Shweta Bagul
3 min read · Jun 26, 2020


How to Provide Restricted Access to User in Linux using Rbash

We are all familiar with the Linux shell. In the simplest terms, the shell is a command-line interpreter that provides a command-line user interface for Unix-like operating systems.

There are different types of Unix shells, such as the Bourne shell (sh), C shell (csh), Bourne-Again shell (bash), Korn shell (ksh), Z shell (zsh), etc.

Among all the shells, bash is the old-fashioned, command-line fossil. Smart DevOps engineers and sysadmins know pretty well how to make the most of it. There are often times in software development when we want to give users restricted access in some environments. Even if they do not have sudo access, we certainly don’t want those users viewing important configuration files or any client data.

So how do we achieve that? rbash, the restricted shell, comes to the rescue! In the example below, we are going to give a newly created user access to a handful of commands.

Let's start!

Create a symlink called rbash that points to Bash, as shown below. The following commands should be run as the root user.

# ln -s /bin/bash /bin/rbash

Next, create a user called “testuser” with rbash as the default login shell.

# useradd testuser -s /bin/rbash

Set a password for the new user.

# passwd testuser
<give password>

Create a bin directory inside the home folder of the new user.

# mkdir /home/testuser/bin

Now, we need to specify which commands the user can run.

Here, I am going to let the user run only the “ls”, “mkdir”, and “ping” commands. You can assign any commands of your choice.

To do so, run the following commands:

# ln -s /bin/ls /home/testuser/bin/ls

# ln -s /bin/mkdir /home/testuser/bin/mkdir

# ln -s /bin/ping /home/testuser/bin/ping

# ln -s /usr/bin/scp /home/testuser/bin/scp

— — — — — — — — — — — — — — — — — — — — —— — — — — —
Next, prevent the user from modifying .bash_profile.

# chown root: /home/testuser/.bash_profile

# chmod 755 /home/testuser/.bash_profile

— — — — — — — — — — — — — — — — — — —— — — — — —
Edit the /home/testuser/.bash_profile file:

# vi /home/testuser/.bash_profile

Modify the PATH variable as shown below and save the file. Make sure you source it afterwards for the changes to take effect.

PATH=$HOME/bin

This is it! The new user ‘testuser’ is ready to use the restricted shell.

Keep in mind that an rbash setup should always be accompanied by setting PATH to a value that allows execution of only a few verified commands, leaving the user in a non-writable directory other than the home directory after login, not allowing the restricted shell to execute shell scripts, and cleaning the environment of variables that cause some commands to modify their behavior.
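
To check a restricted home directory against the points above, here is an added audit function (example code, not part of the original article) that verifies ownership and permissions of .bash_profile and bin, the PATH line, and that every entry in bin is an allowlisted symlink whose target matches its name. The function name, its arguments and the FINDING output format are assumptions made for this example, and it relies on GNU stat.

```bash
#!/usr/bin/env bash
# Added example (not from the original article).
# Usage: audit_rbash_home HOME_DIR OWNER "cmd1 cmd2 ..."
# Prints one line per finding; the return status is the number of findings.
audit_rbash_home() {
    local home="$1" owner="$2" allowed=" $3 " n=0 f link name target
    finding() { echo "FINDING: $*"; n=$((n + 1)); }

    # .bash_profile and bin must belong to OWNER (root on a real system)
    # and must not be writable by group or others.
    for f in "$home/.bash_profile" "$home/bin"; do
        if [ ! -e "$f" ]; then finding "$f is missing"; continue; fi
        [ "$(stat -c %U "$f")" = "$owner" ] || finding "$f is not owned by $owner"
        case $(stat -c %A "$f") in
            ?????w*|????????w*) finding "$f is group- or world-writable" ;;
        esac
    done

    # The last PATH assignment in the profile must be exactly $HOME/bin.
    f=$(grep -E '^[[:space:]]*(export[[:space:]]+)?PATH=' "$home/.bash_profile" 2>/dev/null | tail -n 1)
    case $f in
        'PATH=$HOME/bin'|'export PATH=$HOME/bin') ;;
        *) finding "last PATH assignment is '${f:-none}', expected PATH=\$HOME/bin" ;;
    esac

    # Every entry in bin must be an allowlisted symlink whose target exists,
    # is executable, and has the same basename as the link itself.
    for link in "$home/bin"/* "$home/bin"/.[!.]*; do
        [ -e "$link" ] || [ -L "$link" ] || continue   # skip unmatched globs
        name=${link##*/}
        case $allowed in
            *" $name "*) ;;
            *) finding "$name is not on the allowlist" ;;
        esac
        if [ ! -L "$link" ]; then finding "$name is not a symlink"; continue; fi
        target=$(readlink "$link")
        if [ ! -x "$link" ]; then
            finding "$name -> $target is missing or not executable"
        elif [ "${target##*/}" != "$name" ]; then
            finding "$name points at $target (basename differs)"
        fi
    done
    return "$n"
}
```

For the setup in this article, run it as root with `audit_rbash_home /home/testuser root "ls mkdir ping"`, extending the allowlist to match the commands you linked.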

(References: Wikipedia, GNU documentation)
