Friday, August 24, 2007
Restricted Bash (rbash) and Hack-ish Jail
Why hack-ish? Well, I didn't use the formal chroot and other jail technologies to restrict some users. The premise is that certain users will only use a very basic set of commands:
ls
less
ping
tail
ps
top
grep
Create a group for the restricted users:
groupadd monitoringteam
Create a common home and bin directory:
mkdir -p /home/monitor/bin
Add a user:
useradd monitor-guy -g monitoringteam -d /home/monitor -s /bin/rbash
Create (or copy from /etc/skel) .bash_profile and .bashrc inside /home/monitor and add the following:
export PATH=~/bin
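Go to the bin directory under /home/monitor and create soft links to the basic commands. rbash does not let the user change PATH or run a command name containing a slash, so apart from shell builtins only what is linked here can be run: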
cd /home/monitor/bin
ln -s /bin/command_here commandname_here
Note: some of the commands are in /usr/bin/; use 'which' to find the paths. You can fine-tune this set-up :) As I said, this is hack-ish, quick and grungy.
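The symlink step, scripted as an added example (not part of the original post). It resolves each command from the list above instead of hard-coding /bin or /usr/bin, and goes one step further with an audit that flags anything in the bin directory that should not be there. The function names build_rbin and audit_rbin and the ALLOWED variable are hypothetical.

```shell
#!/bin/sh
# Added example: build and audit the restricted bin directory.
# ALLOWED mirrors the command list in the post; adjust it to taste.
ALLOWED="ls less ping tail ps top grep"

# build_rbin DIR: symlink every allowed command into DIR, using the
# absolute path that the admin's own PATH resolves it to.
build_rbin() {
    dir=$1
    mkdir -p "$dir" || return 1
    for cmd in $ALLOWED; do
        target=$(command -v "$cmd") || { echo "skip: $cmd not installed" >&2; continue; }
        case $target in
            /*) ln -sfn "$target" "$dir/$cmd" ;;
            *)  echo "skip: $cmd is not a file on disk ($target)" >&2 ;;
        esac
    done
}

# audit_rbin DIR: return non-zero if DIR contains an entry that is not on
# the allowlist, or an allowed name that is not a symlink to an executable.
audit_rbin() {
    dir=$1
    bad=0
    for entry in "$dir"/* "$dir"/.[!.]*; do
        # Skip unmatched glob patterns, but keep dangling symlinks.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        name=${entry##*/}
        case " $ALLOWED " in
            *" $name "*) ;;
            *) echo "unexpected entry: $name" >&2; bad=1; continue ;;
        esac
        if [ ! -L "$entry" ] || [ ! -x "$entry" ]; then
            echo "not a working symlink: $name" >&2; bad=1
        fi
    done
    return $bad
}
```

Source the file as root and run build_rbin /home/monitor/bin followed by audit_rbin /home/monitor/bin; re-run the audit whenever the directory is touched, since an extra link to a shell or an editor undoes the restriction.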
Labels: Centos, jail, Linux, rbash