How can I restrict the normal user to run only limited set of commands in RHEL?
Environment
- Red Hat Enterprise Linux 5
- Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 8
Issue
- Need to restrict the normal users to run only limited set of commands assigned to him/her and all other commands for which normal user have permission to execute by-default, shall not be executed.
E.g: user XYZ can run only gzip
and gunzip
commands.
Resolution
Disclaimer : This is just a hack, not recommended for Actual Production Use
Important Notice
-
The following information has been provided by Red Hat, but is outside the scope of the posted Service Level Agreements and support procedures.
-
The normal user has been given permission to execute some commands which are available in
/bin/
and/usr/local/bin/
, So to remove those permissions and to restrict the user to run only particular set of commands, following steps shall be useful.
1.
Create the restricted shell.
# cp /bin/bash /bin/rbash
2.
Modify the target user for the shell as restricted shell
While creating user:
# useradd -s /bin/rbash localuser
For existing user:
# usermod -s /bin/rbash localuser
For more detailed information on this, please check the KBase Article 8349
Then the user localuser
is chroot
ed and can't access the links outside his home directory /home/localuser
3.
Create a directory under /home/localuser/
, e.g. programs
# mkdir /home/localuser/programs
4.
Now if you check, the user localuser
can access all commands which he/she has allowed to execute. These commands are taken from the environmental PATH
variable which is set in /home/localuser/.bash_profile
. Modify it as follows.
# cat /home/localuser/.bash_profile
# .bash_profile
# Get the aliases and functions
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi
# User specific environment and startup programs
readonly PATH=$HOME/programs
export PATH
Here the PATH
variable is set to ~/programs
directory, as /usr/local/bin
is binded to /home/username/bin
and /bin
is binded to /home/username/bin
so replacing that.
5.
Now after logging with the username localuser
, user cant run a simple command too. The output will be like this,
[localuser@example ~]$ ls
-rbash: ls: command not found
[localuser@example ~]$ less file1
-rbash: less: command not found
[localuser@example ~]$ clear
-rbash: clear: command not found
[localuser@example ~]$ date
-rbash: date: command not found
[localuser@example ~]$ ping redhat.com
-rbash: ping: command not found
6.
Now create the softlinks of commands which are required for user localuser
to execute in the directory /home/localuser/programs
# ln -s /bin/date /home/localuser/programs/
# ln -s /bin/ls /home/localuser/programs/
# ll /home/localuser/programs/
total 8
lrwxrwxrwx 1 root root 9 Oct 17 15:53 date -> /bin/date
lrwxrwxrwx 1 root root 7 Oct 17 15:43 ls -> /bin/ls
Here examples of date and ls commands has been taken
7.
Again login with user localuser
and try to execute the commands.
[localuser@example ~]$ date
Mon Oct 17 15:55:45 IST 2011
[localuser@example ~]$ ls
file1 file10 file2 file3 file4 file5 file6 file7 file8 file9 programs
[localuser@example ~]$ clear
-rbash: clear: command not found
8.
One more step can be added to restrict the user for making any modifications in their .bash_profile
, as users can change it.
Run the following command to make the user localuser
's .bash_profile
file as immutable so that root/localuser can't modify it until root removes immutable permission from it.
# chattr +i /home/localuser/.bash_profile
To remove immutable tag,
# chattr -i /home/localuser/.bash_profile
Make file .bash_profile as immutable
so that user localuser
can't change the environmental paths.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
Comments