
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

1 votes
2 answers
2052 views
How to restrict a jump user (into openSSH jumpbox) to only SSH to another server?
My Goal: restrict jump users (into OpenSSH jumpbox) to only SSH to another server. Users should not be able to list directories, cd or anything else except ssh from jumpbox to another server.
What I have:
- Active Directory users log in to the jump server, then SSH to other servers
- OpenSSH jump server configured on Ubuntu 20.04

What I've done: edited the /etc/ssh/sshd_config:
```
Match User testuser
  AllowTcpForwarding yes
  X11Forwarding no
  AllowAgentForwarding no
  ForceCommand /bin/false
```
When I add ForceCommand /bin/false, testuser cannot even ssh to jump server. Without it, user can login to jump server but can still list directories and cd.
Arnold Jerry (11 rep)
Feb 21, 2022, 02:03 AM • Last activity: Jul 22, 2025, 05:35 PM
0 votes
2 answers
160 views
How can I set a restricted shell for a user, while allowing cd to user-owned directories?
I've set up restricted shell(s) on an Arch-based system by creating `/usr/local/bin/rzsh` and `/usr/local/bin/rbash`: these scripts `cd` into `/home/$USER` and then invoke `zsh -r` and `bash -r` respectively, but I would like users in the restricted shells to be able to `cd` into directories the user(s) explicitly own (such as sub-directories of their home) but not necessarily everything they have read access to.
- The context is a user that runs https://code.visualstudio.com/docs/remote/vscode-server - clients have terminal access and must be able to move between repositories, and execute some scripts that act upon repositories
- However, I *do not* want users to have access to `cd` into or read files in system directories

