rbash.md

File metadata and controls

104 lines (72 loc) · 2.54 KB

# Restricted users (rbash)

Based on rbash article

## When to use rbash?

  • SSH login-only user
  • Other user accounts
  • Application users
  • Other security and permission restriction cases

The example below creates a user named ruser that can run only the su command. An SSH login-only user is the ideal use case for rbash.

## Create a user

Create a user named ruser:

```shell
useradd ruser
```

Set a password for the new user (only users with a password can log in to the server):

```shell
passwd ruser
# then type in the new password twice
```

## Confirm rbash is installed

The rbash shell is preinstalled on most Linux distributions; to confirm it is installed, run:

```shell
cat /etc/shells
# and:
which rbash
# both commands should list /bin/rbash
```

If rbash is not listed in /etc/shells, install it via apt-get or aptitude. After installation, check /etc/shells again to make sure it is activated.

## Change user's shell

To change the user's default shell use chsh (change shell):

```shell
chsh -s /bin/rbash ruser
```

## Create user's home directory

```shell
# Create directory
mkdir -p /home/ruser

# Set home directory
usermod -m -d /home/ruser ruser
```

## Create shell profiles

```shell
# Go to ruser home directory
cd /home/ruser
# Create profile
touch .bashrc
echo "export PATH=/home/ruser/usr/bin" >> .bashrc
# Copy it to every other startup file bash may read on login
for i in .bash_login .bash_profile .bash_logout .profile; do cp .bashrc "$i"; done
```

## Create user's bin directory

```shell
mkdir -p /home/ruser/usr/bin
```

From now on, ruser cannot run any commands after logging in via su, sudo or ssh, because PATH points only at the still-empty bin directory.

## Link allowed commands

For example, to allow ruser to run su:

```shell
which su
# returns /bin/su, copy it
ln -s /bin/su /home/ruser/usr/bin
#     │       └─ symlink to ruser's bin
#     └─ output from `which`
```

Repeat the same procedure for every command (program, package) that ruser should be allowed to run.

## Set right permissions

```shell
chmod -R 750 /home/ruser
chown -R ruser:ruser /home/ruser
```
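The steps above, gathered into one script as an added example (this is not code from the original rbash.md). The user name and the allowed commands are parameters rather than the fixed ruser/su of the page, and the file-level steps (profiles, bin directory, symlinks) take explicit paths so they can be exercised against a scratch directory without root. The function names are assumptions of this example; `rbash_check` is an added verification step that the page does not have.

```shell
#!/bin/sh
# Added example, not part of the original page: the rbash setup procedure
# as functions, plus a check that the result matches what was intended.
set -u

# Startup files that bash may read on login; all of them get the same PATH.
PROFILE_FILES=".bashrc .bash_login .bash_profile .bash_logout .profile"

# Step "Create shell profiles": every startup file pins PATH to the
# restricted bin directory. rbash enforces its restrictions only after the
# startup files are read, so this is the PATH the user ends up with and
# cannot change afterwards.
#   $1 = home directory, $2 = restricted bin directory
rbash_write_profiles() {
    home=$1 bindir=$2
    mkdir -p "$home" "$bindir" || return 1
    for f in $PROFILE_FILES; do
        printf 'export PATH=%s\n' "$bindir" > "$home/$f" || return 1
    done
}

# Step "Link allowed commands": symlink each absolute command path into the
# restricted bin directory. Refuses anything that is not an executable file,
# so a typo does not silently produce a dangling link.
#   $1 = restricted bin directory, remaining args = absolute command paths
rbash_link_commands() {
    bindir=$1; shift
    for cmd in "$@"; do
        [ -f "$cmd" ] && [ -x "$cmd" ] \
            || { echo "not an executable file: $cmd" >&2; return 1; }
        ln -sf "$cmd" "$bindir/$(basename "$cmd")" || return 1
    done
}

# Verification (added check): every profile pins PATH to bindir, and bindir
# contains nothing beyond the expected commands. Reports the first
# deviation on stderr and returns 1.
#   $1 = home directory, $2 = restricted bin directory, rest = allowed paths
rbash_check() {
    home=$1 bindir=$2; shift 2
    for f in $PROFILE_FILES; do
        grep -qxF "export PATH=$bindir" "$home/$f" 2>/dev/null \
            || { echo "profile $home/$f does not pin PATH to $bindir" >&2; return 1; }
    done
    for entry in "$bindir"/*; do
        [ -e "$entry" ] || continue          # empty directory: glob unexpanded
        name=$(basename "$entry"); ok=0
        for cmd in "$@"; do
            [ "$name" = "$(basename "$cmd")" ] && ok=1
        done
        [ "$ok" = 1 ] \
            || { echo "unexpected command in $bindir: $name" >&2; return 1; }
    done
    return 0
}

# Full procedure, to be run as root: confirm rbash, create the user, switch
# the shell, write profiles, link commands, set permissions, then verify.
# The password is still set separately with: passwd <user>
#   $1 = user name, remaining args = absolute paths of allowed commands
rbash_setup_user() {
    user=$1; shift
    home=/home/$user bindir=/home/$user/usr/bin
    grep -qxF /bin/rbash /etc/shells \
        || { echo "/bin/rbash is not listed in /etc/shells" >&2; return 1; }
    id "$user" >/dev/null 2>&1 || useradd "$user" || return 1
    chsh -s /bin/rbash "$user" || return 1
    rbash_write_profiles "$home" "$bindir" || return 1
    rbash_link_commands "$bindir" "$@" || return 1
    chmod -R 750 "$home" && chown -R "$user:$user" "$home" || return 1
    rbash_check "$home" "$bindir" "$@"
}

# usage (as root), equivalent to the page's ruser/su example:
#   rbash_setup_user ruser /bin/su
```

`rbash_check` catches the two mistakes most likely to undo the restriction: a startup file that does not set PATH (a login through that file would give the user the system default PATH) and a stray entry in the bin directory. One point to keep in mind with the page's final chown: the restricted user then owns the profile files, so if the allowed set ever includes a program that can write files, the user could rewrite PATH; keep the linked command set as small as the use case allows.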

Further reading: