Sometimes you may need to limit user commands in Linux. This is a common requirement by system administrators to prevent unauthorized users from running key commands that can damage the system. There are several ways to restrict user commands in Linux. In this article, we will learn how to limit user commands in Linux.
How to Limit User Commands in Linux
Here are the steps to restrict user commands in Linux. We have assumed that each user has its own directory at /home/[username] and their default shell is /bin/bash.
1. Change User’s Bash to Restricted Bash
Bash allows you to run the shell in restricted mode, which prevents users from changing directories and making other critical changes. By default, users are logged into an unrestricted bash shell. You can change the user's shell to the restricted bash shell by running the following command in a terminal.
$ chsh -s /bin/rbash [username]
Once you run this command, the user [username] will be able to work only within the restricted bash shell when they log in.
2. Change Directory Permissions
Every user has their own home directory at /home/[username]. You can edit their permissions so that only the user (and root) is able to edit this directory, and not others. You can do this using the chmod command.
$ chmod 755 /home/[username]
3. Remove user’s .bashrc file
Every user has their own .bashrc file, which is executed to configure that user's shell when it is loaded. You can remove it so that users are unable to modify their default shell.
$ rm /home/[username]/.bashrc
4. Create Safe Aliases
Linux allows you to create aliases for commands, which act like shortcuts. You can use this feature to disable commands too. For this purpose, create an empty .bash_profile file.
$ vi .bash_profile
Here is an example that creates an alias for the apt-get command, which is used to download & install packages in Ubuntu/Debian systems. Add the following line to the above file for this purpose.
alias apt-get="printf ''"
In the above command, Linux will simply print an empty string when the user calls the apt-get command, effectively disabling it. Similarly, you can add more aliases in this file for the commands you want to disable.
alias aptitude="printf ''"
alias vi="vi -Z"
alias alias="printf ''"
The last command, alias alias, disables even aliasing for the user. But please add it at the end, otherwise it will disable the ability to alias the previous commands.
Save and close the file once you are done. Please note, once an alias has been created for a command, Linux will always use the alias, instead of the original command, until you remove it.
You can use this method to disable other commands such as ls, rm, cp, mv, etc. if you want to.
5. Disable Shell Commands
You can disable shell commands in vi by aliasing vi command to restricted mode, as mentioned above.
alias vi="vi -Z"
6. Change Ownership of .bash_profile
Also, you can change the ownership of .bash_profile so that only the root user can modify it. This way users will not be able to modify their .bash_profile file and run unauthorized commands.
$ chown root:root /home/[username]/.bash_profile
7. Remove User Permission in .bash_profile
Lastly, remove the user's permission from the .bash_profile file.
$ chmod 755 /home/[username]/.bash_profile
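To confirm that the steps above were actually applied to an account, the following audit script can be run afterwards. It is an added example, not part of the original article: the function name audit_user and its OWNER_UID parameter are assumptions made here, and it checks the login shell, the removed .bashrc, the owner and write permissions of .bash_profile, and that alias alias is the last alias line.

```shell
#!/bin/sh
# Added example (not from the article): audit one account against the steps above.
# Usage: audit_user PASSWD_FILE USERNAME [OWNER_UID]
#   OWNER_UID is the uid expected to own .bash_profile (default 0 = root);
#   the parameter exists so the check can be exercised without root.
# Prints one line per finding; the return status is the number of findings.
audit_user() {
    passwd_file=$1; user=$2; owner_uid=${3:-0}; findings=0
    fail() { echo "FAIL: $*"; findings=$((findings + 1)); }

    entry=$(awk -F: -v u="$user" '$1 == u' "$passwd_file")
    [ -n "$entry" ] || { echo "FAIL: no passwd entry for $user"; return 1; }
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)

    # Step 1: the login shell must be restricted bash.
    case $shell in
        */rbash) ;;
        *) fail "login shell is $shell, not rbash" ;;
    esac

    # Step 3: .bashrc should be gone.
    [ ! -e "$home/.bashrc" ] || fail "$home/.bashrc still exists"

    # Steps 4, 6 and 7: .bash_profile exists, has the expected owner and is
    # not writable by group or others.
    profile=$home/.bash_profile
    if [ ! -f "$profile" ]; then
        fail "$profile is missing"
    else
        set -- $(ls -ldn "$profile")    # $1 = mode string, $3 = numeric owner
        [ "$3" = "$owner_uid" ] || fail "$profile is owned by uid $3"
        case $1 in
            ?????w*|????????w*) fail "$profile is group/other writable ($1)" ;;
        esac
        # Step 4 caveat: 'alias alias=' must be the last alias line.
        if grep -q '^alias alias=' "$profile"; then
            last=$(grep '^alias ' "$profile" | tail -n 1)
            case $last in
                'alias alias='*) ;;
                *) fail "'alias alias=' is not the last alias in $profile" ;;
            esac
        fi
    fi
    return "$findings"
}

# Run against the real system when a username is given on the command line.
if [ "$#" -ge 1 ]; then audit_user /etc/passwd "$1"; fi
```

Saved as a script and run as root with a username as its only argument, it audits that account using /etc/passwd and exits with the number of findings.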
In this article, we have seen several ways to limit user commands in Linux. You can make a list of commands that you don’t want your users to be able to execute, and disable them on your system for those users.
Sreeram has more than 10 years of experience in web development, Python, Linux, SQL and database programming.