1. Introduction
More often than not, as system administrators, we may block access to specific commands for a user on the Linux system. This can minimize the risk of unauthorized actions, prevent accidental misuse, and enhance overall system integrity.
In this tutorial, we’ll elucidate various ways of blocking access to particular commands for a user in Linux.
2. Access Restriction Using .bashrc Configuration
Usually, the .bashrc file is a script that runs each time a user starts an interactive Bash shell session. While it’s primarily used for configuring the shell environment, it can also be leveraged for access control.
To implement these restrictions, we’ll be adding a couple of statements to deny access to the commands. Ensure that the user has appropriate permission to edit the .bashrc configuration file. In the below illustration, we’re blocking the execution of the mkdir command. Also, the readonly command in the configuration makes the function immutable:
$ vi ~/.bashrc
...
... output truncated ...
...
/bin/mkdir() {
echo "Permission denied: You don't have the privilege to execute the mkdir command."
}
mkdir() {
echo "Permission denied: You don't have the privilege to execute the mkdir command."
}
./mkdir() {
echo "Permission denied: You don't have the privilege to execute the mkdir command."
}
readonly -f /bin/mkdir
readonly -f mkdir
readonly -f ./mkdirAfter adding the above configuration, whenever the user logs in to the new session and tries to execute the mkdir command, it throws a “permission denied message”.
Again, this .bashrc provides a quick and user-specific approach, but it may not be as secure or comprehensive as other methods:
$ mkdir -p /home/baeldung/sriram
Permission denied: You don't have the privilege to execute the mkdir command.3. Securing Access with lshell Management
Alternatively, we can also use lshell (limited shell) to provide limited access to users. It is also considered a standard approach and is designed to restrict command or directory access to specific users.
3.1. Installation of lshell
There are multiple ways of installing the lshell tool in Linux distributions. The default option is to use the apt command:
$ sudo apt update -y && sudo apt upgrade -y
$ sudo apt install lshell -yAlso, we can install using source code through a git clone and execute setup.py in –no-compile mode:
$ git clone https://github.com/ghantoos/lshell.git
Cloning into 'lshell'...
...
... output truncated ...
...
Resolving deltas: 100% (1096/1096), done.
$ cd lshell/; sudo python3 setup.py install --no-compile --install-scripts=/usr/bin/
from distutils.core import setup
running install
running build
creating build/lib/lshell
copying lshell/utils.py -> build/lib/lshell
...
... output truncated ...
...
Writing /usr/local/lib/python3.10/dist-packages/lshell-0.9.18.egg-infoHere, the lshell is installed successfully in the /usr/bin/lshell path:
$ which lshell
/usr/bin/lshell3.2. lshell Configuration
Configuring lshell involves editing its configuration file to define the allowed commands, paths, and other user restrictions. We can open the configuration file using any text editor. Further, define the restricted command using forbidden tags and other optional tags like warning_counter and strict:
$ grep -A 5 "sriram" /etc/lshell.conf
[sriram]
forbidden : ['mkdir','df']
warning_counter : 2
strict : 0Lastly, save the configuration file and change the shell for the user to lshell using the chsh command to enforce restriction changes:
$ sudo chsh -s /usr/bin/lshell sriram3.3. Verification
Now, we can log in using the specific user credentials and check whether the configured mkdir and df commands are blocked for this user space:
$ ssh [email protected]
sriram@localhost's password:
You are in a limited shell.
Type '?' or 'help' to get the list of allowed commands
sriram:~$ mkdir baeldung
*** forbidden syntax: mkdir baeldung
sriram:~$ df
*** forbidden syntax: df4. Conclusion
In conclusion, implementing access controls by blocking access to particular commands for users in a Linux environment is critical to ensuring system security and integrity. Through various methods, the simplest is using .bashrc, whereas the standard approach is using lshell. Using these methods, system administrators can define and enforce restrictions on user activities.
These measures help prevent the unauthorized or accidental execution of sensitive commands, mitigating the risk of security breaches and ensuring that users operate within prescribed boundaries.