How to restrict access with rbash

This blog is at the request of some Ubuntu users and describes how to restrict a user's access to applications and/or system files with rbash.

rbash is a “restricted shell” and can be helpful in restricting users. It can be used, for example, to allow limited ssh access so that a user can perform specific tasks while being kept away from system files and applications.

See: rbash features / restrictions

But rbash needs to be “hardened”.

Step 1: Install rbash :

rbash is not a separate program: bash runs restricted when it is started under the name rbash (or with the -r option), so /bin/rbash is simply a symbolic link to /bin/bash. Ubuntu ships the link by default; some other distributions (Fedora or CentOS, for example) may not, so check with “command -v rbash” before creating it.

First, add a user to your system, here I will call the user “ruser”. You may use the gui tools or the command line to add this user. Then, if needed, “install” rbash, register it as a valid login shell and set the user's shell to rbash.

sudo ln -s /bin/bash /bin/rbash
sudo bash -c 'echo "/bin/rbash" >> /etc/shells'
sudo chsh -s /bin/rbash ruser

Note the double “>>” on the second line: a single “>” would overwrite /etc/shells and leave every existing shell unregistered.

Step 2: Harden rbash

Now we need to harden the home directory a bit.

First, let's change the ownership and permissions of ruser's home. Making it root-owned means ruser can read and traverse the directory but cannot create or replace files in it (no new startup files, no editor swap files, no .ssh directory of its own). That is deliberate; anything the user must be able to read is placed there by root.

sudo chown root:ruser /home/ruser
sudo chmod 750 /home/ruser

Now let us lock down rbash a bit. The critical items are PATH and the startup files bash reads at login: .bash_profile, .bash_login, .profile, .bashrc and .bash_logout. rbash enforces its restrictions (no cd, no changing PATH, SHELL, ENV or BASH_ENV, no slashes in command names, no output redirection, no exec) only after those startup files have been read, so if ruser can edit any of them the restriction is void. That is why they are made root-owned and read-only below.

As root (sudo -i or su -)

cd ~ruser
rm -f .bash_login .bashrc .profile .bash_profile .bash_logout
touch .bashrc .bash_logout
for i in .bash_login .bash_profile .profile; do echo ". .bashrc" > $i; done
echo "export PATH=/home/ruser/usr/bin" >> .bashrc
mkdir -p /home/ruser/usr/bin
chown -R root:ruser /home/ruser
chmod 640 .bash* .profile
chmod -R 750 usr/bin

The loop writes the same one-line file to each of the login files, because bash reads only the first of .bash_profile, .bash_login and .profile that it finds, and whichever one that is must pull in .bashrc. (Writing “echo ... > {.bash_login,.profile,...}” works in zsh but gives “ambiguous redirect” in bash.) The export line sets the only directory on ruser's PATH; rbash makes PATH read-only once the shell is up, so nothing the user does later can widen it.

Depending on your preference you may wish to lock down additional configuration (. or dot) files as well, such as .vimrc or .nanorc

Now, review the contents of the home directory :

ls -la ~ruser

Step 3: Add access (links) to applications.

We now have a fairly restricted “base”. To add applications to ruser's PATH, use a link:

Again, as root,

ln -s /usr/bin/vim /home/ruser/usr/bin/vim

Choose what you link with care. vim (“:shell” or “:!”), less, more and man (“!”) all hand the user an unrestricted shell, so the link above defeats rbash unless it points at vim's restricted mode (vim -Z, installed as rvim on many distributions) instead. Prefer single-purpose programs that cannot run other commands, and never link a shell or an interpreter.

If you need this user to be able to do a task as root, this is where sudo shines. Use visudo to add an entry that allows exactly the command(s) the user may run as root, and link sudo itself into /home/ruser/usr/bin, since the user can only run what is on that PATH (the argument to sudo may be a full path; rbash only forbids a slash in the command name itself). The command you allow through sudo must not offer a shell escape either: vim run as root is a root shell.
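The three steps above as one script, added here as an example (it is not the post's own command list): it builds the home skeleton under any directory, puts a program on the restricted PATH, audits the result for the mistakes the comments below keep running into (writable startup files, an escape hatch such as vim on the PATH) and probes what “bash -r” really blocks. It assumes GNU coreutils (stat -c) and a bash binary; the one step that needs root (chown to root) is isolated in lock_ownership, and the list of escape hatches is a constructed, non-exhaustive one.

```shell
#!/bin/sh
# Added example, not the original post's commands: build the rbash home
# skeleton of Steps 1-3 under any directory, put programs on the restricted
# PATH, audit the result, and probe what "bash -r" actually blocks.
# Assumptions: GNU coreutils (stat -c) and a bash binary for the probe.

# Files bash reads at login. rbash enforces its restrictions only AFTER
# these are read, so they must not be writable by the restricted user.
LOGIN_FILES=".bash_profile .bash_login .profile"

# Programs that hand the user a full shell with one keystroke (vim :shell,
# less/more/man "!", find -exec, interpreters). Constructed, not exhaustive.
ESCAPE_HATCHES="vim vi view less more man find nano python perl"

# make_restricted_home DIR : create the skeleton; DIR/usr/bin becomes the
# only PATH entry. Run as root, then call lock_ownership.
make_restricted_home() {
    dir=$1
    mkdir -p "$dir/usr/bin" || return 1
    # PATH is fixed here; once rbash is up it is read-only.
    printf 'export PATH=%s/usr/bin\n' "$dir" > "$dir/.bashrc"
    for f in $LOGIN_FILES; do printf '. ~/.bashrc\n' > "$dir/$f"; done
    : > "$dir/.bash_logout"
    chmod 640 "$dir/.bashrc" "$dir/.bash_logout"
    for f in $LOGIN_FILES; do chmod 640 "$dir/$f"; done
    chmod 750 "$dir" "$dir/usr" "$dir/usr/bin"
}

# lock_ownership DIR USER : root-owned, group USER, so USER can read and
# traverse but never edit the startup files or add programs. Needs root.
lock_ownership() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "lock_ownership: must run as root" >&2
        return 1
    fi
    chown -R "root:$2" "$1"
}

# expose DIR NAME [TARGET] : put one program on the restricted PATH via a
# symlink. The user types NAME; rbash forbids "/usr/bin/NAME".
expose() {
    target=$3
    [ -n "$target" ] || target=$(command -v "$2") || return 1
    ln -sfn "$target" "$1/usr/bin/$2"
}

# audit_restricted_home DIR USER : print findings to stderr and the number
# of findings to stdout (0 means clean). Returns 1 when anything is found.
audit_restricted_home() {
    dir=$1 user=$2 found=0
    for f in .bashrc .bash_logout $LOGIN_FILES; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing startup file: $f" >&2; found=$((found + 1))
            continue
        fi
        mode=$(stat -c %A "$dir/$f")          # e.g. -rw-r-----
        case "$mode" in
            ?????w*|????????w*)                # group or world writable
                echo "$f is group/world writable ($mode)" >&2
                found=$((found + 1)) ;;
        esac
        if [ "$(stat -c %U "$dir/$f")" = "$user" ]; then
            echo "$f is owned by $user and can be edited" >&2
            found=$((found + 1))
        fi
    done
    for p in "$dir"/usr/bin/*; do
        [ -e "$p" ] || [ -L "$p" ] || continue  # empty glob
        name=$(basename "$p")
        case " $ESCAPE_HATCHES " in
            *" $name "*)
                echo "$name on the restricted PATH allows a shell escape" >&2
                found=$((found + 1)) ;;
        esac
    done
    echo "$found"
    [ "$found" -eq 0 ]
}

# probe_rbash : run escape attempts under "bash -r" and report how many
# were blocked. "sh -c true" is NOT blocked: a plain command found on the
# inherited PATH runs, which is why the PATH above must hold only usr/bin.
probe_rbash() {
    command -v bash >/dev/null 2>&1 || { echo "0/0"; return 1; }
    blocked=0 total=0
    for attempt in 'cd /' 'PATH=/tmp' '/bin/true' 'echo x > /dev/null' \
                   'exec sh' 'sh -c true'; do
        total=$((total + 1))
        bash -r -c "$attempt" </dev/null >/dev/null 2>&1 || blocked=$((blocked + 1))
    done
    echo "$blocked/$total"
}
```

For a real account run make_restricted_home /home/ruser, expose /home/ruser rvim /usr/bin/rvim (or whatever single-purpose tool the user needs), lock_ownership /home/ruser ruser, then audit_restricted_home /home/ruser ruser; the audit should print 0. Linking plain vim instead is flagged, and probe_rbash shows the last attempt succeeding: rbash stops nothing that is reachable through PATH.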

For remote access, I also advise you to use keys, which let you increase the security of your ssh server and restrict the user further: options in authorized_keys such as command="...", no-port-forwarding and no-pty pin a key to one command and stop it binding ports. Because the home directory is now root-owned, create ~ruser/.ssh/authorized_keys as root and leave it readable by ruser (sshd reads the file as the user, and StrictModes accepts parent directories owned by root as long as they are not group- or world-writable), or point AuthorizedKeysFile in sshd_config at a location outside the home. See my previous svn+ssh blog for some hints on how to lock down your ssh keys.

Take care to remain diligent: as with all things, there are ways to break out of an rbash shell, and any linked program that can spawn a process will do it. This setup can be enhanced further by placing the user in a chroot jail, or by confining the login with SELinux or AppArmor.

See also : man rbash

For additional information see: Security Focus ~ Restricting UNIX Users

45 Responses to How to restrict access with rbash

  1. Pingback: FriedCPU » Blog Archive » Advanced Linux Security Part 1: AppArmor Intro

  2. hack says:

    dood.
    you need a double redirect (>>) when sending /bin/rbash to /etc/shells

  3. Taleel says:

    The second line should read like this:

    sudo bash -c 'echo "/bin/rbash" >> /etc/shells'

    Otherwise you will overwrite the content of /etc/shells.

  4. Pingback: Shadows of epiphany » Blog Archive » Shared Terminal Sessions over SSH

  5. bodhi.zazen says:

    Thank you both hack and Taleel for pointing this out, I have updated my post.

  6. Boalgelow says:

    yo, blog.bodhizazen.net great name for site)))

  7. blog.bodhizazen.net – now in my rss reader)))

  8. poulsorry says:

    yo, blog.bodhizazen.net great name for site)))
    ————————
    my blog: http://hyundai-hyundai-accent.ru

  9. Done says:

    How may I find more info?

  10. Victory says:

    Amazing information, gracias!

  11. Britany says:

    This is so interesting for us! Thanx!

  12. blog.bodhizazen.net – great domain name for blog like this)))
    ————————
    my blog: http://dewat.ru/

  13. Neo says:

    Your information is very useful! Thanks!

  14. Blogink says:

    I think blog.bodhizazen.net is a very real journal! Thank you very much!

  15. Aziza says:

    Where can I obtain much data about this topic, except blog.bodhizazen.net?

  16. Ruina says:

    That was very useful =)

  17. ceabaird says:

    I’ve been using /bin/rbash successfully until recently, when I can ssh into a user’s home directory, but that’s ALL. I can’t cd into any of the folders in their home directory… I’m not sure why…

  18. bodhi.zazen says:

    See man rbash

    It behaves identically to bash with the exception
    that the following are disallowed or not performed:

    * changing directories with cd

  19. Pingback: Shadows of epiphany » Blog Archive » Shared SSH Sessions, Update for Jaunty (Ubuntu 9.04)

  20. Dik says:

    sudo chomod 750 /home/ruser

    CHOMOD ????

  21. bodhi.zazen says:

    Thank you, fixed that typo.

  22. marc says:

    When I try to run this:
    echo “. .bashrc” > {.bash_login,.bashrc,.profile,.bash_profile,.bash_logout}

    I get this:

    bash: {.bash_login,.bashrc,.profile,.bash_profile,.bash_logout}: ambiguous redirect

    What am i doing wrong?

  23. bodhi.zazen says:

    @marc ;

    You are not doing anything wrong, it is a bash thing (I use zsh)

    For bash user:

    for i in .bashrc .bash_login .bash_profile .bash_logout .profile; do echo ". .bashrc" > $i; done

    I will update the post.

  24. Pingback: Restricted bash con apparmor | zaffa.org

  25. Elie says:

    This line:
    echo “export PATH=’/home/rbash/usr/bin’

    Should there be more to it? Is that supposed to be echoed into one of the .bash* files? Echoing it to console doesn’t seem to do much.

  26. bodhi.zazen says:

    @Elie : I updated my post.

    What is it you are trying to do exactly ? You posted several comments, but I am not clear what you want to do.

  27. VeNoMouS says:

    He’s right, there is a typo, you’re missing a ”

    typo
    echo “export PATH=’/home/rbash/usr/bin’ >> .bashrc

    should really read
    echo “export PATH=’/home/rbash/usr/bin’” >> .bashrc
    in fact you don’t need the ’
    echo “export PATH=/home/rbash/usr/bin” >> .bashrc

  28. bodhi.zazen says:

    @VeNoMouS Thank you.

  29. yoho says:

    humm… and “/home/rbash/” should be changed to “/home/ruser/”, isn’t it ?

  30. yoho says:

    Also, if the home directory doesn’t belong to ruser, I’m not sure the permissions are correct to enable public key ssh authentication (using authorized_keys): it sometimes checks $HOME permissions (depending on the version).

  31. bodhi.zazen says:

    Thank you for your review and comments.

    ruser needs to be able to read ~/.ssh/authorized_keys , or you can move the key to an alternate location.

    Honestly a restricted shell is deprecated, you should be using tools such as apparmor, selinux, or grsecurity as it is rather trivial to break out of rbash.

  32. Pingback: Shared SSH Sessions « System admin made easy

  33. aaron says:

    Great work, but I am still not able to get the links (in /home/ruser/usr/bin) to work properly. The $PATH is right and the links are also present in the directory, but no luck if I try to run “vim” when I log in as ruser: “no command found”.

  34. sss says:

    Nice write up, but won’t work on Debian…. ;P

  35. bodhi.zazen says:

    @sss: works fine on Debian (as you can see):

    root@debian~# cat /etc/issue
    Debian GNU/Linux 5.0 \n \l

    root@debian~# rbash

    debian:~# cd
    rbash: cd: restricted

    debian:~# cd /root
    rbash: cd: restricted

    debian:~# exit
    exit

    But:

    rbash is easy to break out of, you really should use an alternate technology (selinux, apparmor, virtualization).

    What problem did you have ?

  36. chenjie says:

    hi~ thanks for your blog.
    I have created a ruser following the steps,
    and I have met this issue.
    I use the Windows client “SSH Secure File Transfer” with ruser, and ssh is working fine, but sftp is not.
    It pops up this error:
    “File transfer server could not be started or it exited unexpectedly.
    Exit value 0 was returned.”
    I have googled everywhere; it tells me not to output messages in .bashrc (such as echo), and my .bashrc is totally clear with nothing, but it still does not work~~~
    Hope you can help me.
    Thanks and regards!
    cj

  37. bodhi.zazen says:

    @chenjie – As indicated earlier, rbash is more or less obsolete, replaced by apparmor or selinux. Your problem is likely that you do not have sufficient access to various binaries, does it work if you change your shell to bash ?

  38. chenjie says:

    I changed the login shell to bash, and it works, thanks a lot.
    But I’m confused why it works, since rbash is just a symbolic link to bash.

  39. chenjie says:

    Thanks for the reply again.
    I’ve found the answer in the bash manual.

    BTW, why do you use this yin-yang picture as your logo? It’s called 太极八卦图 in our country. It’s pretty weird :)

  40. Tenach says:

    Thank you for this! I was just in need of using rbash for a client! I was surprised and happy to see that you were result number one in Google.

  41. Pingback: [ubuntu] Ubuntu bash screwed up | Ubuntu InfoUbuntu Info

  42. Paul says:

    Vim is perhaps a bad example for a first program to allow restricted users access to.

    vim already lets you break out of the restricted shell, by running [esc]:shell

  43. bodhi.zazen says:

    @Paul – I agree, rbash is not too difficult to break out of. I prefer apparmor or selinux, but rbash may be an option some prefer to use.

  44. Bash says:

    The command echo ". .bashrc" > {.bash_login,.profile,.bash_profile,.bash_logout}
    can also be performed using
    echo ". .bashrc" | tee .bash_login .profile .bash_profile .bash_logout
