HPE Community
Operating System - Linux
1827882 Members
1209 Online
109969 Solutions
New Discussion

Linux security

 
SOLVED
Go to solution
M.S
Advisor

‎08-20-2008 05:53 AM

‎08-20-2008 05:53 AM

Linux security

Hi All,

How can we restrict a user when he access a linux machine can't go to any folder other than the one that he access to it upon login, also restrict him to use just specific commands and can't use anything else.

Appreciate any help here.

Thanks,
0 Kudos
Reply
8 REPLIES 8
Ivan Krastev
Honored Contributor

‎08-20-2008 06:00 AM

‎08-20-2008 06:00 AM

Re: Linux security

Use restricted shell - http://felipecruz.com/blog_restricte-linux-users-to-their-home.php

regards,
ivan
0 Kudos
Reply
M.S
Advisor

‎08-20-2008 06:32 AM

‎08-20-2008 06:32 AM

Re: Linux security

Hi Ivan,

I'm using rhel5, and i can't find bash2 package. Is it still in use.

Regards,
0 Kudos
Reply
Ivan Krastev
Honored Contributor

‎08-20-2008 06:35 AM

‎08-20-2008 06:35 AM

Solution

Re: Linux security

See RH document - just copy bash to rbash - http://kbase.redhat.com/faq/FAQ_35_3940.shtm

regards,
ivan
Reply
M.S
Advisor

‎08-20-2008 06:45 AM

‎08-20-2008 06:45 AM

Re: Linux security

Hi Ivan,

Thx for your help here, i still have an issue where i want to restrict this to use just specific command. Like just use ping and traceroute and nothing else at all (he can't create read write and do anything other than the predifined commands)

Is there a way to do that

Thx
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

‎08-20-2008 02:26 PM

‎08-20-2008 02:26 PM

Re: Linux security

Shalom,

Try chroot


http://www.howtoforge.com/chrooted_ssh_howto_debian

Number of good solutions.

Not easy but air tight secure.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Srimalik
Valued Contributor

‎08-20-2008 10:27 PM

‎08-20-2008 10:27 PM

Re: Linux security

What about modifying you system to serve the purpose.

Create two new groups
1) restricted
2) free

restricted: to which all the user whom you want to restrict will belong.

free: all the free and happy users will belong

then create a directory say /rec_bin(or whatever u want to call it) and copy all the commands(to be used by restricted users) from /usr/bin /bin to this directory. make this directory readable and executable by restricted group.

Change the permission of /bin /usr/bin /sbin etc etc. to disallow anybody except the owner and the free group.

In this way the restricted users wont' be able to access all the commands on the system but they will be able to run the commands kept in /rec_bin

Sri
abandon all hope, ye who enter here..
0 Kudos
Reply
Alexander Chuzhoy
Honored Contributor

‎08-20-2008 11:47 PM

‎08-20-2008 11:47 PM

Re: Linux security

Ivan,
Try to run bash from the "rbash" environment. On centos5, users that are logged into rbash are able to switch to bash (where "cd" is not restricted) simply by typing "bash".
I'm not sure whether it was designed that way on purpose...
0 Kudos
Reply
Heironimus
Honored Contributor

‎08-21-2008 08:14 AM

‎08-21-2008 08:14 AM

Re: Linux security

Just changing the shell to rbash isn't sufficient because you need to control what's in $PATH. At a minimum, you need:

1. restricted shell (like rbash)
2. directory with symlinks to permitted commands
3. read-only custom login script to set PATH to only contain that directory of symlinks
4. read-only home directory
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.