Is this possible with a restricted shell, and if not, can you recommend an approach to achieve a similar level of restriction?
Rob (111 rep)
Aug 14, 2024, 10:17 PM • Last activity: Aug 15, 2024, 09:04 AM
1 votes
1 answers
458 views
How can I allow scp to a user whose login shell is a restricted shell via rbash
Hi, I have a login shell via /bin/rbash. However, I cannot scp to the home directory. Is there any way to solve this?
```
scp /tmp/x user@ip:/home/ubuntu/x
```
How to make the above work when the user always gets a restricted shell on login?
Uise (11 rep)
Jan 19, 2024, 06:55 AM • Last activity: Jan 20, 2024, 12:03 AM
1 votes
0 answers
153 views
Block Particular Command in Linux for Specific Users
I want to whitelist some of the commands for users. I am getting a solution using LShell ([Limited Shell](https://github.com/ghantoos/lshell)) but I want to restrict subcommands as well.
I want the user to access `docker ps` and `docker logs` only. How can I achieve it via LShell?
mhassaankhokhar (13 rep)
Oct 17, 2023, 08:03 AM • Last activity: Oct 17, 2023, 09:56 AM
0 votes
0 answers
96 views
Restrict user for ssh tunnelling
I'm trying to create a user without shell access just for port forwarding through ssh. The shell of the user is set to `/usr/bin/false`, but every time I try to log in through ssh I receive `Permission denied (publickey,password)`. If I add `/usr/bin/false` to `/etc/shells` it works, but I read that this is not recommended. I also created a rule in `/etc/ssh/sshd_config` of the form:
```
Match User tunneluser
        X11Forwarding no
        AllowTcpForwarding yes
        AllowAgentForwarding no
        PermitTTY no
```
But it still doesn't work.
deodre (1 rep)
May 18, 2023, 01:32 PM • Last activity: May 18, 2023, 03:37 PM
-3 votes
1 answers
8749 views
Not able to Run cd command with restricted user!
I have restricted a normal user to limited commands using `rbash`; now I am not able to `cd` (change directory) to another directory. Can someone help me with how I can run the `cd` command with a restricted user? Please find the error which I am getting when performing the `cd` command: `-rbash: cd: restricted`
vinod M (15 rep)
Nov 15, 2016, 11:04 AM • Last activity: Apr 26, 2023, 05:16 AM
2 votes
1 answers
465 views
Restricted shell rush "invalid uid" error
I am setting up a new local account on a Debian buster server. The account name is "auto-upload". The entry in `/etc/passwd` looks like this:
```
auto-upload:x:1060:1060:auto-upload:/home/auto-upload:/usr/sbin/rush
```
As you can see I am attempting to use the "rush" restricted shell (version 1.8) with this account. The rush configuration file is
```
debug 1

rule default
  acct on
  limits t10r20
  umask 002
  env - USER LOGNAME HOME PATH
  fall-through

rule scp-to-debrepo
  command ^scp (-v )?-t( --)? /srv/repos/?
  set /usr/bin/scp
  match[$] ! /\.\.
  transform[$] s,^/incoming/,,
  chroot /srv/repos
  chdir /srv/repos
```
When I attempt to scp a file to that account I see this in the server logs:
```
2021-12-03T12:20:25.240111-08:00 myserver rush: debug level set to 1
2021-12-03T12:20:25.240755-08:00 myserver rush: Serving request "scp -t /srv/repos/basic/incoming" for auto-upload by rule default
2021-12-03T12:20:25.240971-08:00 myserver rush: Serving request "scp -t /srv/repos/basic/incoming" for auto-upload by rule scp-to-debrepo
2021-12-03T12:20:25.254718-08:00 myserver rush: invalid uid 1060
2021-12-03T12:20:30.257645-08:00 myserver sshd: Received disconnect from 192.168.225.188 port 45518:11: disconnected by user
```
Why is it telling me "invalid uid 1060" and how do I fix this?
rlandster (763 rep)
Dec 3, 2021, 08:29 PM • Last activity: Jan 23, 2023, 10:19 PM
2 votes
0 answers
228 views
How to re-enable the `enable` command?
As part of a script to set up a restricted user, I ran the `enable -n enable` command. For testing purposes I would like to undo that command but I can't find any documentation on how to do so. I know normally I would just run `enable enable`, but since that command is disabled that isn't an option. The user in question is chrooted and running rbash, I have superuser access on the device and I have tried things like `sudo su -c "enable echo" usernameHere` with no success. I know I can always just scrap the user and start again, but I have a feeling that there's a better way that I'm missing, so I would like to avoid deleting the user if possible. Any input and advice would be appreciated!
ajmeese7 (380 rep)
Apr 28, 2022, 01:42 AM
-3 votes
2 answers
153 views
Linux Restricted Bash shell perform arithmetic calculations
I have a shell script to calculate CPU and memory resources in a VM. For one task, I would like to perform mathematical calculations in an rbash shell. Could you please guide me on the possible workarounds? I have been trying like `echo $a / 1024 | bc`. I'm trying the below substitution and getting the below error. Can you please advise me? Both the variables have decimal values as well, like 0.4, 10.0, and would need to subtract and get the values for used_cores in echo (( $config_cpu - $free_cpu )) | grep [0-9] || echo NA do echo $used_cores done
Error: ``bash: command substitution: line 12: syntax error near unexpected token `('``
The question seems to be different from the reference question. Can you please consider this question?
satsensort (87 rep)
Jan 4, 2022, 04:55 PM • Last activity: Jan 4, 2022, 05:46 PM
2 votes
1 answers
357 views
How can I start a login shell with options?
I am messing around and want to have a guest user whose login shell is a restricted one like `rbash`. Unfortunately there is no `rbash` executable anywhere on my Slackware installation, so I have to do `bash -r` instead. I tried putting this in /etc/passwd as the login shell for the user in question:
```
:x:1001:1001::/home/guest:/bin/bash -r
```
but it seems to be trying to find an executable with `" -r"` at the end of the filename and so doesn't let me log in because it doesn't exist. Is there any way I can start a restricted shell with an option like this, or do I have to install an rbash binary? This is not ideal as I am on a Raspberry Pi (ARM) and may have to compile a package which is something I am unfamiliar with.
Architect (173 rep)
Apr 24, 2021, 01:03 PM • Last activity: Apr 24, 2021, 01:21 PM
0 votes
0 answers
17 views
Remote access to a Minecraft server over SSH
I have a dedicated server running Ubuntu Server 18.04. I'm going to be hosting a Minecraft server for someone. What's the best way to restrict their read, write, and execute access to _only_ the Minecraft server directory? They'll also need access to Java to run the server.
LostXOR (235 rep)
Dec 12, 2020, 09:52 PM
1 votes
1 answers
766 views
How to restrict users so that they can only execute commands from /bin?
I was provided an assignment with several questions. One of the questions is:

> How to restrict users can only execute the commands in the directory `/bin`?

I tried to solve it by using the following commands, but they did not work.
```
# useradd -s /bin/bash localuser
# usermod -s /bin/rbash localuser
# mkdir /home/localuser/programs
```
Here are the contents of /home/localuser/.bash_profile:
```
# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
    . ~/.bashrc
fi
# User specific environment and startup programs
PATH=$HOME/programs
export PATH
```
Then I tried:
```
[localuser@example ~]$ ls
-rbash: ls: command not found
[localuser@example ~]$ less file1
-rbash: less: command not found
[localuser@example ~]$ clear
-rbash: clear: command not found
[localuser@example ~]$ date
-rbash: date: command not found
[localuser@example ~]$ ping redhat.com
-rbash: ping: command not found
# ln -s /bin/date /home/localuser/programs/
# ln -s /bin/ls /home/localuser/programs/
# ll /home/localuser/programs/
total 8
lrwxrwxrwx 1 root root 9 Oct 17 15:53 date -> /bin/date
lrwxrwxrwx 1 root root 7 Oct 17 15:43 ls -> /bin/ls
[localuser@example ~]$ date
Mon Oct 17 15:55:45 IST 2011
[localuser@example ~]$ ls
file1 file10 file2 file3 file4 file5 file6 file7 file8 file9 programs
[localuser@example ~]$ clear
-rbash: clear: command not found
# chattr +i /home/localuser/.bash_profile
```
What would be your answer?
Sangar Tahir (11 rep)
Nov 12, 2020, 01:06 AM • Last activity: Nov 13, 2020, 04:02 PM
0 votes
0 answers
44 views
How to limit user to only cat & exit commands?
I would like to limit a user to only two commands: `cat` and `exit`. I've tried to edit `visudo` but it does not work. My OS version is CentOS 8.
kdm.J (11 rep)
Sep 1, 2020, 08:57 AM • Last activity: Sep 2, 2020, 05:13 AM
1 votes
1 answers
2130 views
How do you install rbash in CentOS 7?
I ran this command:
```
yum install rbash
```
And for some reason it told me that the package wasn't available. It didn't come pre-installed on my system either and when I looked it up I was unable to find anyone else having this issue. So how do you install rbash on CentOS 7?
chunchunmaru (13 rep)
Aug 21, 2020, 06:42 PM • Last activity: Aug 21, 2020, 06:59 PM
0 votes
1 answers
386 views
Restrict users shell in CentOS-7
I've deployed CentOS-7 login nodes for users. I want to restrict them at the resource and command level to prevent nasty activities. So far my search only ended up at **rbash** and **lshell** etc. Is there any way to achieve this more generically/globally? I only want to narrow down the command access to one command. Thanks
Tux88 (1 rep)
Aug 11, 2020, 06:22 PM • Last activity: Aug 12, 2020, 04:00 PM
0 votes
1 answers
614 views
Giving users Shell access with heavy restrictions
I am developing an in-house file-sharing system like Google Drive/Dropbox with very restricted shell access to users' own folder. The users have to be able to use the `mv`, `ssh`, `ls`, `cd` commands to access and navigate their own folders; also, some users would be able to run `gcc` to compile their own programs (but they are not allowed to run the programs they compiled). The only problem is I don't want people roaming around in system files or modifying system settings/variables. First I thought maybe using containers/BSD Jails might be the solution, but given that this system might have over 300 users, it adds unnecessary complexity and overhead. What solutions are there on the open wild Internet? Thanks!
user396583
Jul 1, 2020, 10:59 AM • Last activity: Jul 1, 2020, 12:39 PM
3 votes
1 answers
5765 views
How can I restrict the normal user to run only limited set of commands in RHEL?
How can I restrict the Normal user to run the only limited set of commands in RHEL?
Manjinder Singh (39 rep)
Mar 5, 2018, 06:55 AM • Last activity: Mar 27, 2020, 03:09 AM
0 votes
1 answers
203 views
Centos SSH & SFTP user restriction to specific directories
I am managing a server running CentOS 7. Some users log in to the server via ssh/sftp for development. For them I have created a user devel. For security reasons, I need to confine them to certain directories.
They should be able to:
- Run only basic commands such as cd, ls, cp, cat, mv, mkdir, rmdir, etc.
- Run programs such as java, gcc, python etc.
- Access home directory (devel) with full permissions (rwx)
- Access a mounted hard drive /mnt/dataspace with full permissions (rwx)
- Access the /usr/lib, /usr/src and some other directories with full permissions (rwx)

