navigation for Servers and Operating Systems - Please Update Your Bookmarks
Completed: a much simpler Servers and Operating Systems section of the Community. We combined many of the older boards, so you won't have to click through so many levels to get at the information you need. Check the consolidated boards here as many sub-forums are now single boards.
If you have bookmarked forums or discussion boards in Servers and Operating Systems, we suggest you check and update them as needed.
cancel
Showing results for 
Search instead for 
Did you mean: 

restrict user process

Tommy Wang
Occasional Advisor

restrict user process

I would like to create an user account to run few commands which I allow to run , and the account cannot browser to other directories excepts it's home directory.
Any help should be highly appreciated.
7 REPLIES
Andy Monks
Honored Contributor

Re: restrict user process

You'll want to use a restricted shell then. Either use rsh or rksh
Tommy Wang
Occasional Advisor

Re: restrict user process

Thanks, Is there any instruction which could teach me how to set restriction on both shells?
Andreas Voss
Honored Contributor

Re: restrict user process

Hi,

simply change the default shell in /etc/passwd.
Ie.:
user:wRsdz.Rx4zueQ:200:20::/home/user:/bin/rsh

Cheers

Andrew
Andy Monks
Honored Contributor

Re: restrict user process

either create a new use with sam or useradd.

There is some info on rsh/rksh in the sh and ksh man pages.

using rsh you can't do :-

change directory
set the PATH environment variable
specify path or command names containing '/'
redirect output
Bill Hassell
Honored Contributor

Re: restrict user process

Actually, the restricted shell is pretty difficult to use. The restricted shell (rsh or rksh) will use chroot to change to the user's $HOME which then becomes / for that user. There is no /usr or /opt and not even /etc. So once logged in using a restricted shell, the user has no commands available. The users cannot change directories upwards because they are already in the / directory as far as their shell is concerned.

So you have to create a $HOME/usr directory and put the selected commands into that directory and make sure $PATH is set to a meaningful list...most of the standard $PATH is inaccessible in the restricted shell.

But wait, there's more restrictions. If a command needs a configuration file in /etc to run correctly, those file(s) must also be copied to the user's $HOME, under a new directory called $HOME/etc and if the config file(s) refer to other files, these will likely have to be copied too. Then there's the problem of running a program, such as a database client. The client may need to open files that are not in the user's $HOME..

As you tell, the restricted shell is not that easy to make useful. However, their is an easier alternative: change the user's shell to a program that you write which offers the necessary commands in a menu. You can even use a shell script but you must be careful to trap all signals to prevent escaping from the shell program with CTRL-C or other interrupts. Something like this:

trap "exit" 0 1 2 3 15

And as with all tasks in Unix, if there aren't 3 or more ways to do the same thing, you haven't tried hard enough:

Choice 3: In /etc/profile, you can test for the user(s) login names, then exec a program rather than completing the /etc/profile script. Be sure to exec rather than run the command so the user will not return to /etc/profile when the command is done. For example:

if [ $(whoami) = blh ]
then
echo "leaving /etc/profile"
exec sleep 5
fi

In the above example, sleep 5 is the program to run, and any attempt to break out will fail. When the program is done (sleep for 5 seconds), the session terminates. In this case, no changes are needed for the user's shell, just edit /etc/profile.


Bill Hassell, sysadmin
RikTytgat
Honored Contributor

Re: restrict user process

Bill,

I'm afraid you're wrong!

In restricted shell, you can execute all commands in your PATH. So, if /usr/bin is in your path, the restricted user can run any of the commands in /usr/bin.

Also, no chroot is done. The /etc is available (one can even list is). When doing an ls -l /etc, all usernames and groupnames are listed, so there IS access to /etc/passwd.

The limitations of a restricted shell are exactly what Andy says in his reply.

Bye,
Rik
Alan Riggs
Honored Contributor

Re: restrict user process

Bill may be incorrect in the details, but his main point is worth noting. Because rsh/rksh prevent any path names from being specified absolutely, many client applications will not be able to start properly. This can affet SAP programs, database clients, etc. Sometimes, it may be possible to edit the startup scripts to allow rsh functionality, but it is often neither guaranteed nor trivial to do so.

However, if your users dp not need access to those kind of apps then rsh/rksh is a fine solution. It does provide the restrictions Andy specified. One note: make sure to create the /usr/rbin directory and place only the commands you want the user to have access to in that directory. Then modify the user's path appropriately. If you give them access to /usr/bin they have vi, which will allow them to read in and execute files using absolute paths. The red editor can be provided for users that need a text editor.