如何在 Linux 中限制用户命令 [英] How to limit user commands in Linux

问题描述

我在一个组中有一个用户:demo".

I have a user in a group: "demo".

我想设置这个用户只能运行 10 个命令的策略，例如 vim、nano、cd 等.

I want to set the policy that this user can run only 10 commands, like vim, nano, cd, etc.

或者，将策略设置为可以访问除 ssh 和 cat 命令之外的所有命令.

Or, set the policy to have access on all commands except ssh and cat commands.

推荐答案

有很多不同的方法可以实现这一目标.我将列出几种可能的解决方案之一.

There are lots of different ways that you could achieve this. I'm going to list one of several possible solutions.

我建议使用几个不同的保护层来防止用户运行他们不应该被允许访问的命令.这里的所有说明都假定用户有自己的 /home/[username] 目录，他们的 shell 是 /bin/bash，并且您希望他们使用他们登录系统时的 bash shell.

I would propose using several different layers of protection to prevent users from running the commands that they shouldn't be allowed to access. All of the directions here assume that users have their own /home/[username] directory, that their shell is /bin/bash, and that you would like them to use the bash shell when they log in to the system.

1. 将用户的 bash 更改为受限 bash 模式，以便他们无法更改目录(如果您的系统上没有受限 bash 模式，此链接 将帮助您并为您提供更多信息)chsh -s/bin/rbash [用户名]

1. Change the user's bash to restricted bash mode so that they can't change directories (if you don't have a restricted bash mode on your system, this link will help and give you more information) chsh -s /bin/rbash [username]

更改目录权限，以便只有用户可以编辑其主目录的内容

Change directory permissions so that only the user can edit the contents of their home directory

chmod 755/home/[用户名]

1. 删除用户的.bashrc文件

rm/home/[用户名]/.bashrc 此站点 提供了更多信息，说明为什么在这种情况下删除 .bashrc 可能是个好主意.

rm /home/[username]/.bashrc This site has more information as to why it might be a good idea to delete the .bashrc in this situation.

1. 创建一个 .bash_profile 并添加安全"您要禁用的所有命令的别名

1. Create a .bash_profile and add "safe" aliases for all the commands that you would like to disable

./bash_profile 文件示例

alias apt-get="printf ''"  
alias aptitude="printf ''"  
[...]  
alias vi="vi -Z" #this is vi's safe mode and shell commands won't be run from within vi
alias alias="printf ''"  

请查看bash 命令的完整列表 了解更多信息.您必须确保 alias alias="printf ''" 命令是列表中的最后一个命令，否则您将失去为所有这些命令设置别名的能力.

A please check the full list of bash commands for more information. You must make sure that the alias alias="printf ''" command is the last command on the list otherwise you lose your ability to alias all of those commands.

注意运行下面的命令将搜索系统上几乎所有可用的命令，并输出一个现成的文件，其中几乎所有可用的命令都预混了别名.[ 命令是 bash 中的 test 命令.因此，如果您在文件中看到，这不是错误.

Note Running the commands below will search for almost all the commands available on your system and output a ready made file will almost all available commands pre-aliased. The [ command is the test command in bash. So if you see that in the file, it is not an error.

#search /bin and /usr/bin for any commands that exist on our system
ls /bin -1 > commands_on_system.txt && ls /usr/bin -1 >> commands_on_system.txt

#format and save this information to a bash variable
IFS=$'
' GLOBIGNORE='*' command eval  'COMMANDS_ON_SYSTEM=($(cat ./commands_on_system.txt))'
IFS=$'
' COMMANDS_ON_SYSTEM=($(sort <<<"${COMMANDS_ON_SYSTEM[*]}"))
unset IFS

#save these commands in aliased format for easy usage
for linux_command in "${COMMANDS_ON_SYSTEM[@]}"
do :
   #you can change how this works to automatically
   #setup the command file for you 
   echo "alias ${linux_command}="printf ''"" >> ./startup_functions_for_beginners.sh
done

1. 通过将 vi 命令别名为受限模式来禁用 vi 中的 shell 命令
   语法是 alias vi="vi -Z"，但请参阅 此网站了解更多信息.

1. Disable shell commands in vi by aliasing the vi command to restricted mode
   The syntax is alias vi="vi -Z", but please see this site for more information.

将用户.bash_profile的所有权更改为root
chown root:root/home/[用户名]/.bash_profile

Change the ownership of the user's .bash_profile to root
chown root:root /home/[username]/.bash_profile

最后，移除用户.bash_profile
的写权限chmod 755/home/[用户名/.bash_profile]

现在，当用户登录时，他们将无法更改目录，所有您不希望他们使用的命令都将输出与用户按下 [ENTER]<相同的信息没有指定命令的/code> 键，并且您的 /bin/bash 函数保持不变.

