قالب وردپرس درنا توس
Home / Tips and Tricks / Using limited shell to limit what a Linux user can do

Using limited shell to limit what a Linux user can do

A terminal window on a Linux system.
Fatmawati Achmad Zaenuri / Shutterstock

A limited shell limits what a user account can do on Linux. A restricted user cannot change their directory and you control which commands they can access. Here̵

7;s how to set up a restricted shell on Linux.

Limited shells

A limited scale is not another scale. It’s a different mode from a standard shell. The Bash, Korn, Fish and other shells can all be started in the limited shell mode. We’ll be using Bash in this article, but the same principles apply to the other shells.

Since limited shells are just another way to use your default shell, they are easy to set up. You don’t need to install anything and they are available wherever Linux is.

Limited shells can also be applied to scripts. That ensures that any damage they can cause if they are misspelled is limited to the confines of their limited world and that they cannot access your entire computer.

However, keep in mind that limited grenades are not completely escape proof. Someone with sufficient knowledge can escape a limited scale. They’re great for setting secure boundaries for an occasional user, but don’t rely on limited shells for true security on a production system.

RELATED: What’s the difference between Bash, Zsh and other Linux shells?

Limited bash

When you run Bash as a restricted shell, the user has removed some features from it. Specifically the user can not

  • Use cd to change the workbook.
  • Change the values ​​of the $PATH $SHELL $BASH_ENV , or $ENV environment variables (but they can read the current values).
  • Read or change $SHELLOPTS shell environmental options.
  • Redirect the output of a command.
  • Invoke commands that require a path to find them. That is, you cannot issue a command with one or more slashes “/” in the.
  • Invoke exec to replace the shell with another process.
  • Use one of the limited functions in a script.

You can invoke a restricted Bash shell by using the -r (limited) option. It is prohibited to perform a simple task such as changing the workbook. A short message tells you that cd is limited.

bash -r
cd Documents

The Bash shell can also detect when it was called with ‘rbash’ instead of ‘bash’. This also makes it start as a limited shell. This provides an easy way to set the default shell for a particular user, which we’ll be using shortly.

If we use the whereis command on Ubuntu to search for the rbash files, we will see that the executable is in the “usr / bin” directory. The man page is in the directory “/ usr / share / man / man1”.

The habits ls command with the -l (long) option shows that rbash is actually a symbolic link to bash

whereis rbash
ls -l /usr/bin/rbash

On Manjaro and Fedora, the rbash symbolic link had to be made. This works on both distributions:

whereis rbash
sudo ln -s /bin/bash /bin/rbash
whereis rbash

The second time we run the whereis command, finds it rbash in the folder “/ usr / bin”.

Restrict a user

Let’s create a new user account called ‘Minnie’. We will set their shell as the constrained shell using the -s (shell) option of the useradd order. We will also set the account password with thepasswd command, and we’ll create a home folder for them.

The -p (parents) flag in the mkdir command tells mkdir to create the target directory and any parent directories it should create as well. So by creating the folder “/ home / minnie / bin”, we create the folder “/ home / minnie” at the same time.

sudo useradd minnie -s /bin/rbash
sudo passwd minnie
sudo mkdir -p /home/minnie/bin

When Minnie logs in, she is running in a restricted shell.


She cannot use commands that must contain a slash “/


However, she can still execute commands found in the path.


That’s not the behavior you might have expected, and it’s certainly not what we want. To tighten the restrictions further, we need to change the path that Minnie’s shell will use to search for commands.

Tightening of the restrictions

When we created minnie’s home directory “/ home / minnie”, we also created a directory “/ home / minnie / bin”. This is where that map comes into play.

We’re going to edit Minnie’s “.bash_profile” file and set her path to point to that folder only. We will also restrict Minnie’s “.bash_profile” file so that only root can edit it. That means no other user can edit that file and change its path.

sudo gedit /home/minnie/.bash_profile

Edit the existing “PATH =” or add the following line:


Save the file. We will change the owner of the file to root using the chown command and change the file permissions with the chmod order. Only the root user can edit the file.

sudo chown root:root /home/minnie/.bash_profile
sudo chmod 755 /home/minnie/.bash_profile
ls -l /home/minnie/.bash_profile

The next time user minnie logs in, her path points to a single directory.

Our limited user minnie can only use built-in Bash commands such as echo alias, and logoutShe can’t even use it ls


We’ll have to relax our stranglehold a bit if we want them to be able to do anything useful at all. We will create some symbolic links from Minnie’s “bin” directory to the commands we want Minnie to use.

sudo ln -s /bin/ls /home/minnie/bin
sudo ln -s /bin/top /home/minnie/bin
sudo ln -s /bin/uptime /home/minnie/bin
sudo ln -s /bin/pinky /home/minnie/bin

The next time Minnie logs in, she will find she can use the built-in Bash commands, plus the commands associated with them.

pinky dave

Restrict existing users

We created minnie as a new user. To change the shell of an existing user, we can use the -s (shell) option of the usermod order.

sudo usermod -s /bin/rbash mary

You can use the less command in the “/ etc / passwd” file to quickly see which shell is set as a user’s default shell.

less /etc/passwd

We can see that user Mary will use the restricted shell the next time she logs in.

Don’t forget to apply the other changes to their $PATH environment variable and to set the commands you want the user mary to run.

Restrict scripts

A regular, unrestricted user can run scripts that run in a restricted shell. Copy the following lines and paste them into an editor. Save the file as “restricted.sh” and close the editor.


# script starts in normal Bash shell
echo "## In UNrestricted mode! ##"

echo "Current directory: `pwd`"
echo "Changing directory"
cd /usr/share
echo "Now in directory: `pwd`"
echo "Changing to home directory"
cd ~
echo "Now in directory: `pwd`"

# Setting restricted mode
set -r

echo "## In restricted mode! ##"

echo "Current directory: `pwd`"
echo "Changing directory to /home/"
cd /home
echo "Still in directory: `pwd`"

echo "Trying to start another shell"

echo "Trying to redirect command output"
ls -l $HOME > my_files.txt
cat my_files.txt

exit 0

We need the chmod command with the +x (execute) flag to make the script executable.

chmod +x restricted.sh

The first part of the script runs in a normal shell.


The second part of the script – the bit after the line “set -r” – runs in a restricted shell.

None of the actions performed succeed in the restricted portion of the script.

A full script can be run in a limited shell by adding -r to the first line:

!#/bin/bash -r

Remember Houdini

Limited shells are helpful, but not completely foolproof. A sufficiently skilled user can escape it. But when used judiciously, they are a useful way to establish a range of restrictions for a particular account.

Source link