Comments on: How to restrict access with rbash

By: chenjie

chenjie — Wed, 11 Jan 2012 05:05:34 +0000

thanks for the reply again.
i’ve found the answer in bash manual.

btw,why you use this yinyang picture as your logo, it’s called 太极八卦图 in our country.it’s pretty weird :)

By: chenjie

chenjie — Tue, 10 Jan 2012 10:37:05 +0000

i change the login shell to bash,and it works,thanks a lot.
but i’m confusing why it works since that rbash is just a symbol link to bash.

By: bodhi.zazen

bodhi.zazen — Mon, 09 Jan 2012 16:02:46 +0000

@chenjie – As indicated earlier, rbash is more or less obsolete, replaced by apparmor or selinux. Your problem is likely that you do not have sufficient access to various binaries, does it work if you change your shell to bash ?

By: chenjie

chenjie — Mon, 09 Jan 2012 12:31:03 +0000

hi~thanks for your blog.
i have created a ruser followed by the steps,
i have met this issue.
i use windows client “SSH Secure File Transfer” with ruser, and ssh is working fine. but sftp is not.
it pops up this error
“File transfer server could not be started or it exited unexpectedly.
Exit value 0 was returned.”
i have googled everywhere,it tells me do not output message in .bashrc such as echo ,and my .bashrc is totally clear with nothing,but still not work~~~
hope you can help me.
thanks and regards ！
cj

By: bodhi.zazen

bodhi.zazen — Wed, 19 Oct 2011 14:55:11 +0000

@sss: works fine on Debian (as you can see):

root@debian~# cat /etc/issue
Debian GNU/Linux 5.0 \n \l

root@debian~# rbash

debian:~# cd
rbash: cd: restricted

debian:~# cd /root
rbash: cd: restricted

debian:~# exit
exit

But:

rbash is easy to break out of, you really should use an alternate technology (selinux, apparmor, virtualization).

What problem did you have ?

By: sss

sss — Wed, 19 Oct 2011 11:46:24 +0000

Nice write up, but won’t work on Debian…. ;P

By: aaron

aaron — Tue, 19 Jul 2011 00:17:01 +0000

great work. but still am not able to get the links (in /home/ruser/usr/bin) to work properly.. the $PATH is right and the links are also present in the directory.. but no luck if i try to run “vim” when i log in as ruser.. “no command found”

By: Shared SSH Sessions « System admin made easy

Shared SSH Sessions « System admin made easy — Sat, 02 Jul 2011 13:55:22 +0000

[...] rather then rbash is that AppArmor is more robust. jdong was kind enough to post a comment on my rbash blog showing he was able to break out of rbash in 10 [...]

By: bodhi.zazen

bodhi.zazen — Mon, 04 Apr 2011 14:51:54 +0000

Thank you for your review and comments.

ruser needs to be able to read ~/.ssh/authorized_keys , or you can move the key to an alternate location.

Honestly a restricted shell is depreciated, you should be using tools such as apparmor, selinux, or grsecurity as it is rather trivial to break out of rbash.

By: yoho

yoho — Mon, 04 Apr 2011 13:04:50 +0000

Also, if the home directory doesn’t belong to ruser, I’m not sure permissions are correct to enable public keys ssh authentication (using authorized_keys) : it sometimes check $home permissions (depending on the version).