Restricted Shell


Restricting User to Script

Let’s assume you have some users who should be able to run certain scripts. These scripts do various things: log in to some systems, perform a task, fetch data from an API, whatever you need. All of these actions need credentials, which must be available to the script even though they are not part of it. They could be provided via OS environment variables, a .env file, an encrypted password store or whatever. But if the script is able to read these credentials, a user logged in with a normal shell could read them as well.

I found a way to restrict a user's login shell to a single script. When the script ends, breaks or gets interrupted, the user is logged out immediately. Sounds nice? It does to me :)

Restricted Shell

cat <<'EOF'> /usr/local/bin/restricted_shell.sh
#!/usr/bin/env bash

# Count processes and append one timestamped line to output.log
# (the path is relative, so the file lands in the login directory, /home/support)
ps aux |wc -l |while IFS= read -r line; do echo "$(date +'%Y-%m-%d %H:%M:%S') $line"; done |tee -a output.log

# Log out the user as soon as the task is done: $PPID is the sshd session
# process that started this login shell. Without set -e this line runs
# whatever exit status the pipeline above returned.
kill -9 "$PPID"
EOF

chmod 755 /usr/local/bin/restricted_shell.sh

Update Profile

cat <<'EOF'>> /etc/profile

### Aliases to restrict / unrestrict the support user
### (>> appends; a single > would overwrite the existing /etc/profile)
alias support_restrict="usermod -s /usr/local/bin/restricted_shell.sh support"
alias support_unrestrict="usermod -s /bin/bash support"
EOF

Run source /etc/profile, or log out and back in, to make the aliases active. Both aliases call usermod, so they only work in a root shell.

Add Support User

This user gets the restricted shell.

adduser support

apply the restricted shell

root@yourbox:# support_restrict

test the restricted shell

user@planet:~> ssh support@restrictedserver
Linux 6.1.0-10-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.37-1 (2023-07-03) x86_64

Welcome to the Restricted Server

Last login: Thu Jul 20 21:30:57 2023 from 192.168.x.x
2023-07-20 21:47:39 10.88

Connection to 192.168.x.x closed by remote host.
user@planet:~> 

As you can see, the following line was built by the restricted shell and appended to output.log in the support user's home directory:

2023-07-20 21:47:39 10.88
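The script above does its job, but a few things are worth tightening before handing it to a real support user: the kill only runs if the script reaches its last line, the log goes to whatever the current directory is, and the arguments sshd passes are silently ignored rather than refused. That last point matters because for "ssh support@restrictedserver somecommand", for scp and for the sftp subsystem, sshd starts the login shell as "shell -c command"; a restricted shell that ever acted on those arguments would hand the user arbitrary command execution. The hardened variant below is an example I am adding here, not the page's own script. It keeps the page's user name (support) and install path, assumes a log file at /var/log/restricted_shell.log (my choice; create it and chown it to support), and assumes bash, ps and getent are present. The audit_passwd_line helper is also mine; it checks a line from getent passwd against the expected shell, so you can confirm what support_restrict did.

```shell
#!/bin/bash
# Hardened restricted login shell (added example, not the original page's script).
# Absolute interpreter path on purpose: "#!/usr/bin/env bash" resolves bash via PATH.
set -u

RESTRICTED_USER="support"                              # user name from the page
RESTRICTED_SHELL="/usr/local/bin/restricted_shell.sh"  # install path from the page
LOGFILE="${RESTRICTED_LOGFILE:-/var/log/restricted_shell.log}"  # assumed log path

# sshd starts an interactive login shell with no arguments. For
# "ssh user@host cmd", scp and the sftp subsystem it runs "$SHELL -c <cmd>".
# Allow only the argument-free case so nothing the client sends is executed.
invocation_allowed() {
    [ "$#" -eq 0 ]
}

# One log line in the page's format: "<YYYY-MM-DD HH:MM:SS> <count>".
# The timestamp can be passed in, which keeps the function deterministic.
format_line() {
    local count="$1" stamp="${2:-$(date +'%Y-%m-%d %H:%M:%S')}"
    printf '%s %s\n' "$stamp" "$count"
}

# Same measurement as the page's script: number of lines "ps aux" prints.
count_processes() {
    ps aux | wc -l | tr -d '[:space:]'
}

# Check that a passwd(5) line for RESTRICTED_USER points at RESTRICTED_SHELL.
# The line is an argument so it can be checked offline; on a live box run
#   audit_passwd_line "$(getent passwd "$RESTRICTED_USER")"
audit_passwd_line() {
    local line="$1" user shell
    user="${line%%:*}"
    shell="${line##*:}"
    [ "$user" = "$RESTRICTED_USER" ] && [ "$shell" = "$RESTRICTED_SHELL" ]
}

# The one task the support user is allowed to run.
run_task() {
    format_line "$(count_processes)" | tee -a "$LOGFILE"
}

main() {
    # Kill the sshd session process on every exit path (signal, failed
    # command, normal end), not only when the last line is reached.
    trap 'kill -9 "$PPID"' EXIT
    if ! invocation_allowed "$@"; then
        printf 'restricted shell: commands, scp and sftp are not permitted\n' >&2
        exit 1
    fi
    run_task
}

# Act as the login shell only when running as the restricted user. Anyone
# else (root checking the functions, a shell that sourced this file) just
# gets the functions defined, and the EXIT trap is never armed for them.
if [ "$(id -un)" = "$RESTRICTED_USER" ]; then
    main "$@"
fi
```

Install it like the original (root-owned, chmod 755, so support cannot edit what runs as their shell) and point support_restrict at it. Keep in mind that the login shell only governs what runs once the session is set up: TCP, agent and X11 forwarding are negotiated by sshd before the shell starts, so pair this with a Match User support block in sshd_config that sets AllowTcpForwarding no, AllowAgentForwarding no and X11Forwarding no. The kill of $PPID is belt and braces; the session also ends when the login shell exits.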

remove the restricted shell

support_unrestrict

Log in again

user@planet:~> ssh support@restrictedserver
Linux 6.1.0-10-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.37-1 (2023-07-03) x86_64

Welcome to the Restricted Server

Last login: Thu Jul 20 21:47:38 2023 from 192.168.x.x
support@restrictedserver:~$
support@restrictedserver:~$ pwd
/home/support
support@restrictedserver:~$ exit
logout
user@planet:~> 

Any Comments ?

sha256: 336d69a2e45a962d773ba7af2e0a3ab9004cb86c7a27be6fc15fc950125ba4b7