Linux users are accustomed to the flexibility of the command line. But what if you need to restrict a user’s access to certain commands? Restricted shell (RSH) can help. RSH is a command line tool that allows you to restrict a user’s access to specific commands. For example, you could use RSH to allow a user only the ls and cd commands. This would help protect that user from accidentally accessing files or folders they shouldn’t. To use RSH, first open a terminal window by clicking on the “Terminal” icon in your desktop or Start menu and typing “terminal.” Next, type the following command: ssh username@server ..
Restricted Shells
A restricted shell isn’t a different shell. It’s a different mode of a standard shell. The Bash, Korn, Fish, and other shells can all be started in restricted shell mode. We’ll be using Bash in this article, but the same principles apply to the other shells.
Because restricted shells are just another way of using your standard shell, they are easy to set up. There’s nothing to install, and they’re available wherever Linux is.
Restricted shells can be applied to scripts, too. That ensures that any damage they may cause if they’ve been written incorrectly is limited to the confines of their restricted world and that they don’t have access to your entire computer.
Be aware, though, that restricted shells are not completely escape-proof. Someone with enough knowledge can escape a restricted shell. They’re great for putting safe boundaries on a casual user, but don’t rely on restricted shells for any real-world security on a production system.
RELATED: What’s the Difference Between Bash, Zsh, and Other Linux Shells?
Restricted Bash
When you run Bash as a restricted shell, the user has some capabilities removed from them. Specifically, the user cannot:
Use cd to change the working directory. Change the values of the $PATH , $SHELL , $BASH_ENV , or $ENV environmental variables (but they can read the current values). Read or change $SHELLOPTS shell environmental options. Redirect the output of a command. Invoke commands that require a path to locate them. That is, you can’t issue a command that has one or more forward slashes “/” in it. Invoke exec to substitute a different process for the shell. Use any of the restricted features in a script.
You can invoke a restricted Bash shell by using the -r (restricted) option. Trying to do a simple task like changing the working directory is forbidden. A terse message tells you that cd is restricted.
The Bash shell can also detect when it has been invoked using “rbash” instead of “bash.” This causes it to start as a restricted shell, too. This provides a convenient way to set the default shell for a particular user, which we’ll use soon.
If we use the whereis command on Ubuntu to look for the rbash files, we’ll see that the executable is in the “usr/bin” directory. The man page is in “/usr/share/man/man1” directory.
Using the ls command with the -l (long) option reveals that rbash is actually a symbolic link to bash .
On Manjaro and Fedora, the rbash symbolic link had to be created. This works on both distributions:
The second time we use the whereis command, it finds rbash in the “/usr/bin” directory.
Restricting a User
Let’s create a new user account named “Minnie.” We’ll set their shell to be the restricted shell using the -s (shell) option of the useradd command. We’ll also set the account’s password using thepasswd command, and we’ll create a home folder for them.
The -p (parents) flag in the mkdir command tells mkdir to create the target directory and any parent directories that it needs to create, too. So by creating the “/home/minnie/bin” directory, we create the “/home/minnie” directory at the same time.
When minnie logs in, she will be running in a restricted shell.
She cannot invoke commands that need to include a forward slash “/“:
However, she can still execute commands that are found in the path.
That’s not the behavior you might have expected, and it certainly isn’t what we want. To tighten the restrictions further, we need to change the path that minnie’s shell will use to look for commands.
Tightening the Restrictions
When we created minnie’s home directory “/home/minnie”, we also created a “/home/minnie/bin” directory. This is where that directory comes into play.
We’re going to edit minnie’s “.bash_profile” file and set her path to point to that directory only. We’ll also restrict minnie’s “.bash_profile” file so that only root can edit it. That means that no other user can edit that file and change her path.
Either edit the existing “PATH=” or add the following line:
Save the file. We’ll change the owner of the file to root using the chown command and change the file permissions using the chmod command. Only the root user will be able to edit the file.
The next time user minnie logs in, her path points to a single folder.
Our restricted user minnie can only use Bash built-in commands like echo, alias, and logout. She can’t even use ls!
We’ll need to slacken our stranglehold a little if we want them to be able to do anything useful at all. We’ll create some symbolic links from minnie’s “bin” directory to the commands that we want minnie to be able to use.
When minnie next logs in, she’ll find that she can use the Bash built-in commands, plus those commands that have been linked to.
Restricting Existing Users
We created minnie as a new user. To change the shell of an existing user, we can use the -s (shell) option of the usermod command.
You can use the less command on the “/etc/passwd” file to quickly see what shell is set as a user’s default shell.
We can see that user mary will use the restricted shell when she next logs in.
Remember to apply the other changes to restricts their $PATH environment variable and to set the commands you want the user mary to be able to execute.
Restricting Scripts
A regular, unrestricted user can launch scripts that are executed in a restricted shell. Copy the following lines and paste them into an editor. Save the file as “restricted.sh” and close the editor.
We need to use the chmod command with the +x (execute) flag to make the script executable.
The first part of the script runs in a normal shell.
The second portion of the script—the bit after the “set -r” line—runs in a restricted shell.
None of the attempted actions succeed in the restricted portion of the script.
An entire script can be made to run in a restricted shell by adding -r to the first line:
Remember Houdini
Restricted shells are useful, but not completely infallible. A sufficiently skilled user may be able to escape them. But when used judiciously, they are a useful way to establish a set of limitations for a particular account.