Old 10-01-2001, 02:25 PM   #1
flex411
LQ Newbie
 
Registered: Apr 2001
Posts: 18

Rep: Reputation: 0
limit access

Hi, I am trying to configure an account on my box so they can't move down a level "cd ..". I just want them to have access to their home dir and anything they make in that dir. Any help would be great. Thanks in advance.
 
Old 10-01-2001, 03:07 PM   #2
d3funct
Member
 
Registered: Jun 2001
Location: Centralia, WA
Posts: 274

Rep: Reputation: 31
Do a man on bash and look at the "-r" flag. This is a "restricted shell":

RESTRICTED SHELL
If bash is started with the name rbash, or the -r option is supplied at invocation, the shell becomes restricted. A restricted shell is used to set up an environment more controlled than the standard shell. It behaves identically to bash with the exception that the following are disallowed or not performed:
changing directories with cd
setting or unsetting the values of SHELL, PATH, ENV, or BASH_ENV
specifying command names containing /
specifying a file name containing a / as an argument to the . builtin command
specifying a filename containing a slash as an argument to the -p option to the hash builtin command
importing function definitions from the shell environment at startup
parsing the value of SHELLOPTS from the shell environment at startup
redirecting output using the >, >|, <>, >&, &>, and >> redirection operators
using the exec builtin command to replace the shell with another command
adding or deleting builtin commands with the -f and -d options to the enable builtin command
specifying the -p option to the command builtin command
turning off restricted mode with set +r or set +o restricted.

These restrictions are enforced after any startup files are read. When a command that is found to be a shell script is executed (see COMMAND EXECUTION above), rbash turns off any restrictions in the shell spawned to execute the script.
 
Old 10-01-2001, 03:59 PM   #3
flex411
LQ Newbie
 
Registered: Apr 2001
Posts: 18

Original Poster
Rep: Reputation: 0
thanx

Cool, thanks, it works by just changing bash at the CLI, but would you know where to put bash -r so it executes when the user logs in?
 
Old 10-01-2001, 04:09 PM   #4
d3funct
Member
 
Registered: Jun 2001
Location: Centralia, WA
Posts: 274

Rep: Reputation: 31
Put it in /etc/passwd so it looks like this

username:x:500:500:User Name:/home/username:/bin/rbash

You can use rbash or bash -r according to the manpage. If you want to use "bash -r", you'll have to put /bin/bash -r in quotes: "/bin/bash -r".

Hope this helps.
 
Old 10-01-2001, 04:32 PM   #5
flex411
LQ Newbie
 
Registered: Apr 2001
Posts: 18

Original Poster
Rep: Reputation: 0
hmmm

Now when I try to log in it says invalid un or password. I tried both ways, with rbash and bash -r, just like you said. So I changed it back to the way it was and I can log in again. Hmm, what do you think the problem is? It's Red Hat 7.1.
 
Old 10-01-2001, 04:47 PM   #6
d3funct
Member
 
Registered: Jun 2001
Location: Centralia, WA
Posts: 274

Rep: Reputation: 31
OK, let's create a file called "rbash".

Su to root and do:
vi /bin/rbash

The script will look like this

#!/bin/bash
bash -r
#run restricted bash

Quit and save that with wq.

Now edit /etc/passwd and give the user /bin/rbash for their new shell instead of /bin/bash.

This will work, I just tested it myself. Any problems drop me an e-mail.
 
Old 10-01-2001, 04:53 PM   #7
flex411
LQ Newbie
 
Registered: Apr 2001
Posts: 18

Original Poster
Rep: Reputation: 0
YES

Yes, thank you. I ran into a small prob but figured out I didn't give the file the right permissions, but now it's all set. Thank you so much.
 
Old 10-01-2001, 05:00 PM   #8
flex411
LQ Newbie
 
Registered: Apr 2001
Posts: 18

Original Poster
Rep: Reputation: 0
hehehe

Hehehe, all I have to do now is type "bash" as that user and I'm back to regular bash? I could just restrict everyone except root to using that command? What would you suggest? Because I would have to do that for every shell type, like bash2 and sh.
 
Old 10-01-2001, 05:10 PM   #9
d3funct
Member
 
Registered: Jun 2001
Location: Centralia, WA
Posts: 274

Rep: Reputation: 31
I'd suggest moving commands like "ls, mv, cp, etc." to /usr/local/bin and then changing the user's path so that they don't have path access to /bin or /sbin.
 
Old 10-01-2001, 05:18 PM   #10
flex411
LQ Newbie
 
Registered: Apr 2001
Posts: 18

Original Poster
Rep: Reputation: 0
cool

Sounds good. Do you know how to change the path for users? That's something I've always wanted to know how to do. Also, it wouldn't matter if I did that, would it? All they have to do is type /sbin/command and that would do the same thing, yes, no?
 
Old 10-01-2001, 05:25 PM   #11
d3funct
Member
 
Registered: Jun 2001
Location: Centralia, WA
Posts: 274

Rep: Reputation: 31
The restricted shell invalidates absolute path commands (/usr/bin/foo) from being executed.
To change the user's path, just edit their .bash_profile to make sure they aren't pointing to any directories they shouldn't be in, then copy /etc/profile to /etc/profile.orig. Edit /etc/profile and remove paths to directories you don't want accessed. Make sure that root has all directories in his path that are needed and copy the /etc/profile.orig to root's directory for safe keeping.
 
Old 10-01-2001, 05:47 PM   #12
flex411
LQ Newbie
 
Registered: Apr 2001
Posts: 18

Original Poster
Rep: Reputation: 0
thanx again

Good stuff. I haven't done it yet and am sure I'll run into trouble when I try, but I'll keep trying until I get it and update ya with a status.
 
Old 03-09-2004, 07:32 AM   #13
netxn
LQ Newbie
 
Registered: Mar 2004
Posts: 1

Rep: Reputation: 0
RH9 box, x86............Sorry to bring back an old thread....

========================
#!/bin/bash
bash -r .........OK
========================
I modified /etc/passwd ......OK
baduser:.........................:/bin/rbash
========================

root$ ssh localhost -l baduser
pass: ******
Welcome to rbash
baduser$
baduser$ ls
not found
baduser$ cd /
restricted
baduser$ /bin/bash
restricted
baduser$ bash
not found
baduser$ tcsh
not found

questions:
========

I would like to copy some commands (ls, mv, cp, joe, pico, lynx, pine)
(symbolic links to /bin/...) to "/restricted" then set the baduser path....
PATH=/restricted
I tried to create a new file ".bash_profile" on baduser's home
directory with this content:

================
PATH=/restricted
================
but rbash is ignoring this file, when I do this:
baduser$
baduser$ set
..... path variable is not there

.....
then I tried to create a new /etc/profile and new /etc/bashrc
but same problem, path variable is not there...

Thanks

Last edited by netxn; 03-09-2004 at 07:36 AM.
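
An added example, not part of the thread or any poster's code: an audit for the setup discussed in posts #8 to #13, listing the accounts that log in through /bin/rbash and checking that a restricted PATH directory such as /restricted contains nothing that resolves to an ordinary shell. The shell-name list, function names and sample tree are assumptions made for the illustration.

```shell
#!/bin/bash
# Added example, not from the thread. /bin/rbash and /restricted are the
# thread's names; SHELL_NAMES and the sample tree are assumptions.
SHELL_NAMES="bash bash2 sh tcsh csh ksh zsh dash"

# Print the login names in a passwd-format file whose shell is /bin/rbash.
rbash_users() {
    awk -F: '$7 == "/bin/rbash" { print $1 }' "$1"
}

# Print every entry in directory $1 that is, or resolves to, a shell.
# Names are compared before and after symlink resolution, so a link
# called "list" that points at a bash binary is still reported.
shells_in_path_dir() {
    for entry in "$1"/*; do
        [ -e "$entry" ] || continue          # skip empty dir, dangling links
        target=$(readlink -f "$entry")
        for name in $SHELL_NAMES; do
            if [ "${entry##*/}" = "$name" ] || [ "${target##*/}" = "$name" ]; then
                echo "${entry##*/} -> $target"
                break
            fi
        done
    done
}

# Succeed only when the PATH directory exposes no shell.
path_dir_is_safe() {
    [ -z "$(shells_in_path_dir "$1")" ]
}

# Constructed sample: a passwd file and a /restricted-style directory of
# symlinks, one of which points at a shell under another name.
make_sample() {
    mkdir -p "$1/bin" "$1/restricted"
    touch "$1/bin/ls" "$1/bin/cp" "$1/bin/bash"
    ln -s "$1/bin/ls" "$1/restricted/ls"
    ln -s "$1/bin/cp" "$1/restricted/cp"
    ln -s "$1/bin/bash" "$1/restricted/list"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'baduser:x:500:500:Bad User:/home/baduser:/bin/rbash' > "$1/passwd"
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d) && make_sample "$tmp"
    rbash_users "$tmp/passwd"
    shells_in_path_dir "$tmp/restricted"
    rm -rf "$tmp"
fi
```

On a real host, pass /etc/passwd to rbash_users and the restricted account's PATH directory to path_dir_is_safe after every change to the links.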
 
  

