Possible to limit user's ability to execute predefined list of commands?

Possible to limit user's ability to execute predefined list of commands?

edited September 2012 in General

Was wondering if it was at all possible to limit a particular user to be able to only issue a predefined list of commands.

For example, I guess the simplest explanation of this would be setting up the user 'monitor' on your server. So when user 'monitor' logs in, the only commands that could be ran would htop, free -m, ps -aux, etc. Basically just basic commands that are used to monitor available resources or see bottlenecks and system health.

I'm asking, only because I think it would be good for staff that may not necessarily 'need' (or you do not want to give or trust with) full root access or the ability to issue commands that can actually change things on the system. Rather, this way they could just log in and view things as needed without the need of having some web based script showing these things.

I know how to give certain users full ROOT privileges, but I have no idea how to give a user just a very small list privileges of doing pretty much nothing other than checking some very basic things.

vpsBoard.com - Now with over 450 members! A friendly community with active discussion. Come join us!

IRC.FREENODE.NET #vpsBoard - Drop by and say, 'Hello'.

Comments

  • rajprakashrajprakash Member
    edited September 2012

    File permissions, user/group ownership, and command paths. A combination of those 3 will get you the desired result.

    Example : Create a /usr/rbin (restricted binaries), copy only those executables you want to, set the right permissions, groups, and paths.

    Remove /usr/bin/ and /usr/sbin from the desired path. Change permissions and ownership of those directories. Now those executable are not accessible by your restricted user.

    A caution is that there are plenty of executables in those /usr/bin/ and /usr/sbin directories that your user will need access to to simply to run the shell. So be careful what you do and don't give access to.

    Signatures are to identify who I am. I'm me. Who the hell are you?

    Thanked by 1[Deleted User]
  • You can also consider specifying allowed commands in ~/.ssh/authorized_keys, and/or /etc/sudoers.

    Thanked by 1[Deleted User]
  • lshell is what you're looking for

    Thanked by 1[Deleted User]
Sign In or Register to comment.