How to limit user commands in Linux
@Dodzi Dzakuma solution is great if you only have a few commands that you wish to disable.
However if you only want to allow the user to run several commands, here is a better solution:
Change the user shell to restricted bash
chsh -s /bin/rbash <username>
Create a bin directory under the user home directory
sudo mkdir /home/<username>/bin sudo chmod 755 /home/<username>/bin
Change the user's default PATH to the bin directory
echo "PATH=$HOME/bin" >> /home/<username>/.bashrc echo "export PATH >> /home/<username>/.bashrc
Create symlinks of the command(s) that the user require
sudo ln -s /bin/<command> /home/<username>/bin/
Restrict the user from modifying ~/.bashrc
chattr +i /home/<username>/.bashrc
This is better IF you only want to allow the user to run several commands because instead of setting aliases of ALL commands to disable, you only set the symlink of the commands that you wish to allow.
There are lots of different ways that you could achieve this. I'm going to list one of several possible solutions.
I would propose using several different layers of protection to prevent users from running the commands that they shouldn't be allowed to access. All of the directions here assume that users have their own /home/[username]
directory, that their shell is /bin/bash
, and that you would like them to use the bash shell when they log in to the system.
Change the user's bash to restricted bash mode so that they can't change directories (if you don't have a restricted bash mode on your system, this link will help and give you more information)
chsh -s /bin/rbash [username]
Change directory permissions so that only the user can edit the contents of their home directory
chmod 755 /home/[username]
- Remove the user's
.bashrc
file
rm /home/[username]/.bashrc
This site has more information as to why it might be a good idea to delete the .bashrc
in this situation.
- Create a
.bash_profile
and add "safe" aliases for all the commands that you would like to disable
./bash_profile file example
alias apt-get="printf ''"
alias aptitude="printf ''"
[...]
alias vi="vi -Z" #this is vi's safe mode and shell commands won't be run from within vi
alias alias="printf ''"
A please check the full list of bash commands for more information. You must make sure that the alias alias="printf ''"
command is the last command on the list otherwise you lose your ability to alias all of those commands.
Note
Running the commands below will search for almost all the commands available on your system and output a ready made file will almost all available commands pre-aliased. The [
command is the test
command in bash. So if you see that in the file, it is not an error.
#search /bin and /usr/bin for any commands that exist on our system
ls /bin -1 > commands_on_system.txt && ls /usr/bin -1 >> commands_on_system.txt
#format and save this information to a bash variable
IFS=$'\n' GLOBIGNORE='*' command eval 'COMMANDS_ON_SYSTEM=($(cat ./commands_on_system.txt))'
IFS=$'\n' COMMANDS_ON_SYSTEM=($(sort <<<"${COMMANDS_ON_SYSTEM[*]}"))
unset IFS
#save these commands in aliased format for easy usage
for linux_command in "${COMMANDS_ON_SYSTEM[@]}"
do :
#you can change how this works to automatically
#setup the command file for you
echo "alias ${linux_command}=\"printf ''\"" >> ./startup_functions_for_beginners.sh
done
Disable shell commands in vi by aliasing the vi command to restricted mode
The syntax isalias vi="vi -Z"
, but please see this site for more information.Change the ownership of the user's
.bash_profile
to rootchown root:root /home/[username]/.bash_profile
Finally, remove write permissions on the user's
.bash_profile
chmod 755 /home/[username/.bash_profile]
Now when the users log in they won't be able to change directories, all of the commands that you don't want them to use will output the same information as if the user pressed the [ENTER]
key with no command specified, and your /bin/bash
functions stay intact.
Depending on what functions you choose to or not to alias this way, users may still be able to circumvent some of the controls that you implemented. However, since we implemented a few safety buffers, the user would really have to know about computer systems to do any dangerous.
On a related note and something that you might want to consider, if you directly place these aliases into each and every users' .bash_profile
you would have difficulty maintaining which functions should and shouldn't be aliased, and if you need to change the alias on anything you would have to change all of them individually. Also, since users can use vim
or vi
to view files, they could see the contents of their .bash_profile
and understand what restrictions they have and don't have.
To get around this I would suggest.
- Putting all of the aliases in a directory not accessible by the users (paste the contents of the
.bash_profile
here)
/[path_to_file]/startup_functions_for_beginners.sh
- Sourcing the aliases into their
.bash_profile
improved ./bash_profile file example
if [[ -f /[path_to_file]/startup_functions_for_beginners.sh ]]; then
. /[path_to_file]/startup_functions_for_beginners.sh
fi
This should put you on your way, but remember that there are almost always ways to circumvent restrictions.
Also, feel free to remix the information in this answer to suit your needs. These can most definitely be combined with a number of other restrictions as well.
Q: I need users to have access to fg
and bg
, but I don't want them to be able to access aptitude
or bash
alias apt-get="printf ''" #the user won't be able to run this
alias aptitude="printf ''" #the user won't be able to run this
alias bash="printf ''" #the user won't be able to run this
#alias fg="printf ''" #this will run as a bash built-in
#alias bg="printf ''" #you actually don't need to include these in your script
List of common commands as per this Harvard Website (NOT EXHAUSTIVE)
As you install programs to Linux what you have available to you changes. I suggest that you run the commands listed above in step 4 to help find new commands after they have been installed.
caution should be taken care of with editors because some allow for the excution of shell commands from within the program
nano
emacs
pico
sed
vi
vim
Everything Else
exit
logout
passwd
rlogin
ssh
slogin
yppasswd
mail
mesg
pine
talk
write
as
awk
bc
cc
csh
dbx
f77
gdb
gprof
kill
ld
lex
lint
make
maple
math
nice
nohup
pc
perl
prof
python
sh
yacc
xcalc
apropos
find
info
man
whatis
whereis
cd
chmod
chown
chgrp
cmp
comm
cp
crypt
diff
file
grep
gzip
ln
ls
lsof
mkdir
mv
pwd
quota
rm
rmdir
stat
sync
sort
tar
tee
tr
umask
uncompress
uniq
wc
cat
fold
head
lpq
lpr
lprm
more
less
page
pr
tail
zcat
xv
gv
xpdf
ftp
rsync
scp
alias
chquota
chsh
clear
echo
pbm
popd
pushd
script
setenv
stty
netstat
rsh
ssh
bg
fg
jobs
^y
^z
clock
date
df
du
env
finger
history
last
lpq
manpath
printenv
ps
pwd
set
spend
stty
time
top
uptime
w
who
whois
whoami
gimp
xfig
xv
xvscan
xpaint
kpaint
mplayer
realplay
timidity
xmms
abiword
addbib
col
diction
diffmk
dvips
explain
grap
hyphen
ispell
latex
pdfelatex
latex2html
lookbib
macref
ndx
neqn
nroff
pic
psdit
ptx
refer
roffbib
sortbib
spell
ispell
style
tbl
tex
tpic
wget
grabmode
import
xdpyinfo
xkill
xlock
xterm
xwininfo
html2ps
latex2html
lynx
netscape
sitecopy
weblint