参考网:https://access.redhat.com/solutions/65822#

环境

  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6

问题

  • Need to restrict the normal users to run only limited set of commands assigned to him/her and all other commands for which normal user have permission to execute by-default, shall not be executed.

E.g: user XYZ can run only gzip and gunzip commands.

决议

Disclaimer : This is just a hack, not recommended for Actual Production Use

  • The normal user has been given permission to execute some commands which are available in /bin/ and /usr/local/bin/, So to remove those permissions and to restrict the user to run only particular set of commands, following steps shall be useful.

1. Create the restricted shell.

# cp /bin/bash /bin/rbash

2. Modify the target user for the shell as restricted shell

While creating user:

# useradd -s /bin/rbash localuser

For existing user:

# usermod -s /bin/rbash localuser

For more detailed information on this, please check the KBase Article 8349

Then the user localuser is chrooted and can't access the links outside his home directory /home/localuser

3. Create a directory under /home/localuser/, e.g. programs

# mkdir /home/localuser/programs

4. Now if you check, the user localuser can access all commands which he/she has allowed to execute. These commands are taken from the environmental PATH variable which is set in /home/localuser/.bash_profile. Modify it as follows.

# cat /home/localuser/.bash_profile
# .bash_profile # Get the aliases and functions
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi
# User specific environment and startup programs
PATH=$HOME/programs
export PATH

Here the PATH variable is set to ~/programs directory, as /usr/local/bin is binded to /home/username/bin and /bin is binded to /home/username/bin so replacing that.

5. Now after logging with the username localuser, user cant run a simple command too. The output will be like this,

[localuser@example ~]$ ls
-rbash: ls: command not found
[localuser@example ~]$ less file1
-rbash: less: command not found
[localuser@example ~]$ clear
-rbash: clear: command not found
[localuser@example ~]$ date
-rbash: date: command not found
[localuser@example ~]$ ping redhat.com
-rbash: ping: command not found

6. Now create the softlinks of commands which are required for user localuser to execute in the directory /home/localuser/programs

# ln -s /bin/date /home/localuser/programs/
# ln -s /bin/ls /home/localuser/programs/
# ll /home/localuser/programs/
total 8
lrwxrwxrwx 1 root root 9 Oct 17 15:53 date -> /bin/date
lrwxrwxrwx 1 root root 7 Oct 17 15:43 ls -> /bin/ls

Here examples of date and ls commands has been taken

7. Again login with user localuser and try to execute the commands.

[localuser@example ~]$ date
Mon Oct 17 15:55:45 IST 2011
[localuser@example ~]$ ls
file1 file10 file2 file3 file4 file5 file6 file7 file8 file9 programs
[localuser@example ~]$ clear
-rbash: clear: command not found

8. One more step can be added to restrict the user for making any modifications in their .bash_profile , as users can change it.

Run the following command to make the user localuser's .bash_profile file as immutable so that root/localuser can't modify it until root removes immutable permission from it.

# chattr +i /home/localuser/.bash_profile

To remove immutable tag,

# chattr -i /home/localuser/.bash_profile

Make file .bash_profile as immutable so that user localuser can't change the environmental paths.

centos限制用户使用部分命令的更多相关文章

  1. centos的用户管理相关命令所在的包

    用户管理命令是指:useradd userdel  groupadd groupdel 这些 这些命令出自一个叫 shadow-utils 的包. 对于配置文件 /etc/shadow ,则来自一个叫 ...

  2. Linux实战案例(4)CentOS清除用户登录记录和命令历史方法

    CentOS清除用户登录记录和命令历史方法 清除登陆系统成功的记录[root@localhost root]# echo > /var/log/wtmp //此文件默认打开时乱码,可查到ip等信 ...

  3. CentOS 7 用户怎样安装 LNMP(Nginx+PHP+MySQL)

    关于 Nginx (发音 “engine x”)这是一款免费.开源.高效的 HTTP 服务器,Nginx是以稳定著称,丰富的功能,结构简单,低资源消耗.本教程演示如何在CentOS 6.5服务器(适用 ...

  4. CentOS 7 用户账户配置

    说明: 1.这篇博文记录的是CentOS 7 用户账户的配置,包括添加用户.添加用户组.删除用户.删除用户组等.其中包括分析用户的配置文件.目录以及对安全的思考. 2.用户配置方面CentOS 7与以 ...

  5. centos单用户模式:修改ROOT密码和grub加密

    centos单用户模式:修改ROOT密码和grub加密 CentOSLinux网络应用配置管理应用服务器  Linux 系统处于正常状态时,服务器主机开机(或重新启动)后,能够由系统引导器程序自动引导 ...

  6. CentOS修改用户密码方法

    CentOS修改用户密码方法 CentOS修改用户密码方法 1. 普通用户 a. 获取超级用户root权限 命令:su或者su -或者su - root b. passwd 用户名 2. 超级用户 a ...

  7. Centos硬盘IO性能检测命令iostat[转]

    Centos硬盘IO性能检测命令iostat[转] 在Linux下频繁存取文件后,物理内存会很快被用光,当程序结束后,内存不会被正常释放,而是一直作为caching.这个问题,貌似有不少人在问,不过都 ...

  8. centos的用户、组权限、添加删除用户等操作的详细操作命令

    1.Linux操作系统是多用户多任务操作系统,包括用户账户和组账户两种 细分用户账户(普通用户账户,超级用户账户)除了用户账户以为还 有组账户所谓组账户就是用户账户的集合,centos组中有两种类型, ...

  9. CentOS 修改用户密码

    CentOS 修改用户密码 1.普通用户 ①获取超级用户root权限 命令:su 或者 su- 或者 su -root ②输入命令: passwd 用户名 ③输入新密码 2.超级用户 ①打开syste ...

随机推荐

  1. 黄聪:JQUERY的datatables插件,Date range filter时间段筛选功能

    需配合moment插件实现:http://momentjs.com/ 演示:http://live.datatables.net/zuciyawi/1/edit HTML代码 <!DOCTYPE ...

  2. 【git】之常用命令

    再使用git过程常用的命令在6-10左右,但是如果你想精通git那么需要记住的命令在80左右, 下面看这张图,我们了解一下git的概念的常用操作! Workspace:工作区(例如eclipse的工作 ...

  3. Spring-framework应用程序启动loadtime源码分析笔记(二)——@Transactional

    @Transactional标识类或方法,使方法被执行时使用事务方式执行,这里只讨论PROXY方法增强方法.使用@EnableTransactionManagement,默认model=AdviceM ...

  4. linux一些基本知识

    一.linux i386是32位的,amd64是64位(一般情况不限intel或者amd)       server是服务器版,desktop是桌面版 Desktop是社区开源版,拥有一些新功能新软件 ...

  5. 中级 jQuery 了解

    初级阶段的知识已经结束:中级要接触的东西:jQuery  php  css3  移动端: get Context("2d")   2d画布: draw Image()     绘制 ...

  6. word搜狗输入失效切换方法

  7. win7 没有权限使用网络资源

    局域网下同一工作组电脑无法访问 提示"....没有权限使用网络资源...." 一.组策略 win + R 输入gpedit.msc并回车,打开本地组策略编辑器 按如下展开 计算机配 ...

  8. React 懒加载组件

    //组件第一次初始化的时候加载. import React, {PropTypes} from 'react'; //import AppComposer from './views/App/AppC ...

  9. Vue百度搜索

    <!DOCTYPE html><html lang="en"><head> <meta charset="GBK"&g ...

  10. 动态添加XtraTabControl的page页和子窗体

    using System; using System.Collections.Generic; using System.Linq; using System.Reflection; using Sy ...