This blog post is at the request of some Ubuntu users and describes how to restrict users’ access to applications and/or system files with rbash.
rbash is a “restricted shell” and can be helpful in restricting users. This can be used, for example, to allow limited ssh access in order for a user to perform specific tasks, yet keep the user away from system files and applications.
see : rbash features / restrictions
But rbash needs to be “hardened”.
Step 1: Install rbash :
rbash is not “installed”; it is a symbolic link to bash. rbash is present by default in Ubuntu, but not in Fedora (or CentOS), for example.
First, add a user to your system; here I will call the user “ruser”. You may use the GUI tools or the command line to add this user. Then, if needed, “install” rbash and set the user’s shell to rbash.
sudo ln -s /bin/bash /bin/rbash
sudo bash -c 'echo "/bin/rbash" >> /etc/shells'
sudo chsh -s /bin/rbash ruser
Step 2: Harden rbash
Now we need to harden the home directory a bit.
First, let’s change ownership and permissions of ruser’s home:
sudo chown root:ruser /home/ruser
sudo chmod 750 /home/ruser
Now let us lock down rbash a bit. The “critical” items are the PATH variable and the startup files .bash_login, .bashrc, .profile, .bash_profile, and .bash_logout.
As root (sudo -i or su -)
cd ~ruser
rm -rf .bash_login .bashrc .profile .bash_profile .bash_logout
touch .bashrc
echo ". .bashrc" > {.bash_login,.profile,.bash_profile,.bash_logout}
echo "export PATH=/home/ruser/usr/bin" >> .bashrc
mkdir -p /home/ruser/usr/bin
chown -R root:ruser .bash* .profile /home/ruser
chmod 640 .bash* .profile
chmod -R 750 usr/bin
Note: the multi-file redirect above works in zsh; if you are using bash, use this loop instead:
for i in .bash_login .bash_profile .bash_logout .profile; do echo ". .bashrc" > "$i"; done
Depending on your preference you may wish to lock down additional configuration (dot) files as well, such as .vimrc or .nanorc.
Now, review the contents of the home directory :
ls -la ~ruser
Step 3: Add access (links) to applications.
We now have a fairly restricted “base”. To add applications to ruser’s PATH, use a link:
Again, as root,
ln -s /usr/bin/vim /home/ruser/usr/bin/vim
If you need this user to be able to do a task as root, this is where sudo shines. Add the user with visudo and list the command(s) they are allowed to run as root. You still need to make a link from the command to /home/ruser/usr/bin.
For remote access, I also advise you to use keys, which will allow you not only to increase security for your ssh server, but also to restrict users from potentially undesirable actions (running commands, binding ports). See my previous svn+ssh blog for some hints on how to lock down your ssh keys.
Take care to remain diligent: as with all things, there are ways to break out of an rbash shell. This setup can be enhanced further by placing the user in a chroot jail, or by using SELinux or AppArmor.
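To check that a home directory really ends up in the layout built in Steps 1 to 3 (root-owned 750 home, root-owned 640 startup files that only source .bashrc, PATH limited to the private usr/bin), here is an added audit script that is not part of the original post. The function name audit_rbash_home is my own, and it assumes GNU stat and find (Linux).

```shell
#!/bin/sh
# audit_rbash_home: check that an rbash user's home matches the hardened layout
# above: root-owned 750 home, root-owned 640 startup files that only source
# .bashrc, and PATH limited to the private usr/bin. Prints every finding and
# returns 0 only when all checks pass. Assumes GNU stat and find (Linux).
audit_rbash_home() {
    rb_home=$1; rb_owner=$2; rb_group=$3; rb_rc=0
    # helper: $1 must have octal mode $2, owner $3 and group $4
    rb_check_stat() {
        rb_actual=$(stat -c '%a %U %G' "$1" 2>/dev/null) || { echo "MISSING: $1"; return 1; }
        [ "$rb_actual" = "$2 $3 $4" ] \
            || { echo "BAD PERMS: $1 is '$rb_actual', want '$2 $3 $4'"; return 1; }
    }
    # 1. the home itself: the user must not be able to add or replace dotfiles
    rb_check_stat "$rb_home" 750 "$rb_owner" "$rb_group" || rb_rc=1
    # 2. every startup file exists, is owned by root and is read-only for the user
    for f in .bashrc .bash_login .bash_profile .bash_logout .profile; do
        rb_check_stat "$rb_home/$f" 640 "$rb_owner" "$rb_group" || rb_rc=1
    done
    # 3. the stub files contain nothing but ". .bashrc"
    for f in .bash_login .bash_profile .bash_logout .profile; do
        [ "$(cat "$rb_home/$f" 2>/dev/null)" = ". .bashrc" ] \
            || { echo "UNEXPECTED CONTENT: $rb_home/$f"; rb_rc=1; }
    done
    # 4. PATH points only at the private bin, and no other line touches PATH
    grep -qxF "export PATH=$rb_home/usr/bin" "$rb_home/.bashrc" 2>/dev/null \
        || { echo "PATH NOT RESTRICTED: $rb_home/.bashrc"; rb_rc=1; }
    [ "$(grep -c PATH "$rb_home/.bashrc" 2>/dev/null)" = 1 ] \
        || { echo "EXTRA PATH LINES: $rb_home/.bashrc"; rb_rc=1; }
    # 5. the private bin is root-owned, not writable by the user, and nothing
    #    inside it (symlinks excluded) is group- or world-writable
    rb_check_stat "$rb_home/usr/bin" 750 "$rb_owner" "$rb_group" || rb_rc=1
    rb_writable=$(find "$rb_home/usr/bin" ! -type l -perm /022 2>/dev/null || true)
    [ -z "$rb_writable" ] || { echo "WRITABLE ENTRIES:"; echo "$rb_writable"; rb_rc=1; }
    return $rb_rc
}

# stand-alone use: sh audit_rbash.sh /home/ruser root ruser
if [ $# -ge 3 ]; then
    audit_rbash_home "$1" "$2" "$3"
fi
```

Run it as root after Step 3; any non-empty output is a deviation from the layout above.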
See also : man rbash
For additional information see: Security Focus ~ Restricting UNIX Users
dood.
you need a double redirect (>>) when sending /bin/rbash to /etc/shells
The second line should read like this:
sudo bash -c 'echo "/bin/rbash" >> /etc/shells'
Otherwise you will overwrite the content of /etc/shells.
Thank you both hack and Taleel for pointing this out, I have updated my post.
I’ve been using /bin/rbash successfully until recently, when I can ssh into a user’s home directory, but that’s ALL. I can’t cd into any of the folders in their home directory… I’m not sure why…
See man rbash
sudo chomod 750 /home/ruser
CHOMOD ????
Thank you, fixed that typo.
When I try to run this:
echo ". .bashrc" > {.bash_login,.bashrc,.profile,.bash_profile,.bash_logout}
I get this:
bash: {.bash_login,.bashrc,.profile,.bash_profile,.bash_logout}: ambiguous redirect
What am i doing wrong?
@marc ;
You are not doing anything wrong, it is a bash thing (I use zsh)
For bash user:
for i in .bashrc .bash_login .bash_profile .bash_logout .profile; do echo ". .bashrc" > "$i"; done
I will update the post.
This line:
echo "export PATH='/home/rbash/usr/bin'
Should there be more to it? Is that supposed to be echoed into one of the .bash* files? Echoing it to console doesn’t seem to do much.
@Elie : I updated my post.
What is it you are trying to do exactly ? You posted several comments, but I am not clear what you want to do.
He’s right, there is a typo, you’re missing a "
typo
echo "export PATH='/home/rbash/usr/bin' >> .bashrc
should really read
echo "export PATH='/home/rbash/usr/bin'" >> .bashrc
in fact you don’t need the '
echo "export PATH=/home/rbash/usr/bin" >> .bashrc
@VeNoMouS Thank you.
humm… and “/home/rbash/” should be changed to “/home/ruser/”, isn’t it ?
Also, if the home directory doesn’t belong to ruser, I’m not sure the permissions are correct to enable public-key ssh authentication (using authorized_keys): it sometimes checks $home permissions (depending on the version).
Thank you for your review and comments.
ruser needs to be able to read ~/.ssh/authorized_keys , or you can move the key to an alternate location.
Honestly a restricted shell is deprecated; you should be using tools such as apparmor, selinux, or grsecurity, as it is rather trivial to break out of rbash.
Great work, but I am still not able to get the links (in /home/ruser/usr/bin) to work properly. The $PATH is right and the links are also present in the directory, but no luck if I try to run “vim” when I log in as ruser: “no command found”.
Nice write up, but won’t work on Debian…. ;P
@sss: works fine on Debian (as you can see):
root@debian~# cat /etc/issue
Debian GNU/Linux 5.0 \n \l
root@debian~# rbash
debian:~# cd
rbash: cd: restricted
debian:~# cd /root
rbash: cd: restricted
debian:~# exit
exit
But:
rbash is easy to break out of, you really should use an alternate technology (selinux, apparmor, virtualization).
What problem did you have ?
Hi~ thanks for your blog.
I have created a ruser following the steps,
and I have met this issue.
I use the Windows client “SSH Secure File Transfer” with ruser, and ssh is working fine, but sftp is not.
It pops up this error:
“File transfer server could not be started or it exited unexpectedly.
Exit value 0 was returned.”
I have googled everywhere; it tells me not to output messages in .bashrc, such as echo, and my .bashrc is totally clear with nothing, but it still does not work~~~
hope you can help me.
thanks and regards !
cj
@chenjie – As indicated earlier, rbash is more or less obsolete, replaced by apparmor or selinux. Your problem is likely that you do not have sufficient access to various binaries, does it work if you change your shell to bash ?
I changed the login shell to bash, and it works, thanks a lot.
But I’m confused why it works, since rbash is just a symbolic link to bash.
Thanks for the reply again.
I’ve found the answer in the bash manual.
btw,why you use this yinyang picture as your logo, it’s called 太极八卦图 in our country.it’s pretty weird :)