Linux Systems Administration

How to Create a Restricted User in Linux

Damian Igbe, Phd
Aug. 11, 2022, 2:58 p.m.

Subscribe to Newsletter

Be first to know about new blogs, training offers, and company news.

How to Create a Restricted User in Linux

Follow the steps below to create a user with restricted acccess to shell commands when the user logins to the server. Here, user Jon  will only be able to start the Apache webserver. The steps are detailed below. Each step has the instructions and the commands to be performed from the command shell. It is requierd that you have the fundamental knowldge of how to use the Linux OS. The steps below will work on a redhat-based system as well as Ubuntu. Where Ubuntu commands differ from that of Redhat systems, it is indicated so.

  1. Become root and copy the default bash to a different file to be used by the user.
          #sudo su -
          #cp /bin/bash /bin/mbash
  1. Create the user that you want to restrict on the shell. Here we will create a user ‘jon’ with the restricted shell. When user jon login, he cannot access anything outside his home directory.
          # useradd -s /bin/mbash jon
  1. We will restict user Jon to a directory where he can only run commands from that directory. Let us create the directory. Create a directory called ‘commands’ under /home/jon/. Note that the directory can be any name, name does not matter.
          # mkdir /home/jon/commands
  1. Modify user jon’s bash profile so that he cannot access any commands except that given to him in command directory. Use vi or nano editors to open the file/home/jon/.bash_profile and change the PATH to look like the orange colour below:

On Redhat-based server:

          # cat /home/jon/.bash_profile 
        # .bash_profile 
         # Get the aliases and functions 
                if [ -f ~/.bashrc ]; then 
                    . ~/.bashrc 
                fi 
       # User specific environment and startup programs 
               readonly PATH=$HOME/commands 
                  export PATH

On ubuntu server, you need to create a .profile file with the following content at /home/jon/.profile

# ~/.profile: executed by the command interpreter for login shells.
# This file is not read by bash(1), if ~/.bash_profile or ~/.bash_login
# exists.
# see /usr/share/doc/bash/examples/startup-files for examples.
# the files are located in the bash-doc package.
# the default umask is set in /etc/profile; for setting the umask
# for ssh logins, install and configure the libpam-umask package.
#umask 022
# if running bash
if [ -n "$BASH_VERSION" ]; then
   # include .bashrc if it exists
   if [ -f "$HOME/.bashrc" ]; then
           . "$HOME/.bashrc"
   fi
fi

# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/bin" ] ; then
   PATH="$HOME/bin:$PATH"
fi

# set PATH so it includes user's private bin if it exists

if [ -d "$HOME/.local/bin" ] ; then
   PATH="$HOME/.local/bin:$PATH"
fi
readonly PATH=$HOME/commands
export PATH
  1. At this point user jon will be able to login with the username jon, but he won’t be able to run any command

     6. Let us now make user jon to be able to start the Apache server. Let us create softlinks which are required for user jon to execute commands in the directory /home/jon/commands. You can add any other commands you want the user to have access to.

On Redhat-based server:

# ln -s /usr/sbin/service /home/jon/commands/

# ln -s /usr/bin/sudo /home/jon/commands/

# ll /home/jon/commands/ 

total 0

lrwxrwxrwx 1 root root 17 May 18 17:03 service -> /usr/sbin/service

lrwxrwxrwx 1 root root 13 May 18 17:03 sudo -> /usr/bin/sudo

On Ubuntu:

# ln -s /usr/service /home/jon/commands/

# ln -s /usr/sudo /home/jon/commands/

# ln -s /usr/nano /home/jon/commands/

# ln -s /usr/vim /home/jon/commands/

# ln -s /usr/cd /home/jon/commands/

ln -s /usr/pwd /home/jon/commands/

# ll /home/jon/commands/ 

  1. Now add user jon to the sudoer group
 usermod -aG wheel jon
  1. Finally, restrict the user from making any modifications in their .bash_profile.
# chattr +i /home/jon/.bash_profile
  1. login as user jon and test that user jon can stop and start the Apache httpd daemon. But ensure to first create a password for user jon as follows:

Change password:

# passwd jon

Login as Jon and start/stop/status httpd:

# sudo su jon

# sudo servive httpd status

# sudo service httpd start

# servive httpd status

 

Conclusion

Here we learned how to create a user with restricted access to the shell. This is useful when creating and granting ccess to different external people that may need access top your  Linux server.

 

Zero-to-Hero Program: We Train and Mentor you to land your first Tech role