
A restricted shell limits what a user account can do on Linux. A restricted user cannot change their directory, and you control which commands they have access to. Here is how to set up a restricted shell on Linux.
Restricted shells
A restricted shell is not a distinct shell. It is a different mode of a standard shell. The Bash, Korn, Fish, and other shells can be started in restricted shell mode. We will use Bash in this post, but the same principles apply to the other shells.
Because restricted shells are just another way to use your standard shell, they are easy to configure. There is nothing to install and they are available wherever Linux is.
Restricted shells can also be applied to scripts. That ensures that any damage they may cause if they are badly written is confined to their restricted world, and that they do not have access to your entire computer.
Note, though, that restricted shells are not completely escape-proof. Someone with enough knowledge can escape a restricted shell. They are great for setting safe limits for a casual user, but don't rely on restricted shells for real-world security on a production system.
Restricted Bash
When you run Bash as a restricted shell, the user has some capabilities removed. Specifically, the user cannot:
- Use cd to change the working directory.
- Change the values of the $PATH, $SHELL, $BASH_ENV, or $ENV environment variables (but they can read the current values).
- Read or change $SHELLOPTS shell environmental options.
- Redirect the output of a command.
- Invoke commands that require a path to locate them. In other words, you cannot issue a command that has one or more forward slashes “/” in it.
- Invoke exec to replace the shell with a different process.
- Use any of the restricted features in a script.
You can invoke a restricted Bash shell using the -r (restricted) option. Attempting even a simple task such as changing the working directory is prohibited. A terse message tells you that cd is restricted.
bash -r
cd Documents
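The restrictions listed above can be confirmed on a given system with a small probe. This is an added example, not part of the original article: the function names probe_restricted and report and the choice of probes are assumptions made here, and each probe is run in bash -r and again in a normal Bash for comparison.

```shell
#!/bin/sh
# Added example: confirm that "bash -r" refuses each operation listed above.
# Every probe runs in its own throwaway directory, which is removed afterwards.

# probe_restricted FLAG SNIPPET
#   FLAG is "-r" for a restricted shell, or "" for a normal one.
#   Returns 0 if the shell refused the snippet, 1 if the snippet ran.
probe_restricted() {
    p_flag=$1; p_code=$2
    p_dir=$(mktemp -d) || return 2
    # --noprofile/--norc keep startup files from influencing the result.
    if (cd "$p_dir" && bash --noprofile --norc ${p_flag:+"$p_flag"} \
            -c "$p_code") </dev/null >/dev/null 2>&1
    then p_refused=1    # snippet succeeded, so nothing blocked it
    else p_refused=0    # snippet failed, so the shell refused it
    fi
    rm -rf "$p_dir"
    return "$p_refused"
}

# report: run each probe in both kinds of shell and print the comparison.
report() {
    while IFS='|' read -r label code; do
        if probe_restricted -r "$code"; then r=blocked; else r=ALLOWED; fi
        if probe_restricted "" "$code"; then n=blocked; else n=allowed; fi
        printf '%-18s restricted=%-8s normal=%s\n' "$label" "$r" "$n"
    done <<'EOF'
cd|cd /
set PATH|PATH=/tmp
set SHELL|SHELL=/bin/sh
redirect output|echo data > out.txt
slash in command|/bin/true
exec|exec true
EOF
}

report
```

Any line that reports ALLOWED in the restricted column means the shell being tested is not enforcing that restriction.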
The Bash shell can also detect when it has been invoked using “rbash” instead of “bash”. This also makes it start as a restricted shell. This provides a convenient way to set the default shell for a particular user, which we will use soon.
If we use the whereis command in Ubuntu to search for the rbash files, we will see that the executable is in the “/usr/bin” directory. The man page is in the “/usr/share/man/man1” directory.
Using the ls command with the -l (long) option reveals that rbash is actually a symbolic link to bash.
whereis rbash
ls -l /usr/bin/rbash
In Manjaro and Fedora, the rbash symbolic link had to be created. This works on both distributions:
whereis rbash
sudo ln -s /bin/bash /bin/rbash
whereis rbash
The second time we use the whereis command, it finds rbash in the “/usr/bin” directory.
Restricting a user
Let's create a new user account called “minnie”. We will set their shell to be the restricted shell using the -s (shell) option of the useradd command. We will also set the account password using the passwd command, and we will create a home folder for them.
The -p (parents) flag in the mkdir command tells mkdir to create the target directory and any parent directories that it needs to create as well. So, by creating the “/home/minnie/bin” directory, we create the “/home/minnie” directory at the same time.
sudo useradd minnie -s /bin/rbash
sudo passwd minnie
sudo mkdir -p /home/minnie/bin
When minnie logs in, she will be running in a restricted shell.
cd
She cannot invoke commands that need to include a forward slash “/”:
/usr/bin/ping
Despite this, she can still run commands that are found in the path.
ping
That is not the behavior you might have expected, and it's certainly not what we want. To tighten the restrictions further, we need to change the path that minnie's shell will use to look for commands.
Tightening the restrictions
When we created minnie's home directory “/home/minnie”, we also created a “/home/minnie/bin” directory. This is where that directory comes into play.
Let's edit minnie's “.bash_profile” file and set her path to point only to that directory. We will also restrict minnie's “.bash_profile” file so that only root can edit it. That means no other user can edit that file and change her path.
sudo gedit /home/minnie/.bash_profile
Edit the existing “PATH=” line or add the following line:
PATH=$HOME/bin
Save the file. We'll change the owner of the file to root using the chown command and change the file permissions using the chmod command. Only the root user will be able to edit the file.
sudo chown root:root /home/minnie/.bash_profile
sudo chmod 755 /home/minnie/.bash_profile
ls -l /home/minnie/.bash_profile
The next time the minnie user logs in, her path points to a single folder.
Our restricted user minnie can only use built-in Bash commands like echo, alias, and logout. She can't even use ls!
ls
We will have to loosen our grip a little if we want them to be able to do anything useful. We will create some symbolic links from minnie's “bin” directory to the commands that we want minnie to be able to use.
sudo ln -s /bin/ls /home/minnie/bin
sudo ln -s /bin/top /home/minnie/bin
sudo ln -s /bin/uptime /home/minnie/bin
sudo ln -s /bin/pinky /home/minnie/bin
The next time minnie logs in, she will find that she can use the built-in Bash commands as well as the commands that have been linked to.
ls
pinky dave
uptime
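The lock-down above only holds while minnie cannot change “.bash_profile” or the contents of her “bin” directory, so it is worth auditing after any change to the account. The script below is an added example, not part of the original article: the function names (flag, check_locked, audit_restricted_home) and the UID 60001 are made up here, and it assumes the home directory layout used above and an ls that supports -n.

```shell
#!/bin/sh
# Added example: audit the files that enforce the PATH lock-down for a
# restricted account. Names and layout follow the article's minnie setup.

findings=0
flag() { printf 'FINDING: %s\n' "$1"; findings=1; }

# check_locked PATH UID: flag PATH if UID owns it or group/other can write it.
check_locked() {
    [ -e "$1" ] || return 0
    info=$(ls -ldnL -- "$1" | awk '{print $1, $3}')   # e.g. "drwxr-xr-x 0"
    perms=${info% *}; owner=${info#* }
    [ "$owner" != "$2" ] || flag "$1 is owned by the restricted user"
    case $perms in
        ?????w*|????????w*) flag "$1 is group- or world-writable ($perms)" ;;
    esac
}

# audit_restricted_home HOME_DIR RESTRICTED_UID
#   Prints findings; returns 0 if the tree is locked down, 1 otherwise.
audit_restricted_home() {
    home=$1; ruid=$2; findings=0
    # Directories count too: write access to a directory is enough to
    # rename or replace the files inside it, whoever owns them.
    for p in "$home" "$home/bin" "$home/.bash_profile" \
             "$home/.bash_login" "$home/.profile" "$home/.bashrc"; do
        check_locked "$p" "$ruid"
    done
    [ -f "$home/.bash_profile" ] || flag "$home/.bash_profile is missing"
    # Each entry in bin is a command the account can run: list it for
    # review and flag anything that is not a symlink to an executable.
    for entry in "$home"/bin/*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        if [ -L "$entry" ] && [ -x "$entry" ]; then
            printf 'allowed: %s -> %s\n' "${entry##*/}" "$(readlink "$entry")"
        else
            flag "$entry is not a symlink to an executable"
        fi
    done
    return "$findings"
}

# Constructed demo tree standing in for /home/minnie; 60001 is a made-up UID.
demo=$(mktemp -d); (umask 022; mkdir "$demo/bin"
    echo 'PATH=$HOME/bin' > "$demo/.bash_profile"; ln -s /bin/ls "$demo/bin/ls")
audit_restricted_home "$demo" 60001 && echo "demo tree: locked down"
rm -rf "$demo"
```

On a real system, run it as root with the account's home directory and numeric UID, for example the output of id -u minnie.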
Restricting existing users
We created minnie as a new user. To change the shell of an existing user, we can use the -s (shell) option of the usermod command.
sudo usermod -s /bin/rbash mary
You can use the less command on the “/etc/passwd” file to quickly see which shell is set as a user's default shell.
less /etc/passwd
We can see that user mary will use the restricted shell the next time she logs in.
Remember to apply the other changes to restrict her $PATH environment variable and to set the commands you want user mary to be able to execute.
Script restriction
A normal, unrestricted user can start scripts that run in a restricted shell. Copy the following lines and paste them into an editor. Save the file as “restricted.sh” and close the editor.
#!/bin/bash

# script starts in normal Bash shell
echo "## In UNrestricted mode! ##"
echo
echo "Current directory: `pwd`"
echo "Changing directory"
cd /usr/share
echo "Now in directory: `pwd`"
echo "Changing to home directory"
cd ~
echo "Now in directory: `pwd`"

# Setting restricted mode
set -r
echo
echo "## In restricted mode! ##"
echo
echo "Current directory: `pwd`"
echo "Changing directory to /home/"
cd /home
echo "Still in directory: `pwd`"
echo
echo "Trying to start another shell"
/bin/bash
echo
echo "Trying to redirect command output"
ls -l $HOME > my_files.txt
cat my_files.txt
echo

exit 0
We need to use the chmod command with the +x (execute) flag to make the script executable.
chmod +x restricted.sh
The first part of the script runs in a normal shell.
./restricted.sh
The second part of the script, the bit that follows the line “set -r”, runs in a restricted shell.
None of the attempted actions are successful in the restricted part of the script.
An entire script can be made to run in a restricted shell by adding -r to the first line:
#!/bin/bash -r
Remember Houdini
Restricted shells are useful, but not completely infallible. A sufficiently skilled user can escape them. But when used judiciously, they are a useful way to establish a set of limitations for a particular account.