1. Overview
Linux allows more than one user at a time to access a machine’s resources. As a system administrator, it’s important to understand the different techniques that are helpful in managing these users. One of these methods is restricting a user to a single directory, which helps improve the security of our system. For instance, we’re able to prevent certain users from accessing sensitive files, so that the users can’t accidentally delete them.
In this tutorial, we’ll discuss a useful method for restricting a user to a single directory. First, we’ll explore the concept of Linux shells. Next, we’ll understand what a restricted shell is. Finally, we’ll dive into setting up a restricted shell for an existing user and also for a new user upon creation.
2. Using a Restricted Shell
The Linux shell acts as the interface between the user and the operating system. To put it differently, it’s the command line interpreter that sends our instructions to the operating system.
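There are different types of shells like Bash, sh, etc., and we can use any of them in the restricted shell mode. This means that the shell enforces more restrictions than it does in its normal mode: a restricted Bash shell, for example, refuses to change directories with cd, to modify PATH, to run commands whose names contain a slash, and to redirect output. In this case, we’ll use Bash to demonstrate how it works.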
2.1. A Restricted Shell for an Existing User
First, let’s change the shell for an existing user francis to a restricted Bash shell:
$ sudo usermod -s /bin/rbash francis
Here, we use usermod, a command that allows an administrator to modify the properties of a user in Linux. Further, we add the -s option to instruct usermod to change the default shell for the user francis from Bash to a restricted Bash shell (rbash).
Next, we create the directory that francis will be restricted to:
$ sudo mkdir -p /home/francis/restricted
In the example above, we’ve used the mkdir command to create a directory named restricted. We notice that there are two parent directories defined, namely, home and francis respectively. To ensure these directories are also created in the process, we include the -p option.
Further, we’ll change the home directory for francis to the restricted directory:
$ sudo usermod -d /home/francis/restricted francis
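Now francis can only access this directory and its child directories after logging in. The -d option instructs usermod that we’re modifying the home directory property for the user. The confinement itself is enforced by rbash, which rejects cd, so it applies to what the user does through the shell; file permissions continue to govern everything else.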
2.2. A Restricted Shell for a New User
In this scenario, we’re creating a new user and configuring a restricted shell for them upon creation. To achieve this, we’ll work with the useradd command:
$ sudo useradd john -s /bin/rbash
The useradd command helps add a new user john to our system while the -s option allows us to define the default shell as the restricted Bash shell (rbash).
Next, let’s define the password for john with the help of the passwd command:
$ sudo passwd john
The passwd command allows us to set the password for our user.
Now, we create the directory that john will be confined to:
$ sudo mkdir -p /home/john/restricted
Here, the -p option creates any missing parent directories defined in the path.
Finally, we set the home directory for our user to the directory we created above:
$ sudo usermod -d /home/john/restricted john
So, the user john can only operate within the confines of the restricted directory.
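A post-setup check for both procedures above (sections 2.1 and 2.2), added here as an example and not part of the original tutorial: it confirms that an account record carries the rbash shell and the restricted home, and that restricted mode rejects cd, PATH changes, commands containing a slash, and output redirection. The passwd records are constructed samples, alice is a hypothetical unconfined account, and the function names are this example's own.

```bash
#!/bin/bash
# Added example: post-setup checks for the rbash configuration described above.

# Constructed passwd-format records: the tutorial's two users, plus a
# hypothetical account (alice) that still has an ordinary shell.
SAMPLE_PASSWD='francis:x:1001:1001::/home/francis/restricted:/bin/rbash
john:x:1002:1002::/home/john/restricted:/bin/rbash
alice:x:1003:1003::/home/alice:/bin/bash'

# account_is_confined USER EXPECTED_HOME [PASSWD_TEXT]
# Succeeds only if USER's login shell is rbash and the home is EXPECTED_HOME.
# Without PASSWD_TEXT, the live account database is read through getent.
account_is_confined() {
    user=$1 want_home=$2
    records=${3-$(getent passwd "$user")}
    printf '%s\n' "$records" | awk -F: -v u="$user" -v h="$want_home" '
        $1 == u { found = 1; ok = ($6 == h && $7 ~ /\/rbash$/) }
        END     { exit !(found && ok) }'
}

# rbash_blocks COMMAND
# Runs COMMAND under "bash -r" (the mode rbash starts in) inside an empty
# scratch directory and succeeds if the restricted shell refused it.
rbash_blocks() {
    scratch=$(mktemp -d) || return 2
    status=0
    ( cd "$scratch" && bash -r -c "$1" ) >/dev/null 2>&1 || status=$?
    rm -rf "$scratch"
    [ "$status" -ne 0 ]
}

# Print one PASS/FAIL line per account record and per restricted operation.
report() {
    for u in francis john alice; do
        if account_is_confined "$u" "/home/$u/restricted" "$SAMPLE_PASSWD"
        then echo "PASS $u: rbash shell and restricted home"
        else echo "FAIL $u: not confined"; fi
    done
    for c in 'cd /' 'PATH=/usr/local/bin' '/bin/ls' 'echo x > out.txt'; do
        if rbash_blocks "$c"; then echo "PASS restricted shell refused: $c"
        else echo "FAIL restricted shell allowed: $c"; fi
    done
}

report
```

To check a live system, call account_is_confined with only the user name and the expected home directory, so that the record comes from getent passwd.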
3. Conclusion
In this article, we explored what a restricted shell is and how to set it up for an existing user and a new user.
We also discussed the concept of a standard Linux shell. As a result, we were able to understand some commands useful for managing users as well as their information. Now, we’re able to restrict a user to one directory.