Does anyone know of a way to prevent a user from running certain commands? For example, I would like to prevent users from copying data to and from the server without going through our SVN repo. (svn export vs scp)
Any ideas?
You can't (reliably) prevent users from launching a specific list of commands.
They will find a way around your restrictions somehow. (Don't bother trying to figure out how - you'll never think of all the possibilities, because it's an infinite set.)
You can restrict users to only be able to run a specific list of commands. (Invoke bash with the -r flag (or hard link it to the name rbash), and refer to the "RESTRICTED SHELL" section of the bash manpage.)
This is untenable for real use - it's like asking your users to type wearing boxing gloves.
If their accounts are that crippled you may as well force them to use remotely-triggered package management tools rather than giving them shell access.
Another (more viable) option is to make the deployment area only writable by a specific UID, and force the users to use sudo to run a deployment script that deploys changes to it.
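A sketch of the sudo-driven deployment script described in the answer above, as an added example that is not part of the original answer. The `deploy` account, the `developers` group, the script path, `REPO_URL` and `DEPLOY_ROOT` are all hypothetical placeholders; because the script runs under the privileged UID, it validates its one argument and pins `PATH` before calling `svn export`.

```shell
#!/bin/sh
# Added example, not from the original answer. Hypothetical names: the "deploy"
# account, the "developers" group, REPO_URL, DEPLOY_ROOT and the script path.
#
# sudoers entry (edit with visudo): developers may run only this script as "deploy":
#   %developers ALL=(deploy) NOPASSWD: /usr/local/sbin/deploy-from-svn
# DEPLOY_ROOT is owned by "deploy" and not writable by group or others.

PATH=/usr/bin:/bin; export PATH      # do not trust the caller's PATH
LC_ALL=C; export LC_ALL              # make the character ranges below byte-exact
REPO_URL="https://svn.example.invalid/repo/tags"   # placeholder URL
DEPLOY_ROOT="/srv/app"                             # placeholder path

# Accept only plain tag names: letters, digits, dot, underscore, hyphen.
# Rejects empty input, a leading dash or dot (option injection, ".."), and slashes.
valid_tag() {
    case "$1" in
        ''|-*|.*) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

deploy() {
    tag=$1
    valid_tag "$tag" || { echo "invalid tag: $tag" >&2; return 2; }
    release="$DEPLOY_ROOT/releases/$tag"
    if [ -e "$release" ]; then echo "already deployed: $tag" >&2; return 3; fi
    tmp=$(mktemp -d "$DEPLOY_ROOT/releases/.incoming.XXXXXX") || return 1
    # --force is needed because mktemp has already created the target directory.
    if svn export --non-interactive --quiet --force "$REPO_URL/$tag" "$tmp"; then
        chmod 755 "$tmp" && mv "$tmp" "$release" &&
            ln -sfn "$release" "$DEPLOY_ROOT/current"
    else
        rm -rf "$tmp"; return 1
    fi
}

# Run only when called with an argument: sudo -u deploy deploy-from-svn <tag>
if [ "$#" -gt 0 ]; then deploy "$1"; fi
```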
On Linux (and on Mac OS, being a Unix-like system) you could use ACLs, which extend the standard permissions based on "Owner User", "Owning Group User" and "Others". So you could create an extra group called e.g. "testers" that has the execution bit disabled for the binaries that you want to exclude.
http://www.techrepublic.com/blog/mac/introduction-to-os-x-access-control-lists-acls/1048
Of course, that doesn't prevent users from installing some software in their home directory.
Here, in "Is it possible to prevent SCP while still allowing SSH access?", you have a discussion that may be useful too.
HTH