A limited shell limits what a user account can do on Linux. A restricted user cannot change their directory and you control which commands they can access. Here̵
A limited scale is not another scale. It’s a different mode from a standard shell. The Bash, Korn, Fish and other shells can all be started in the limited shell mode. We’ll be using Bash in this article, but the same principles apply to the other shells.
Since limited shells are just another way to use your default shell, they are easy to set up. You don’t need to install anything and they are available wherever Linux is.
Limited shells can also be applied to scripts. That ensures that any damage they can cause if they are misspelled is limited to the confines of their limited world and that they cannot access your entire computer.
However, keep in mind that limited grenades are not completely escape proof. Someone with sufficient knowledge can escape a limited scale. They’re great for setting secure boundaries for an occasional user, but don’t rely on limited shells for true security on a production system.
RELATED: What’s the difference between Bash, Zsh and other Linux shells?
When you run Bash as a restricted shell, the user has removed some features from it. Specifically the user can not
cdto change the workbook.
- Change the values of the
$ENVenvironment variables (but they can read the current values).
- Read or change
$SHELLOPTSshell environmental options.
- Redirect the output of a command.
- Invoke commands that require a path to find them. That is, you cannot issue a command with one or more slashes “
/” in the.
execto replace the shell with another process.
- Use one of the limited functions in a script.
You can invoke a restricted Bash shell by using the
-r (limited) option. It is prohibited to perform a simple task such as changing the workbook. A short message tells you that
cd is limited.
The Bash shell can also detect when it was called with ‘rbash’ instead of ‘bash’. This also makes it start as a limited shell. This provides an easy way to set the default shell for a particular user, which we’ll be using shortly.
If we use the
whereis command on Ubuntu to search for the
rbash files, we will see that the executable is in the “usr / bin” directory. The man page is in the directory “/ usr / share / man / man1”.
ls command with the
-l (long) option shows that
rbash is actually a symbolic link to
ls -l /usr/bin/rbash
On Manjaro and Fedora, the
rbash symbolic link had to be made. This works on both distributions:
sudo ln -s /bin/bash /bin/rbash
The second time we run the
whereis command, finds it
rbash in the folder “/ usr / bin”.
Restrict a user
Let’s create a new user account called ‘Minnie’. We will set their shell as the constrained shell using the
-s (shell) option of the
useradd order. We will also set the account password with the
passwd command, and we’ll create a home folder for them.
-p (parents) flag in the
mkdir command tells
mkdir to create the target directory and any parent directories it should create as well. So by creating the folder “/ home / minnie / bin”, we create the folder “/ home / minnie” at the same time.
sudo useradd minnie -s /bin/rbash
sudo passwd minnie
sudo mkdir -p /home/minnie/bin
When Minnie logs in, she is running in a restricted shell.
She cannot use commands that must contain a slash “
However, she can still execute commands found in the path.
That’s not the behavior you might have expected, and it’s certainly not what we want. To tighten the restrictions further, we need to change the path that Minnie’s shell will use to search for commands.
Tightening of the restrictions
When we created minnie’s home directory “/ home / minnie”, we also created a directory “/ home / minnie / bin”. This is where that map comes into play.
We’re going to edit Minnie’s “.bash_profile” file and set her path to point to that folder only. We will also restrict Minnie’s “.bash_profile” file so that only root can edit it. That means no other user can edit that file and change its path.
sudo gedit /home/minnie/.bash_profile
Edit the existing “PATH =” or add the following line:
Save the file. We will change the owner of the file to root using the
chown command and change the file permissions with the
chmod order. Only the root user can edit the file.
sudo chown root:root /home/minnie/.bash_profile
sudo chmod 755 /home/minnie/.bash_profile
ls -l /home/minnie/.bash_profile
The next time user minnie logs in, her path points to a single directory.
Our limited user minnie can only use built-in Bash commands such as
logoutShe can’t even use it
We’ll have to relax our stranglehold a bit if we want them to be able to do anything useful at all. We will create some symbolic links from Minnie’s “bin” directory to the commands we want Minnie to use.
sudo ln -s /bin/ls /home/minnie/bin
sudo ln -s /bin/top /home/minnie/bin
sudo ln -s /bin/uptime /home/minnie/bin
sudo ln -s /bin/pinky /home/minnie/bin
The next time Minnie logs in, she will find she can use the built-in Bash commands, plus the commands associated with them.
Restrict existing users
We created minnie as a new user. To change the shell of an existing user, we can use the
-s (shell) option of the
sudo usermod -s /bin/rbash mary
You can use the
less command in the “/ etc / passwd” file to quickly see which shell is set as a user’s default shell.
We can see that user Mary will use the restricted shell the next time she logs in.
Don’t forget to apply the other changes to their
$PATH environment variable and to set the commands you want the user mary to run.
A regular, unrestricted user can run scripts that run in a restricted shell. Copy the following lines and paste them into an editor. Save the file as “restricted.sh” and close the editor.
#!/bin/bash # script starts in normal Bash shell echo "## In UNrestricted mode! ##" echo echo "Current directory: `pwd`" echo "Changing directory" cd /usr/share echo "Now in directory: `pwd`" echo "Changing to home directory" cd ~ echo "Now in directory: `pwd`" # Setting restricted mode set -r echo echo "## In restricted mode! ##" echo echo "Current directory: `pwd`" echo "Changing directory to /home/" cd /home echo "Still in directory: `pwd`" echo echo "Trying to start another shell" /bin/bash echo echo "Trying to redirect command output" ls -l $HOME > my_files.txt cat my_files.txt echo exit 0
We need the
chmod command with the
+x (execute) flag to make the script executable.
chmod +x restricted.sh
The first part of the script runs in a normal shell.
The second part of the script – the bit after the line “set -r” – runs in a restricted shell.
None of the actions performed succeed in the restricted portion of the script.
A full script can be run in a limited shell by adding
-r to the first line:
Limited shells are helpful, but not completely foolproof. A sufficiently skilled user can escape it. But when used judiciously, they are a useful way to establish a range of restrictions for a particular account.