How to restrict access with rbash

December 4th, 2008 by bodhi.zazen

This blog is at the request of some Ubuntu users and describes how to restrict users access to applications and/or system files with rbash.

rbash is a “restricted shell” and can be helpful in restricting users. This can be used, for example, to allow limited ssh access in order for a user to perform specific tasks, yet keep the user away from system files and applications.

see  : rbash features / restrictions

But rbash needs to be “hardened”.

Step 1: Install rbash :

rbash is not “installed”, it is a symbolic link to bash. rbash is present by default in Ubuntu but not Fedora (or Centos) for example.

First, add a user to your system, here I will call the user “ruser”. You may use the gui tools or the command line to add this user. Then, if needed “install” rbash and set the users shell to rbash.

sudo ln -s /bin/bash /bin/rbash
sudo bash -c ‘echo “/bin/rbash” >> /etc/shells’
sudo chsh -s /bin/rbash ruser

Step 2: Harden rbash

Now we need to harden the home directory a bit.

First, lets change ownership and permissions of ruser’s home

sudo chown root.ruser /home/ruser
sudo chmod 750 /home/ruser

Now let us lock down  rbash a bit. The “critical” files and environmental variables are PATH, .bash_login, .bashrc, .profile, .bash_profile, .bashrc, and .bash_logout.

As root (sudo -i or su -)

cd ~ruser
rm -rf .bash_login .bashrc .profile .bash_profile .bash_logout
touch .bashrc
echo “. .bashrc” > {.bash_login,.bashrc,.profile,.bash_profile,.bash_logout}
echo “export PATH=’/home/rbash/usr/bin’
mkdir -p /home/ruser/usr/bin
chown -R root.ruser .bash* .profile /home/ruser
chmod 640 .bash* .profile
chmod -R 750 usr/bin

Note: those commands are if you are using zsh, if you are using bash use this line:

for i in .bashrc .bash_login .bash_profile .bash_logout .profile; do echo “. .bashrc” > $i; done

Depending on your preference you may wish to lock down additional configuration (. or dot) files as well, such as .vimrc or .nanorc

Now, review the contents of the home directory :

ls -la ~ruser

Step 3: Add access (links) to applications.

We now have a fairly restricted “base”. To add applications to rusers path, use a link :

Again, as root,

ln -s /usr/bin/vim /home/ruser/usr/bin/vim

If you need this use to be able to do a task as root, this is where sudo shines. Add the user to visudo and add the command(s) allowed to run as root. You still need to make a link from the command to /home/ruser/usr/bin .

For remote access, I also advise you use keys, which will allow you to not only increase security for our ssh server, but also restrict users from potentially undesirable actions (running commands, binding ports). See my previous svn+ssh blog for some hints on how to lock down your ssh keys.

Take care to remain diligent, as with all things, there are ways to break out of a rbash shell. This set up can be enhanced further by setting up the user in a chroot jail or consider using SELinux or Apparmor.

See also : man rbash

For additional informations see : Security Focus ~ Restricting UNIX Users

Posted in Linux

25 Comments »

1. [...] a step-by-step walkthrough of a lengthier, more useful example: Bodhi-Zazen recently posted a HOWTO on using rbash to restrict shell users to a safe set of commands. I will show how I broke free of the jail in 10 seconds and was snooping around the rest of the [...]

   Pingback by FriedCPU » Blog Archive » Advanced Linux Security Part 1: AppArmor Intro — December 5, 2008 @ 10:52 am

2. 

   dood.
   you need a double redirect (>>) when sending /bin/rbash to /etc/shells

   Comment by hack — December 10, 2008 @ 3:31 pm

3. 

   The second line should read like this:

   sudo bash -c ‘echo “/bin/rbash” >> /etc/shells’

   Otherwise you will overwrite the content of /etc/shells.

   Comment by Taleel — December 11, 2008 @ 10:09 am

4. [...] rather then rbash is that AppArmor is more robust. jdong was kind enough to post a comment on my rbash blog showing he was able to break out of rbash in 10 [...]

