{"id":211324,"date":"2021-03-25T15:00:00","date_gmt":"2021-03-25T12:00:00","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/how-to-use-restricted-shell-to-limit-what-a-linux-user-can-do\/"},"modified":"2021-03-25T15:00:00","modified_gmt":"2021-03-25T12:00:00","slug":"how-to-use-restricted-shell-to-limit-what-a-linux-user-can-do","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/how-to-use-restricted-shell-to-limit-what-a-linux-user-can-do\/","title":{"rendered":"#How to Use Restricted Shell to Limit What a Linux User Can Do"},"content":{"rendered":"<p><strong>&#8220;#How to Use Restricted Shell to Limit What a Linux User Can Do&#8221;<\/strong><\/p>\n<div>\n<figure style=\"width: 650px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-442612 
size-full\" src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2019\/09\/stock-lede-linux-see-attribution.png\" alt=\"A terminal window on a Linux system.\" width=\"650\" height=\"300\" data-credittext=\"Fatmawati Achmad Zaenuri\/Shutterstock\" data-crediturl=\"https:\/\/www.shutterstock.com\/image-vector\/linux-interface-screen-notebook-world-map-321627716\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><figcaption class=\"wp-caption-text\"><span class=\"imagecredit\"><a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.shutterstock.com\/image-vector\/linux-interface-screen-notebook-world-map-321627716\">Fatmawati Achmad Zaenuri\/Shutterstock<\/a><\/span><\/figcaption><\/figure>\n<p>A restricted shell limits what a user account can do on Linux. A restricted user cannot change their directory, and you control which commands they have access to. Here\u2019s how to set up a restricted shell on Linux.<\/p>\n<h2 id=\"restricted-shells\"><span class=\"ez-toc-section\" id=\"Restricted_Shells\"><\/span>Restricted Shells<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>A restricted shell isn\u2019t a different shell. It\u2019s a different mode of a standard shell. The\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.gnu.org\/software\/bash\/\">Bash<\/a>,\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"http:\/\/www.kornshell.com\/\">Korn<\/a>,\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/fishshell.com\/\">Fish<\/a>, and other shells can all be started in restricted shell mode. 
We\u2019ll be using Bash in this article, but the same principles apply to the other shells.<\/p>\n<p>Because restricted shells are just another way of using your standard shell, they are easy to set up. There\u2019s nothing to install, and they\u2019re available wherever Linux is.<\/p>\n<p>Restricted shells can be applied to scripts, too. That ensures that any damage they may cause if they\u2019ve been written incorrectly is limited to the confines of their restricted world and that they don\u2019t have access to your entire computer.<\/p>\n<p>Be aware, though, that restricted shells are not completely escape-proof. Someone with enough knowledge can escape a restricted shell. They\u2019re great for putting safe boundaries on a casual user, but don\u2019t rely on restricted shells for any real-world security on a production system.<\/p>\n<p><strong>RELATED:<\/strong> <strong><em>What&#8217;s the Difference Between Bash, Zsh, and Other Linux Shells?<\/em><\/strong><\/p>\n<h2 id=\"restricted-bash\"><span class=\"ez-toc-section\" id=\"Restricted_Bash\"><\/span>Restricted Bash<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>When you run Bash as a restricted shell, the user has some capabilities removed from them. Specifically, the user <em>cannot<\/em>:<\/p>\n<ul>\n<li>Use <code>cd<\/code> to change the working directory.<\/li>\n<li>Change the values of the <code>$PATH<\/code>, <code>$SHELL<\/code>, <code>$BASH_ENV<\/code>, or <code>$ENV<\/code> environment variables (but they can read the current values).<\/li>\n<li>Read or change the <code>$SHELLOPTS<\/code> shell options.<\/li>\n<li>Redirect the output of a command.<\/li>\n<li>Invoke commands that require a path to locate them. 