Now when the users log in they won't be able to change directories, all of the commands that you don't want them to use will output the same information as if the user pressed the [ENTER] key with no command specified, and your /bin/bash functions stay intact.

根据您选择或不使用这种别名的功能，用户仍然可以绕过您实现的某些控件.但是，由于我们实施了一些安全缓冲区，因此用户确实必须了解计算机系统才能执行任何危险操作.

Depending on what functions you choose to or not to alias this way, users may still be able to circumvent some of the controls that you implemented. However, since we implemented a few safety buffers, the user would really have to know about computer systems to do any dangerous.

在相关说明和您可能需要考虑的事项上，如果您直接将这些别名放入每个用户的 .bash_profile 中，您将难以维护哪些函数应该和不应该别名，如果您需要更改任何内容的别名，则必须单独更改所有别名.此外，由于用户可以使用 vim 或 vi 来查看文件，他们可以看到他们的 .bash_profile 的内容并了解他们有哪些限制和没有.

On a related note and something that you might want to consider, if you directly place these aliases into each and every users' .bash_profile you would have difficulty maintaining which functions should and shouldn't be aliased, and if you need to change the alias on anything you would have to change all of them individually. Also, since users can use vim or vi to view files, they could see the contents of their .bash_profile and understand what restrictions they have and don't have.

我建议解决这个问题.

1. 将所有别名放在用户无法访问的目录中(在此处粘贴 .bash_profile 的内容)

/[path_to_file]/startup_functions_for_beginners.sh

1. 将别名获取到它们的 .bash_profile

改进的 ./bash_profile 文件示例

if [[ -f /[path_to_file]/startup_functions_for_beginners.sh ]]; then
    . /[path_to_file]/startup_functions_for_beginners.sh
fi

这应该会让您上路，但请记住，几乎总是有办法规避限制.

This should put you on your way, but remember that there are almost always ways to circumvent restrictions.

此外，请随意重新组合此答案中的信息以满足您的需求.这些绝对可以与许多其他限制相结合.

Also, feel free to remix the information in this answer to suit your needs. These can most definitely be combined with a number of other restrictions as well.

问:我需要用户能够访问 fg 和 bg，但我不希望他们能够访问 aptitude或 bash

Q: I need users to have access to fg and bg, but I don't want them to be able to access aptitude or bash

alias apt-get="printf ''"  #the user won't be able to run this  
alias aptitude="printf ''"  #the user won't be able to run this  
alias bash="printf ''"  #the user won't be able to run this  
#alias fg="printf ''" #this will run as a bash built-in  
#alias bg="printf ''" #you actually don't need to include these in your script  

根据这个 哈佛网站(不详尽)

List of common commands as per this Harvard Website (NOT EXHAUSTIVE)

当您将程序安装到 Linux 时，您可以使用的内容会发生变化.我建议您运行上面第 4 步中列出的命令，以帮助在安装后查找新命令.

As you install programs to Linux what you have available to you changes. I suggest that you run the commands listed above in step 4 to help find new commands after they have been installed.

编辑器要小心，因为有些编辑器允许在程序中执行 shell 命令

nano
emacs
pico
sed
vi
vim  

其他一切

exit
logout
passwd
rlogin
ssh
slogin
yppasswd
mail
mesg
pine
talk
write
as
awk
bc
cc
csh
dbx
f77
gdb
gprof
kill
ld
lex
lint
make
maple
math
nice
nohup
pc
perl
prof
python
sh
yacc
xcalc
apropos
find
info
man
whatis
whereis
cd
chmod
chown
chgrp
cmp
comm
cp
crypt
diff
file
grep
gzip
ln
ls
lsof
mkdir
mv
pwd
quota
rm
rmdir
stat
sync
sort
tar
tee
tr
umask
uncompress
uniq
wc
cat
fold
head
lpq
lpr
lprm
more
less
page
pr
tail
zcat
xv
gv
xpdf
ftp
rsync
scp
alias
chquota
chsh
clear
echo
pbm
popd
pushd
script
setenv
stty
netstat
rsh
ssh
bg
fg
jobs
^y
^z
clock
date
df
du
env
finger
history
last
lpq
manpath
printenv
ps
pwd
set
spend
stty
time
top
uptime
w
who
whois
whoami
gimp
xfig
xv
xvscan
xpaint
kpaint
mplayer
realplay
timidity
xmms
abiword
addbib
col
diction
diffmk
dvips
explain
grap
hyphen
ispell
latex
pdfelatex
latex2html
lookbib
macref
ndx
neqn
nroff
pic
psdit
ptx
refer
roffbib
sortbib
spell
ispell
style
tbl
tex
tpic
wget
grabmode
import
xdpyinfo
xkill
xlock
xterm
xwininfo
html2ps
latex2html
lynx
netscape
sitecopy
weblint

这篇关于如何在 Linux 中限制用户命令的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！