   Pingback by Shadows of epiphany » Blog Archive » Shared Terminal Sessions over SSH — January 20, 2009 @ 3:26 pm

5. 

   Thank you both hack and Taleel for pointing this out, I have updated my post.

   Comment by bodhi.zazen — January 20, 2009 @ 3:38 pm

6. 

   yo, blog.bodhizazen.net great name for site)))

   Comment by Boalgelow — January 30, 2009 @ 4:16 am

7. 

   blog.bodhizazen.net – now in my rss reader)))

   Comment by Twiniseenully — February 1, 2009 @ 1:42 am

8. 

   yo, blog.bodhizazen.net great name for site)))
   ————————
   my blog: http://hyundai-hyundai-accent.ru

   Comment by poulsorry — February 4, 2009 @ 3:59 am

9. 

   Wow!

   Comment by Nutka — February 5, 2009 @ 9:42 am

10. 

    How I may find moreinfo?

    Comment by Done — February 5, 2009 @ 12:20 pm

11. 

    Amazing injformation, gracias!

    Comment by Victory — February 10, 2009 @ 11:50 pm

12. 

    There is so interesting for us! Thanx!

    Comment by Britany — February 10, 2009 @ 11:51 pm

13. 

    blog.bodhizazen.net – great domain name for blog like this)))
    ————————
    my blog: http://dewat.ru/

    Comment by KeepSmipteser — February 15, 2009 @ 2:29 am

14. 

    Your information is very useful! Thanks!

    Comment by Neo — February 16, 2009 @ 12:03 pm

15. 

    I think, blog.bodhizazen.net is very real journal! Thank you very much!

    Comment by Blogink — February 17, 2009 @ 3:46 am

16. 

    Where can I obtain much data about this topic, except blog.bodhizazen.net?

    Comment by Aziza — February 17, 2009 @ 6:11 am

17. 

    There was much useful =)

    Comment by Ruina — February 17, 2009 @ 11:49 am

18. 

    I’ve been using /bin/rbash successfully until recently, when I can ssh into a user’s home directory, but that’s ALL. I can’t cd into any of the folders in their home directory… I’m not sure why…

    Comment by ceabaird — March 17, 2009 @ 12:00 am

19. 

    See man rbash

    It behaves identically to bash with the exception
    that the following are disallowed or not performed:

    * changing directories with cd

    …

    Comment by bodhi.zazen — March 17, 2009 @ 1:06 am

20. [...] rather then rbash is that AppArmor is more robust. jdong was kind enough to post a comment on my rbash blog showing he was able to break out of rbash in 10 [...]

    Pingback by Shadows of epiphany » Blog Archive » Shared SSH Sessions, Update for Jaunty (Ubuntu 9.04) — March 28, 2009 @ 12:23 am

21. 

    sudo chomod 750 /home/ruser

    CHOMOD ????

    Comment by Dik — April 24, 2009 @ 8:15 am

22. 

    Thank you, fixed that typo.

    Comment by bodhi.zazen — April 26, 2009 @ 1:57 pm

23. 

    When I try to run this:
    echo “. .bashrc” > {.bash_login,.bashrc,.profile,.bash_profile,.bash_logout}

    I get this:

    bash: {.bash_login,.bashrc,.profile,.bash_profile,.bash_logout}: ambiguous redirect

    What am i doing wrong?

    Comment by marc — October 20, 2009 @ 11:20 am

24. 

    @marc ;

    You are not doing anything wrong, it is a bash thing (I use zsh)

    For bash user:

    for i in .bashrc .bash_login .bash_profile .bash_logout .profile; do echo “. .bashrc” > $i; done

    I will update the post.

    Comment by bodhi.zazen — October 21, 2009 @ 2:07 pm

25. [...] rbash (restricted bash) , che dovrebbe permettere di  bloccare gli utenti nella loro home e di consentirgli solo un set limitato di comandi.Tuttavia molti non ritengono rbash particolarmente sicuro. Apparmor è invece ritenuto decisamente [...]

    Pingback by Restricted bash con apparmor | zaffa.org — January 26, 2010 @ 3:28 am

RSS feed for comments on this post. TrackBack URL

Leave a comment