Rbash question (was Re: [TriLUG] Limited Access User Account)
rick.denatale at gmail.com
Wed Sep 14 10:14:52 EDT 2005
On 9/14/05, Josh Vickery <vickeryj at gmail.com> wrote:
> I've never done this, but from what you have posted, I think it could
> be done more or less like so:
> 1. set the user's shell in /etc/passwd to "rbash" which is the same as bash -r
> 2. set the user's PATH to just the commands that you want (export
> PATH=/usr/bin/vi:... in /etc/profile or some such place that the user
> does not have write access to.
> 3. setup sudo for the user with the root commands you would like them
> to run, and add /usr/bin/sudo to the user's path
I'll file this one away (actually gmail has already done so <G>.
I hadn't heard of rbash (or bash -r) before. When I did a man rbash
on my Ubuntu system, the last paragraph stuck out at me:
When a command that is found to be a shell script is executed, rbash
turns off any restrictions in the shell spawned to execute the script.
It this correct, or a typo. If it's correct I guess you need to be
careful about what scripts you let the user execute and make sure that
the user has only read and execute permissions to them. Which would be
a further consideration in doing step 2 above.
More information about the TriLUG