Home > Shells > Linux Restricted Shell

Linux Restricted Shell

This is typical situation, you created users that were intended to stay in their /home environment, however they seem to have a knack of poking around all your server directories.

A restricted shell is a Unix shell that has been modified to allow the Unix shell user to do fewer things than a normal shell would allow him to do. Restricted shells allow you to control the user’s environment allowing only specific admin-aproved commands.

rssh behaves identically to bash with the exception that at least one of the following commands are allowed:

scp – secure copy
sftp – secure FTP
cvs – control versions system
rsync – sync filesystem
rdist – backup utility

Is available through yum in fedora and apt-get in debian. Also you can get a fresh copy from the official website (http://dragontoe.org/rssh/)

In fedora:
# yum install rssh

In Debian:
# apt-get install rssh

Now rssh is installed by default it’s configuration will lock down everything including any sort of access. We need to set up the configuration file. The default file is located at /etc/rssh.conf

For example, I only want to allow only scp and sftp to my server. Also I’m leaving some commented lines for future usage, just in case.

allowscp
allowsftp
#allowcvs
#allowrdist
#allowrsync

There is no rssh service and the configuration is read on the fly.

Next logical step is to add some users.

# useradd -m -d /home/sara -s /usr/bin/rssh sara

Or if the user already exists, use chmod to assign the restricted shell.

# usermod -s /usr/bin/rssh sara

Now, lets say if sara tries to connect the server with ssh or telnet a message like the following will appear.

This account is restricted by rssh.
Allowed commands: scp sftp

If you believe this is in error, please contact your system administrator.

Connection to localhost closed.

rssh is a simple way to implement security on your server and rather than a unbreakable security measure, rssh is just the start to forge a secure server. It should be awesome if you could also include a unix jail or a custom restricting script written in your favorite programming language.

Just remember to never underestimate the ingenuity of your users.

Good luck!

Advertisements
Categories: Shells Tags:
  1. Alexwebmaster
    March 3, 2009 at 19:07

    Hello webmaster
    I would like to share with you a link to your site
    write me here preonrelt@mail.ru

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: