[Ilugc] how to restrict the users, from running some specific commands.
- From: kanagaraj.rk@xxxxxxxxx (RK RK)
- Date: Mon, 5 Nov 2012 15:26:36 +0530
On Mon, Nov 5, 2012 at 2:56 PM, Arun Khan <knura9 at gmail.com> wrote:
On Mon, Nov 5, 2012 at 2:01 PM, Karthikeyan Venkatraman
<vgkarthick.78 at gmail.com> wrote:
On Sun, Nov 4, 2012 at 12:50 PM, ravi jaya <ravijaya.list at gmail.com>
wrote:
Hello everybody,
I am trying to learn, how could I restrict the users, from running
the
specific commands. like rm or rmdir or anything else in this case.
On the other hand I am trying to look into rbash the restricted
shell, whether, any thing good it can do for this requirement
In Ubuntu edit the sudoers file in /etc folder, you can come across allow
members of group sudo to execute any command. There you insert a new text
"username ALL=(ALL) NOPASSWD: command path to execute like /sbin/shutdown
etc..".
Also make sure the user is in standard account privilege.
I would add one more thing - create a group, restrict this group to
the set of commands. Make it the primary group for all users under
such restriction.
Hi Ravi,
Go through the below steps,
1. Create the restricted shell
cp /bin/bash /bin/rbash
2. Modify the target user for the shell as restricted shell
for new user
useradd -s /bin/rbash localuser
for existing user
usermod -s /bin/rbash localuser
3. Create a directory under /home/localuser, e.g. programs
mkdir /home/localuser/programs
4. Now if you check, the user localuser can access all commands which
he/she has allowed to execute. These commands are taken from the
environmental PATH variable which is set in
/home/localuser/.bash_profileModify it as follows.
# cat /home/localuser/.bash_profile
# .bash_profile
# Get the aliases and functions
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi
# User specific environment and startup programs
PATH=$HOME/programs
export PATH
Here the PATH variable is set to ~/programs directory, as /usr/local/bin is
binded to /home/username/bin and /bin is binded to /home/username/bin so
replacing that
5. Now after logging with the username localuser, user cant run a simple
command too. The output will be like this,
6. Now create the softlinks of commands which are required for user
localuser to execute in the directory /home/localuser/programs
ln -s /bin/date /home/localuser/programs/
ln -s /bin/ls /home/localuser/programs/
now user can execute only date and ls command. likewise you add the
commands you want
--
With Regards,
RK,
+91 9840483044
Other related posts:
