How to limit user commands in Linux [closed]
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
I have a user in a group: «demo». I want to set the policy that this user can run only 10 commands, like vim , nano , cd , etc. Or, set the policy to have access on all commands except ssh and cat commands.
you are root.ok.put all commands in /bin/bash . then set permissions for each user to specific commands by chowm and chmod. ok?
@MortezaLSC : this is not good action! I don’t want to change bin files directory or permissions of them. it will make problem for system. I’m looking for correct way to restricting some users accesses.
I wanna set the policy that this users just can run 10 commands, like «vim»,»nano»,»cd» and etc. vim can be used to launch arbitrary commands. access.redhat.com/solutions/65822#comment-1221022
6 Answers 6
There are lots of different ways that you could achieve this. I’m going to list one of several possible solutions.
I would propose using several different layers of protection to prevent users from running the commands that they shouldn’t be allowed to access. All of the directions here assume that users have their own /home/[username] directory, that their shell is /bin/bash , and that you would like them to use the bash shell when they log in to the system.
- Change the user’s bash to restricted bash mode so that they can’t change directories (if you don’t have a restricted bash mode on your system, this link will help and give you more information) chsh -s /bin/rbash [username]
- Change directory permissions so that only the user can edit the contents of their home directory
rm /home/[username]/.bashrc This site has more information as to why it might be a good idea to delete the .bashrc in this situation.
- Create a .bash_profile and add «safe» aliases for all the commands that you would like to disable
./bash_profile file example
alias apt-get="printf ''" alias aptitude="printf ''" [. ] alias vi="vi -Z" #this is vi's safe mode and shell commands won't be run from within vi alias alias="printf ''" A please check the full list of bash commands for more information. You must make sure that the alias alias=»printf »» command is the last command on the list otherwise you lose your ability to alias all of those commands.
Note Running the commands below will search for almost all the commands available on your system and output a ready made file will almost all available commands pre-aliased. The [ command is the test command in bash. So if you see that in the file, it is not an error.
#search /bin and /usr/bin for any commands that exist on our system ls /bin -1 > commands_on_system.txt && ls /usr/bin -1 >> commands_on_system.txt #format and save this information to a bash variable IFS=$'\n' GLOBIGNORE='*' command eval 'COMMANDS_ON_SYSTEM=($(cat ./commands_on_system.txt))' IFS=$'\n' COMMANDS_ON_SYSTEM=($(sort ")) unset IFS #save these commands in aliased format for easy usage for linux_command in "$" do : #you can change how this works to automatically #setup the command file for you echo "alias $=\"printf ''\"" >> ./startup_functions_for_beginners.sh done - Disable shell commands in vi by aliasing the vi command to restricted mode
The syntax is alias vi=»vi -Z» , but please see this site for more information. - Change the ownership of the user’s .bash_profile to root
chown root:root /home/[username]/.bash_profile - Finally, remove write permissions on the user’s .bash_profile
chmod 755 /home/[username/.bash_profile]
Now when the users log in they won’t be able to change directories, all of the commands that you don’t want them to use will output the same information as if the user pressed the [ENTER] key with no command specified, and your /bin/bash functions stay intact.
Depending on what functions you choose to or not to alias this way, users may still be able to circumvent some of the controls that you implemented. However, since we implemented a few safety buffers, the user would really have to know about computer systems to do any dangerous.
On a related note and something that you might want to consider, if you directly place these aliases into each and every users’ .bash_profile you would have difficulty maintaining which functions should and shouldn’t be aliased, and if you need to change the alias on anything you would have to change all of them individually. Also, since users can use vim or vi to view files, they could see the contents of their .bash_profile and understand what restrictions they have and don’t have.
To get around this I would suggest.
- Putting all of the aliases in a directory not accessible by the users (paste the contents of the .bash_profile here)
improved ./bash_profile file example
if [[ -f /[path_to_file]/startup_functions_for_beginners.sh ]]; then . /[path_to_file]/startup_functions_for_beginners.sh fi This should put you on your way, but remember that there are almost always ways to circumvent restrictions.
