1

How can I limit the scope of executable commands a Linux user can run?

For example, I only want a user to be able to run the ls command and nothing else. If the user tried, for example, to run cat, Linux would throw an error or return null.

I've looked into the alias command to set a predefined list of custom commands, but this doesn't limit the user from running other commands. I actually would love to set alias commands then limit the scope to just those.

I've also looked into this documentation on confining users, but I'm still unsure about how to go about it.

Scope: I'm using a service account to run SSH commands within our PHP app. I want to limit the commands for that service account to prevent a situation where someone injects commands into the ssh_exec(); call, such as ls with an injected | some command

I think I'll try this: https://github.com/ghantoos/lshell

  • 1
    Can you tell us more about why you think you need to do this? There are several different approaches that may apply here, but you need to give us more context so we can advise you. Or are you just looking for a getting started guide to SELinux? – Zoredache Jan 23 '14 at 23:33
  • See above Scope – George Ortiz Jan 23 '14 at 23:50

3 Answers

2

You can also bind commands to specific ssh keys in the authorized keys file.

from="host.com",command="/bin/ls" ssh-dss <SSH PUBLIC KEY>

What this does is restrict access to the account using a certain SSH public key to only run a specific command from a specific host. See

man sshd 

for more options.

1

I would probably engage this situation by writing a wrapper script. There is a part solution available here for you to begin with, please read up and see if you can't make it from this link.

https://unix.stackexchange.com/questions/92049/restrict-standard-users-to-run-a-command-with-a-specific-argument

I know this specifies the use of UID, if you need this for several users, think in terms of using GID instead and putting all these kinds of users in that very same group.

Cheers and good luck!

user185212
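
Added example (not part of either answer above, and not code from any linked project): a forced-command wrapper that combines the command= option from the first answer with the wrapper-script idea from the second. The install path /usr/local/bin/ssh-allow, the directory /srv/app/data and the extra key options are assumptions chosen for illustration.

```shell
#!/bin/sh
# Forced-command wrapper (hypothetical path /usr/local/bin/ssh-allow).
# Constructed authorized_keys entry for the service account's key:
#   from="host.com",command="/usr/local/bin/ssh-allow",no-pty,no-port-forwarding ssh-ed25519 <SSH PUBLIC KEY>
# sshd runs this script for every session on that key and passes whatever the
# client asked for in SSH_ORIGINAL_COMMAND. It is treated as data, never eval'd.
LC_ALL=C; export LC_ALL          # keep A-Z style ranges byte-exact

# Hypothetical base directory the PHP app is allowed to list.
ALLOWED_ROOT=/srv/app/data

# validate_request REQUEST
# Prints the absolute path to list and returns 0, or returns 1 to reject.
validate_request() {
    req=$1
    # Reject anything outside a conservative character set: this drops
    # | ; & $ ` ( ) < > quotes, globs, newlines and other shell syntax.
    case $req in
        *[!A-Za-z0-9_./\ -]*) return 1 ;;
    esac
    # Only "ls" or "ls <relative-path>" is accepted.
    case $req in
        ls) rel= ;;
        "ls "*) rel=${req#ls } ;;
        *) return 1 ;;
    esac
    # No options, no second argument, no absolute path, no parent traversal.
    case $rel in
        -*|/*|*" "*|..|../*|*/..|*/../*) return 1 ;;
    esac
    printf '%s\n' "$ALLOWED_ROOT${rel:+/$rel}"
}

# Act only when sshd supplied a command; an interactive login gets no shell.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    if target=$(validate_request "$SSH_ORIGINAL_COMMAND"); then
        exec /bin/ls -- "$target"
    fi
    # Rejections are logged so injection attempts show up in syslog.
    logger -t ssh-allow -- "rejected: $SSH_ORIGINAL_COMMAND" 2>/dev/null
    echo "command not permitted" >&2
    exit 1
fi
```

Because the wrapper calls /bin/ls directly with a single validated argument, a request such as ls | some command is rejected before any shell parses it.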
0

If you want to limit command executions of SSH users, you can use ChrootDirectory, introduced in OpenSSH 4.9p1.

You will also find a statically-linked binary of busybox useful in setting up a chroot environment. (The above article puts a lot of effort into setting up a complete chroot environment.)

nodakai