That is, you can\u2019t issue a command that has one or more forward slashes \u201c<code>\/<\/code>\u201d in it.<\/li>\n<li>Invoke <code>exec<\/code> to substitute a different process for the shell.<\/li>\n<li>Use any of the restricted features from within a script.<\/li>\n<\/ul>\n<p>You can invoke a restricted Bash shell by using the <code>-r<\/code> (restricted) option. Trying to do a simple task like changing the working directory is forbidden. A terse message tells you that <code>cd<\/code> is restricted.<\/p>\n<pre>bash -r<\/pre>\n<pre>cd Documents<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-718082\" src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2021\/03\/1-2.png\" alt=\"\" width=\"646\" height=\"122\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>The Bash shell can also detect when it has been invoked using \u201crbash\u201d instead of \u201cbash.\u201d This causes it to start as a restricted shell, too. This provides a convenient way to set the default shell for a particular user, which we\u2019ll use soon.<\/p>\n<p>If we use the <code>whereis<\/code> command on Ubuntu to look for the <code>rbash<\/code> files, we\u2019ll see that the executable is in the \u201c\/usr\/bin\u201d directory. 
The man page is in the \u201c\/usr\/share\/man\/man1\u201d directory.<\/p>\n<p>Using the <code>ls<\/code> command with the <code>-l<\/code> (long) option reveals that <code>rbash<\/code> is actually a symbolic link to <code>bash<\/code>.<\/p>\n<pre>whereis rbash<\/pre>\n<pre>ls -l \/usr\/bin\/rbash<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-718084\" src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2021\/03\/2-1.png\" alt=\"\" width=\"646\" height=\"123\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>On Manjaro and Fedora, the <code>rbash<\/code> symbolic link had to be created. This works on both distributions:<\/p>\n<pre>whereis rbash<\/pre>\n<pre>sudo ln -s \/bin\/bash \/bin\/rbash<\/pre>\n<pre>whereis rbash<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-718107\" src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2021\/03\/2a.png\" alt=\"\" width=\"646\" height=\"157\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>The second time we use the <code>whereis<\/code> command, it finds <code>rbash<\/code> in the \u201c\/usr\/bin\u201d directory.<\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"Restricting_a_User\"><\/span>Restricting a User<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Let\u2019s create a new user\u00a0account named \u201cMinnie.\u201d We\u2019ll set their shell to be the restricted shell using the <code>-s<\/code> (shell) option of the <code>useradd<\/code> command. 
We\u2019ll also set the account\u2019s password using the <code>passwd<\/code> command, and we\u2019ll create a home folder for them.<\/p>\n<p>The <code>-p<\/code> (parents) flag in the <code>mkdir<\/code> command tells <code>mkdir<\/code> to create the target directory and any parent directories that it needs to create, too. So by creating the \u201c\/home\/minnie\/bin\u201d directory, we create the \u201c\/home\/minnie\u201d directory at the same time.<\/p>\n<pre>sudo useradd minnie -s \/bin\/rbash<\/pre>\n<pre>sudo passwd minnie<\/pre>\n<pre>sudo mkdir -p \/home\/minnie\/bin<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-718239\" src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2021\/03\/3-1.png\" alt=\"\" width=\"646\" height=\"167\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>When minnie logs in, she will be running in a restricted shell.<\/p>\n<pre>cd<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-718247\" src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2021\/03\/4-1.png\" alt=\"\" width=\"646\" height=\"97\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>She cannot invoke commands whose name includes a forward slash \u201c<code>\/<\/code>\u201d:<\/p>\n<pre>\/usr\/bin\/ping<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-718249\" src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2021\/03\/5-1.png\" alt=\"\" width=\"646\" height=\"97\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>However, she can still execute commands that are 
found in the path.<\/p>\n<pre>ping<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-718250\" src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2021\/03\/6-1.png\" alt=\"\" width=\"646\" height=\"247\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>That\u2019s not the behavior you might have expected, and it certainly isn\u2019t what we want. To tighten the restrictions further, we need to change the path that minnie\u2019s shell will use to look for commands.<\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"Tightening_the_Restrictions\"><\/span>Tightening the Restrictions<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>When we created minnie\u2019s home directory \u201c\/home\/minnie\u201d, we also created a \u201c\/home\/minnie\/bin\u201d directory. This is where that directory comes into play.<\/p>\n<p>We\u2019re going to edit minnie\u2019s \u201c.bash_profile\u201d file and set her path to point to that directory only. We\u2019ll also restrict minnie\u2019s \u201c.bash_profile\u201d file so that only root can edit it. 