Also, feel free to remix the information in this answer to suit your needs. These can most definitely be combined with a number of other restrictions as well.
Q: I need users to have access to fg and bg , but I don’t want them to be able to access aptitude or bash
alias apt-get="printf ''" #the user won't be able to run this alias aptitude="printf ''" #the user won't be able to run this alias bash="printf ''" #the user won't be able to run this #alias fg="printf ''" #this will run as a bash built-in #alias bg="printf ''" #you actually don't need to include these in your script List of common commands as per this Harvard Website (NOT EXHAUSTIVE)
As you install programs to Linux what you have available to you changes. I suggest that you run the commands listed above in step 4 to help find new commands after they have been installed.
caution should be taken care of with editors because some allow for the excution of shell commands from within the program
nano emacs pico sed vi vim exit logout passwd rlogin ssh slogin yppasswd mail mesg pine talk write as awk bc cc csh dbx f77 gdb gprof kill ld lex lint make maple math nice nohup pc perl prof python sh yacc xcalc apropos find info man whatis whereis cd chmod chown chgrp cmp comm cp crypt diff file grep gzip ln ls lsof mkdir mv pwd quota rm rmdir stat sync sort tar tee tr umask uncompress uniq wc cat fold head lpq lpr lprm more less page pr tail zcat xv gv xpdf ftp rsync scp alias chquota chsh clear echo pbm popd pushd script setenv stty netstat rsh ssh bg fg jobs ^y ^z clock date df du env finger history last lpq manpath printenv ps pwd set spend stty time top uptime w who whois whoami gimp xfig xv xvscan xpaint kpaint mplayer realplay timidity xmms abiword addbib col diction diffmk dvips explain grap hyphen ispell latex pdfelatex latex2html lookbib macref ndx neqn nroff pic psdit ptx refer roffbib sortbib spell ispell style tbl tex tpic wget grabmode import xdpyinfo xkill xlock xterm xwininfo html2ps latex2html lynx netscape sitecopy weblint How to Set Limits on User Running Processes in Linux
One of the Linux’s beauties is that you can control almost everything about it. This gives a system administrator a great control over his system and better utilization of the system resources.
While some might have never thought about doing this, it is important to know that in Linux you can limit how much resource a single user may use and for how long.
In this short topic, we will show you how to limit the number of processes started by user and how to check the current limits and modify them.
Before we go any further there are two things we need to point:
- You need root access to your system to modify the user limits
- You must be extremely careful if you plan to modify these limits
To setup user limits, we will need to edit the following file:
This file is used to apply ulimit created by the pam_module.
The file has the following syntax:
Here we will stop to discuss each of the options:
- Domain – this includes usernames, groups, guid ranges etc
- Type – soft and hard limits
- Item – the item that will be limited – core size, file size, nproc etc
- Value – this is the value for the given limit
A good sample for a limit is:
The above line sets a hard limit of maximum 20 processes on the «student» group.
If you want to see the limits of a certain process has you can simply “cat” the limits file like this:
Where PID is the actual process ID, you can find out process id by using ps command. For more detailed explanation, read our article that says – Find Running Linux Processes and Set Process Limits Per-User Level
Sample Output
Limit Soft Limit Hard Limit Units Max cpu time unlimited unlimited seconds Max file size unlimited unlimited bytes Max data size unlimited unlimited bytes Max stack size 8388608 unlimited bytes Max core file size 0 unlimited bytes Max resident set unlimited unlimited bytes Max processes 32042 32042 processes Max open files 1024 4096 files Max locked memory 65536 65536 bytes Max address space unlimited unlimited bytes Max file locks unlimited unlimited locks Max pending signals 32042 32042 signals Max msgqueue size 819200 819200 bytes Max nice priority 0 0 Max realtime priority 0 0 Max realtime timeout unlimited unlimited us
All of the lines are pretty much self explanatory. However if you want to find more the settings you can input in limits.conf file, you can have a look at the manual provided here.
If you have any questions or comments, please do not hesitate to submit them in the comment section below.