On Thu, Jun 05, 2003 at 03:41:20PM +0800, Marc Chan wrote: > Dear All, > > Can I restrict my users with shell accounts to access only specific > commands? > > example : user 1 can only access cp, rm, mv while > user 2 can access cp, rm, mv, pico and wget > and all other command are disabled.
I started hacking on a shell one time called "rash" (Restricted Access Shell). The whole point of rash was that it would chroot to the user's home directory (which they didn't own) when started, and only run binaries from a bin directory under their home directory (which they couldn't write to). When the user typed a command, any leading path was stripped and the path forced to /bin, so they couldn't run commands from elsewhere. To save space on the system, I used busybox for the binaries. I removed all process accounting type commands, and disabled job control. They could login, deal with files, and that was it. I also created an scp so that they could move files. I haven't played with it for a long time. However, a friend is doing something similar using Subterfuge. I highly recommend that you look at it, it allows even more stringent control. Unfortunately, it uses Python, but it basically allows you to plug into syscalls. It would likely do what you need. Michael -- Michael Darrin Chaney [EMAIL PROTECTED] http://www.michaelchaney.com/ -- Philippine Linux Users' Group (PLUG) Mailing List [EMAIL PROTECTED] (#PLUG @ irc.free.net.ph) Official Website: http://plug.linux.org.ph Searchable Archives: http://marc.free.net.ph . To leave, go to http://lists.q-linux.com/mailman/listinfo/plug . Are you a Linux newbie? To join the newbie list, go to http://lists.q-linux.com/mailman/listinfo/ph-linux-newbie