That means that no other user can edit that file and change her path.<\/p>\n<pre>sudo gedit \/home\/minnie\/.bash_profile<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-718279\" src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2021\/03\/7-1.png\" alt=\"\" width=\"646\" height=\"57\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>Either edit the existing \u201cPATH=\u201d or add the following line:<\/p>\n<pre>PATH=$HOME\/bin<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-718280\" src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2021\/03\/8.png\" alt=\"\" width=\"646\" height=\"117\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>Save the file. We\u2019ll <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/man7.org\/linux\/man-pages\/man1\/chown.1.html\">change the owner of the file<\/a> to root using the <code>chown<\/code> command and <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/man7.org\/linux\/man-pages\/man1\/chmod.1.html\">change the file permissions<\/a> using the\u00a0<code>chmod<\/code>\u00a0command. 
Only the root user will be able to edit the file.<\/p>\n<pre>sudo chown root:root \/home\/minnie\/.bash_profile<\/pre>\n<pre>sudo chmod 755 \/home\/minnie\/.bash_profile<\/pre>\n<pre>ls -l \/home\/minnie\/.bash_profile<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-718283\" src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2021\/03\/11-1.png\" alt=\"\" width=\"646\" height=\"132\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>The next time user minnie logs in, her path points to a single folder.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-718281\" src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2021\/03\/9-1.png\" alt=\"\" width=\"646\" height=\"97\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>Our restricted user minnie can only use Bash built-in commands like <code>echo<\/code>, <code>alias<\/code>, and <code>logout<\/code>. She can\u2019t even use <code>ls<\/code>!<\/p>\n<pre>ls<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-718286\" src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2021\/03\/12-1.png\" alt=\"\" width=\"646\" height=\"122\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>We\u2019ll need to slacken our stranglehold a little if we want them to be able to do anything useful at all. 
We\u2019ll create some symbolic links from minnie\u2019s \u201cbin\u201d directory to the commands that we want minnie to be able to use.<\/p>\n<pre>sudo ln -s \/bin\/ls \/home\/minnie\/bin<\/pre>\n<pre>sudo ln -s \/bin\/top \/home\/minnie\/bin<\/pre>\n<pre>sudo ln -s \/bin\/uptime \/home\/minnie\/bin<\/pre>\n<pre>sudo ln -s \/bin\/pinky \/home\/minnie\/bin<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-718287\" src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2021\/03\/14-1.png\" alt=\"\" width=\"646\" height=\"132\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>When minnie next logs in, she\u2019ll find that she can use the Bash built-in commands, plus those commands that have been linked to.<\/p>\n<pre>ls<\/pre>\n<pre>pinky dave<\/pre>\n<pre>uptime<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-718289\" src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2021\/03\/15-1.png\" alt=\"\" width=\"646\" height=\"197\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<h2 id=\"commands\"><span class=\"ez-toc-section\" id=\"Restricting_Existing_Users\"><\/span>Restricting Existing Users<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>We created minnie as a new user. 
