Você pode forçar o usuário a usar um shell restrito .
Opção nº 1 - Como configurar a conta de usuário para usar um Shell restrito (rssh)
Opção # 2 - Aqui é uma descrição feita pelo RedHat como fazer isso em RHEL
Disclaimer : This is just a hack, not recommended for Actual Production Use
The normal user has been given permission to execute some commands which are available in /bin/ and /usr/local/bin/, So to remove those permissions and to restrict the user to run only particular set of commands, following steps shall be useful.
Create the restricted shell.
# cp /bin/bash /bin/rbashModify the target user for the shell as restricted shell
While creating user:
# useradd -s /bin/rbash localuserFor existing user:
# usermod -s /bin/rbash localuserFor more detailed information on this, please check the KBase Article 8349
Then the user localuser is chrooted and can't access the links outside his home directory /home/localuser
Create a directory under /home/localuser/, e.g. programs
# mkdir /home/localuser/programsNow if you check, the user localuser can access all commands which he/she has allowed to execute. These commands are taken from the environmental PATH variable which is set in /home/localuser/.bash_profile. Modify it as follows.
# cat /home/localuser/.bash_profile # .bash_profile # Get the aliases and functions if [ -f ~/.bashrc ]; then . ~/.bashrc fi # User specific environment and startup programs PATH=$HOME/programs export PATHHere the PATH variable is set to ~/programs directory, as /usr/local/bin is binded to /home/username/bin and /bin is binded to /home/username/bin so replacing that.
Now after logging with the username localuser, user cant run a simple command too. The output will be like this,
[localuser@example ~]$ ls -rbash: ls: command not found [localuser@example ~]$ less file1 -rbash: less: command not found [localuser@example ~]$ clear -rbash: clear: command not found [localuser@example ~]$ date -rbash: date: command not found [localuser@example ~]$ ping redhat.com -rbash: ping: command not foundNow create the softlinks of commands which are required for user localuser to execute in the directory /home/localuser/programs
# ln -s /bin/date /home/localuser/programs/ # ln -s /bin/ls /home/localuser/programs/ # ll /home/localuser/programs/ total 8 lrwxrwxrwx 1 root root 9 Oct 17 15:53 date -> /bin/date lrwxrwxrwx 1 root root 7 Oct 17 15:43 ls -> /bin/lsHere examples of date and ls commands has been taken
Again login with user localuser and try to execute the commands.
[localuser@example ~]$ date Mon Oct 17 15:55:45 IST 2011 [localuser@example ~]$ ls file1 file10 file2 file3 file4 file5 file6 file7 file8 file9 programs [localuser@example ~]$ clear -rbash: clear: command not foundOne more step can be added to restrict the user for making any modifications in their .bash_profile , as users can change it.
Run the following command to make the user localuser's .bash_profile file as immutable so that root/localuser can't modify it until root removes immutable permission from it.
# chattr +i /home/localuser/.bash_profileTo remove immutable tag,
# chattr -i /home/localuser/.bash_profileMake file .bash_profile as immutable so that user localuser can't change the environmental paths.