Creating a Restricted Environment
Created by Pete Nesbitt, pete@linux1.ca
October 27, 2003

This document is intended to be a guide for creating a very restricted user account that can be used for a number of different purposes. Its prime function is to allow access to a system by an untrusted user who needs to perform a specific, predefined task.

This is a bit of a hack to say the least and I know there are better ways, such as rbash, but there is some problem with rbash in Red Hat, so I used bash -r, and then a whole lot of lockdown.

Here is the file overview, with permissions listed afterwards.

The restricted user's home contains:

FILE 1: ".bashrc" (note, only one active line)

    # .bashrc

    # User specific aliases and functions

    # Source global definitions
    #if [ -f /etc/bashrc ]; then
    #    . /etc/bashrc
    #fi

    # Restricted shell
    set -r

FILE 2: ".bash_profile"

    # remove global environment
    # (note: this runs env with an empty environment and exits; it does not
    #  alter the login shell's own environment)
    /usr/bin/env -

    # set restricted PATH
    # (must happen before .bashrc turns on restricted mode, since a restricted
    #  shell refuses to set or unset PATH afterwards)
    PATH=/home/some_user/bin

    # local bashrc sets restricted shell
    # Get the aliases and functions
    if [ -f ~/.bashrc ]; then
        . ~/.bashrc
    fi

    # User specific environment and startup programs
    #PATH=$PATH:$HOME/bin

    export PATH
    unset USERNAME

FILE 3: ".bash_logout" (just clears the screen on exit)

    # ~/.bash_logout
    clear

Create a /home/some_user/bin directory and add to it:

    clear (copy of /usr/bin/clear)
    ssh   (copy of /usr/bin/ssh)

Create /home/some_user/.ssh and add to it:

    known_hosts - you should populate this with the host keys for the target system.

There may be some auto-generated files such as .kde or .gnome in the user's home dir; you can remove them if you like, but they will never be accessed.

FILE OWNERSHIP AND PERMISSIONS:

This is the most important step in creating the restricted environment. Here we remove the user's chance to add her own binaries or scripts. All files are to be owned by a different, non-privileged, non-login account such as "nobody". Use "chown -R nobody:nobody /home/some_user" to accomplish this.
Set the following permissions:

/home:
    dr-x--x--x 5 nobody nobody   4096 Oct 24 11:38 some_user

/home/some_user:
    -rw-r--r-- 1 nobody nobody     24 Oct 27 18:34 .bash_logout
    -rw-r--r-- 1 nobody nobody    318 Oct 27 18:33 .bash_profile
    -rw-r--r-- 1 nobody nobody    152 Oct 27 18:33 .bashrc
    dr-x--x--x 2 nobody nobody   4096 Sep 18 10:52 .ssh
    dr-x--x--x 2 nobody nobody   4096 Sep 18 10:17 bin

/home/some_user/.ssh:
    -r--r--r-- 1 nobody nobody    230 Sep 18 10:52 known_hosts

/home/some_user/bin:
    -r-x--x--x 1 nobody nobody   3348 Sep 18 10:17 clear
    -r-x--x--x 1 nobody nobody 219932 Sep 18 10:17 ssh

As you can see, we have created an environment where the restricted user cannot see what is available, cannot write, overwrite or erase files, nor can they upload anything. They cannot leave their home directory, not even to look in their bin. They can simply ssh out (or to localhost) and they can clear the screen (if all their attempts get too messy looking :)

This account is now a good candidate to use for a single-purpose task, say to ssh to a more guarded system. You may want to see my notes on restricting inbound SSH access to a single remote host.
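The lockdown above only holds while the modes, the owner, the contents of bin and the set -r line all stay as listed, so an added audit function (example code, not part of the original guide) is useful to re-run after any change: it takes the restricted home and the expected owner ("nobody" in the guide) and reports every deviation. It assumes GNU coreutils stat(1) for the "%a %U" format.

```shell
#!/bin/sh
# check_restricted_home HOME_DIR OWNER
# Prints one line per deviation from the layout in the guide and returns the
# number of deviations (0 means the home still matches the listing).
check_restricted_home() {
    home=$1
    owner=$2
    failures=0
    # path:mode pairs taken from the listing
    # (dr-x--x--x = 511, -rw-r--r-- = 644, -r--r--r-- = 444, -r-x--x--x = 511)
    for entry in .:511 .bash_logout:644 .bash_profile:644 .bashrc:644 \
                 .ssh:511 .ssh/known_hosts:444 bin:511 bin/clear:511 bin/ssh:511; do
        rel=${entry%%:*}
        want=${entry##*:}
        path=$home/$rel
        if [ ! -e "$path" ]; then
            echo "MISSING $rel"
            failures=$((failures + 1))
            continue
        fi
        have=$(stat -c '%a %U' "$path")
        if [ "$have" != "$want $owner" ]; then
            echo "BAD     $rel has '$have', want '$want $owner'"
            failures=$((failures + 1))
        fi
    done
    # anything in bin beyond the two copied binaries widens what the user can run
    for f in "$home"/bin/* "$home"/bin/.[!.]*; do
        [ -e "$f" ] || continue
        case ${f##*/} in
            clear|ssh) ;;
            *) echo "EXTRA   bin/${f##*/}"
               failures=$((failures + 1)) ;;
        esac
    done
    # without set -r in .bashrc the PATH and cd restrictions never take effect
    if ! grep -q '^[[:space:]]*set -r' "$home/.bashrc" 2>/dev/null; then
        echo "NO set -r in .bashrc"
        failures=$((failures + 1))
    fi
    return "$failures"
}
```

Run it as root so the directories with --x for others can be listed; a non-zero exit status means the printed lines need fixing before the account is handed out.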