To <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/man7.org\/linux\/man-pages\/man8\/usermod.8.html\">change the shell of an existing<\/a> user, we can use the <code>-s<\/code> (shell) option of the <code>usermod<\/code> command.<\/p>\n<pre>sudo usermod -s \/bin\/rbash mary<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-718292 size-full\" src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2021\/03\/16-1.png\" alt=\"\" width=\"645\" height=\"55\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>You can use the <code>less<\/code> command on the \u201c\/etc\/passwd\u201d file to quickly see what shell is set as a user\u2019s default shell.<\/p>\n<pre>less \/etc\/passwd<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-718293\" src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2021\/03\/17-1.png\" alt=\"\" width=\"644\" height=\"55\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>We can see that user mary will use the restricted shell when she next logs in.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-718296\" src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2021\/03\/18-2.png\" alt=\"\" width=\"646\" height=\"382\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>Remember to apply the other changes as well: restrict mary\u2019s <code>$PATH<\/code> environment variable and set up the commands you want her to be able to execute.<\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"Restricting_Scripts\"><\/span>Restricting 
Scripts<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>A regular, unrestricted user can launch scripts that are executed in a restricted shell. Copy the following lines and paste them into an editor. Save the file as \u201crestricted.sh\u201d and close the editor.<\/p>\n<pre>#!\/bin\/bash\n\n# script starts in normal Bash shell\necho \"## In UNrestricted mode! ##\"\n\necho\necho \"Current directory: `pwd`\"\necho \"Changing directory\"\ncd \/usr\/share\necho \"Now in directory: `pwd`\"\necho \"Changing to home directory\"\ncd ~\necho \"Now in directory: `pwd`\"\n\n# Setting restricted mode (cannot be turned off again from within the script)\nset -r\n\necho\necho \"## In restricted mode! ##\"\n\necho\necho \"Current directory: `pwd`\"\necho \"Changing directory to \/home\/\"\n# cd is refused in restricted mode\ncd \/home\necho \"Still in directory: `pwd`\"\n\necho\necho \"Trying to start another shell\"\n# commands containing a slash are refused in restricted mode\n\/bin\/bash\n\necho\necho \"Trying to redirect command output\"\n# output redirection is refused, so my_files.txt is never created and cat fails too\nls -l $HOME &gt; my_files.txt\ncat my_files.txt\necho\n\nexit 0<\/pre>\n<p>We need to use the <code>chmod<\/code> command with the <code>+x<\/code> (execute) flag to make the script executable.<\/p>\n<pre>chmod +x restricted.sh<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-718315\" src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2021\/03\/20.png\" alt=\"\" width=\"646\" height=\"57\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>The first part of the script runs in a normal shell.<\/p>\n<pre>.\/restricted.sh<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-718316\" src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2021\/03\/21.png\" alt=\"\" width=\"646\" height=\"167\" 
onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>The second portion of the script\u2014the bit after the \u201cset -r\u201d line\u2014runs in a restricted shell.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-718317\" src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2021\/03\/22.png\" alt=\"\" width=\"642\" height=\"322\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>None of the attempted actions succeed in the restricted portion of the script.<\/p>\n<p>An entire script can be made to run in a restricted shell by adding <code>-r<\/code> to the shebang on the first line:<\/p>\n<pre>#!\/bin\/bash -r<\/pre>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"Remember_Houdini\"><\/span>Remember Houdini<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Restricted shells are useful, but not completely infallible. A sufficiently skilled user may be able to escape them. But when used judiciously, they are a useful way to establish a set of limitations for a particular account.<\/p>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/www.howtogeek.com\/718074\/how-to-use-restricted-shell-to-limit-what-a-linux-user-can-do\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#How to Use Restricted Shell to Limit What a Linux User Can Do&#8221; Fatmawati Achmad Zaenuri\/Shutterstock A restricted shell limits what a user account can do on Linux. A restricted user cannot change their directory, and you control which commands they have access to. Here\u2019s how to set up a restricted shell on Linux. 
Restricted&#8230;<\/p>\n","protected":false},"author":1,"featured_media":211325,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2019\/09\/stock-lede-linux-see-attribution.png?height=200p&trim=2,2,2,2","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-211324","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/211324","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=211324"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/211324\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/211325"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=211324"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=211324"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=211324"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}