I want to prevent devel from:
- Accessing all other directories such as /, /boot, /etc, /opt, /var etc.
- Accessing certain services/daemons such as httpd, sshd, mysqld etc.
- Running any command (other than the basic commands above) e.g. systemctl.

I don't want these directories (e.g. /, /etc, /var etc.) to even show up to them, or at the very least disable access to them. Is it possible to do? I have read many questions here and also many other articles, forums and blogs about ACL and chroot jail etc. such as this, this, this, this, this, this, this, this, this, this, this but none of them helped me to achieve what I need to do. Any help or any suggestions will be highly appreciated, I desperately need help.
Raja Ayaz (1 rep)
Nov 21, 2019, 08:03 PM • Last activity: Nov 21, 2019, 10:56 PM
-1 votes
2 answers
504 views
Limit User To Run Specific Commands
I have a user `test1` that I want to limit to only run specific commands. I found [this](https://access.redhat.com/solutions/65822) solution and I tested it (logged in with test1 and ran some random commands; none of them worked but date) and it worked. Here is what I did:
```
cp /bin/bash /bin/rbash
useradd -s /bin/rbash test1
mkdir /home/test1/bin
chmod 755 /home/test1/bin
echo "PATH=$HOME/bin" >> /home/test1/.bashrc
echo "export PATH" >> /home/test1/.bashrc
chattr +i /home/test1/.bash_profile
ln -s /usr/bin/date /home/test1/bin
```
Since I'm more of a DBA than a Linux pro like you guys, I don't know if this is enough and if there is any other thing I need to do to prevent this test1 from doing anything on the system. Any suggestion for increasing security? As you can see, if I create a link for a command like ifconfig:
```
ln -s /sbin/ifconfig /home/test1/bin
```
this user test1 can also run add | del | up | down with ifconfig. How can I limit this command with, for example, this option -a, or so it can be executed with no options at all?
BlackCrystal (786 rep)
Aug 25, 2019, 10:29 AM • Last activity: Aug 25, 2019, 05:53 PM
0 votes
1 answers
922 views
AIX restricted shell add entry to inittab
Need help in adding an entry to the AIX inittab on a VIO server. The VIO server is a restricted shell; to add an entry to the inittab we need to access the root shell using the command `oem_setup_env`. I'm trying to add the below entry using SSH from the jump server to the VIO server. The entry doesn't get added to the inittab file.
```
ssh -q aixlpar122 "ssh -q padmin@vio01 print "\mkitab \"splunk:2:once:/usr/bin/startsrc\ -g\ splunk\ \>\ \/dev\/console\ 2\>\&1\ " | oem_setup_env "
```
Getting the below error:
```
rksh: /dev/console: 0403-019 The operation is not allowed in a restricted shell.
```
satsensort (87 rep)
Jun 19, 2019, 08:53 AM • Last activity: Jun 19, 2019, 02:25 PM