Follow the steps below to create a user with restricted access to shell commands when the user logs in to the server. Here, user Jon will only be able to start the Apache web server. Each step has the instructions and the commands to be run from the command shell. It is required that you have fundamental knowledge of how to use the Linux OS. The steps below work on a Red Hat-based system as well as on Ubuntu; where Ubuntu commands differ from those on Red Hat systems, it is indicated.
1. Become root:
# sudo su -
2. Make a copy of bash to serve as the restricted user's login shell. Note that mbash is an unmodified copy of bash: the restriction comes entirely from the read-only PATH set in the profile below, which only governs lookup of commands given by bare name. If you need a shell that also refuses absolute paths and PATH changes, bash's restricted mode (rbash, or bash -r) provides that.
# cp /bin/bash /bin/mbash
3. Create user jon with mbash as the login shell:
# useradd -s /bin/mbash jon
4. Create the directory that will hold the only commands jon may run. Because it is created by root, jon cannot add entries to it:
# mkdir /home/jon/commands
5. Set a read-only PATH in jon's login profile so that only the commands directory is searched for programs. On a Red Hat-based server, make /home/jon/.bash_profile contain the following:
# cat /home/jon/.bash_profile
# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
    . ~/.bashrc
fi

# User specific environment and startup programs
# lock PATH to the commands directory; readonly prevents later changes in this shell
readonly PATH=$HOME/commands
export PATH
On an Ubuntu server, create /home/jon/.profile with the following content:
# ~/.profile: executed by the command interpreter for login shells.
# This file is not read by bash(1), if ~/.bash_profile or ~/.bash_login
# exists.
# see /usr/share/doc/bash/examples/startup-files for examples.
# the files are located in the bash-doc package.

# the default umask is set in /etc/profile; for setting the umask
# for ssh logins, install and configure the libpam-umask package.
#umask 022

# if running bash
if [ -n "$BASH_VERSION" ]; then
    # include .bashrc if it exists
    if [ -f "$HOME/.bashrc" ]; then
        . "$HOME/.bashrc"
    fi
fi

# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/bin" ] ; then
    PATH="$HOME/bin:$PATH"
fi

# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/.local/bin" ] ; then
    PATH="$HOME/.local/bin:$PATH"
fi

# lock PATH to the commands directory; readonly prevents later changes in this shell
readonly PATH=$HOME/commands
export PATH
6. Now let us make user jon able to start the Apache server. Create soft links in /home/jon/commands for the commands jon needs. You can add links for any other commands you want the user to have access to, but link only what the user genuinely needs, since every linked program widens what the user can do.
On a Red Hat-based server:
# ln -s /usr/sbin/service /home/jon/commands/
# ln -s /usr/bin/sudo /home/jon/commands/
# ll /home/jon/commands/
total 0
lrwxrwxrwx 1 root root 17 May 18 17:03 service -> /usr/sbin/service
lrwxrwxrwx 1 root root 13 May 18 17:03 sudo -> /usr/bin/sudo
On Ubuntu (the binaries live under /usr/sbin and /usr/bin; cd and pwd are shell builtins, so they need no link):
# ln -s /usr/sbin/service /home/jon/commands/
# ln -s /usr/bin/sudo /home/jon/commands/
# ln -s /usr/bin/nano /home/jon/commands/
# ln -s /usr/bin/vim /home/jon/commands/
# ll /home/jon/commands/
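As an added check that is not part of the original procedure, the POSIX shell function below audits a commands directory of this kind: it confirms the directory is owned by the expected account (root, so the restricted user cannot add links), that every entry is a symlink, and that every link resolves to a target on an allow-list. The function name, the OWNER argument and the sample paths are this example's own assumptions.

```shell
#!/bin/sh
# Audit a restricted user's command directory (the /home/jon/commands pattern).
# Checks: the directory is owned by OWNER, every entry is a symlink, and every
# resolved target is on the allow-list given as the remaining arguments.
# Exit status 0 means clean; anything unexpected is reported and gives 1.
# Usage: audit_commands_dir DIR OWNER /abs/target ...
#   e.g. audit_commands_dir /home/jon/commands root /usr/sbin/service /usr/bin/sudo
audit_commands_dir() {
    dir="$1"; owner="$2"; shift 2
    allowed=" $* "          # space-delimited so a match must be the whole path
    status=0
    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir is not a directory"; return 1
    fi
    # -prune stops find descending; $dir is printed only if its owner matches.
    if [ -z "$(find "$dir" -prune -user "$owner" 2>/dev/null)" ]; then
        echo "OWNER: $dir is not owned by $owner"; status=1
    fi
    # plain and dot-prefixed entries; an unmatched glob stays literal and is skipped
    for entry in "$dir"/* "$dir"/.[!.]* "$dir"/..?*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        name=${entry##*/}
        if [ ! -L "$entry" ]; then
            echo "NOT A LINK: $name"; status=1; continue
        fi
        target=$(readlink -f "$entry" 2>/dev/null || true)
        if [ -z "$target" ] || [ ! -e "$target" ]; then
            echo "DANGLING: $name"; status=1; continue
        fi
        case "$allowed" in
            *" $target "*) echo "ok: $name -> $target" ;;
            *) echo "NOT ALLOWED: $name -> $target"; status=1 ;;
        esac
    done
    return $status
}
```

Run it from cron or a configuration check after any change to the user's setup; a non-zero exit means the directory has drifted from the intended allow-list.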
7. Allow jon to use sudo. On Red Hat-based systems add jon to the wheel group; on Ubuntu the equivalent group is sudo:
# usermod -aG wheel jon
Membership in this group normally grants unrestricted sudo, so if jon should only manage Apache, a sudoers rule (edited with visudo) that permits just the service command for the web server is the tighter choice.
8. Make the profile immutable so that jon cannot edit it and change PATH (on Ubuntu, apply this to /home/jon/.profile):
# chattr +i /home/jon/.bash_profile
9. Set jon's password:
# passwd jon
10. Log in as Jon and check, start or stop the Apache service (httpd on Red Hat-based systems, apache2 on Ubuntu). The dash after su gives a login shell, which is what makes the profile, and so the PATH restriction, take effect:
# sudo su - jon
$ sudo service httpd status
$ sudo service httpd start
$ service httpd status
Here we learned how to create a user with restricted access to the shell. This is useful when creating accounts for, and granting access to, external people who may need access to your Linux server.