Restricting Guest Users
The material concerning the restricted shell in this recipe also appears in Learning the bash Shell by Cameron Newman (O’Reilly).
Problem
You need to allow some guest users on your system and need to restrict what they can do.
Solution
Avoid using shared accounts if possible, since you lose accountability and create logistical headaches when users leave and you need to change the password and inform the other users. Create separate accounts with the least possible permissions necessary to do whatever is needed. Consider using:
A chroot jail, as discussed in Using chroot Jails
SSH to allow non-interactive access to commands or resources, as discussed in Using SSH Without a Password
bash’s restricted shell
Discussion
The restricted shell is designed to put the user into an environment where their ability to move around and write files is severely limited. It’s usually used for guest accounts. You can make a user’s login shell restricted by putting rbash in the user’s /etc/passwd entry if this option was included when bash was compiled.
The specific constraints imposed by the restricted shell disallow the user from doing the following:
Changing working directories: cd is inoperative. If you try to use it, you will get the error message from bash
cd:restricted.Redirecting output to a file: the redirectors >, >|, <>, and >> are not allowed.
Assigning a new value to the environment variables
$ENV,$BASH_ENV,$SHELL, or$PATH.Specifying any commands with slashes (/) in them. ...
Get bash Cookbook now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
