How to limit user commands in Linux


Question

I have a user in a group: "demo".

I want to set a policy so that these users can only run 10 commands, like "vim", "nano", "cd", etc.

Or, set a policy that gives access to all commands except "ssh" and "cat".

Thanks

Answer

There are lots of different ways that you could achieve this. I'm going to list one of several possible solutions.

I would propose using several different layers of protection to prevent users from running the commands that they shouldn't be allowed to access. All of the directions here assume that users have their own /home/[username] directory, that their shell is /bin/bash, and that you would like them to use the bash shell when they log in to the system.

1) Change directory permissions so that only the user can edit the contents of their home directory

chmod 755 /home/[username]

2) Delete the user's .bashrc file

rm /home/[username]/.bashrc

This site has more information as to why it might be a good idea to delete the .bashrc in this situation.

3) Create a .bash_profile and add "safe" aliases for all the commands that you would like to disable

Example .bash_profile:

alias apt-get="printf ''"   # the aliased command produces no output, as if Enter were pressed on an empty line
alias aptitude="printf ''"
[...]
alias vi="vi -Z"            # this is vi's restricted mode; shell commands won't be run from within vi
alias alias="printf ''"     # must be last: after this line no further aliases can be defined

Please check the full list of bash commands for more information. You must make sure that the alias alias="printf ''" command is the last command on the list, otherwise you lose your ability to alias all of those commands.

4) Disable shell commands in vi by aliasing the vi command to restricted mode
The syntax is alias vi="vi -Z", but please see this site for more information.

5) Change the ownership of the user's .bash_profile to root
chown root:root /home/[username]/.bash_profile

6) Remove write permissions on the user's .bash_profile
chmod 755 /home/[username]/.bash_profile

7) Finally, change the user's shell to restricted bash mode so that they can't change directories (if you don't have a restricted bash mode on your system, this link will help and give you more information)
chsh -s /bin/rbash [username]

Now when the users log in they won't be able to change directories, all of the commands that you don't want them to use will output the same information as if the user pressed the [ENTER] key with no command specified, and your /bin/bash functions stay intact.

Depending on what functions you choose to alias or not alias this way, users may still be able to circumvent some of the controls that you implemented. However, since we implemented a few safety buffers, the user would really have to know about computer systems to do anything dangerous.

On a related note, and something that you might want to consider: if you directly place these aliases into each and every user's .bash_profile, you would have difficulty maintaining which functions should and shouldn't be aliased, and if you need to change the alias on anything you would have to change all of them individually. Also, since users can use vim or vi to view files, they could see the contents of their .bash_profile and understand what restrictions they have and don't have.

To get around this I would suggest:

1) Putting all of the aliases in a directory not accessible by the users (paste the contents of the .bash_profile there)

/[path_to_file]/startup_functions_for_beginners.sh

2) Sourcing the aliases into their .bash_profile

Improved .bash_profile example:

# pull the administrator-maintained alias list in from a directory the user cannot read
if [[ -f /[path_to_file]/startup_functions_for_beginners.sh ]]; then
    . /[path_to_file]/startup_functions_for_beginners.sh
fi

This should put you on your way, but remember that there are almost always ways to circumvent restrictions.

Also, feel free to remix the information in this answer to suit your needs. These can most definitely be combined with a number of other restrictions as well.

Q: I need users to have access to fg and bg, but I don't want them to be able to access aptitude or bash

alias apt-get="printf ''"   # the user won't be able to run this
alias aptitude="printf ''"  # the user won't be able to run this
alias bash="printf ''"      # the user won't be able to run this
#alias fg="printf ''"       # fg runs as a bash built-in
#alias bg="printf ''"       # you actually don't need to include these in your script

List of common commands as per this Harvard website (NOT EXHAUSTIVE)

Editors should be used with care, because some of them allow shell commands to be executed from within the program:

nano
emacs
pico
sed
vi
vim  

Other

exit
logout
passwd
rlogin
ssh
slogin
yppasswd
mail
mesg
pine
talk
write
as
awk
bc
cc
csh
dbx
f77
gdb
gprof
kill
ld
lex
lint
make
maple
math
nice
nohup
pc
perl
prof
python
sh
yacc
xcalc
apropos
find
info
man
whatis
whereis
cd
chmod
chown
chgrp
cmp
comm
cp
crypt
diff
file
grep
gzip
ln
ls
lsof
mkdir
mv
pwd
quota
rm
rmdir
stat
sync
sort
tar
tee
tr
umask
uncompress
uniq
wc
cat
fold
head
lpq
lpr
lprm
more
less
page
pr
tail
zcat
xv
gv
xpdf
ftp
rsync
scp
alias
chquota
chsh
clear
echo
pbm
popd
pushd
script
setenv
stty
netstat
rsh
ssh
bg
fg
jobs
^y
^z
clock
date
df
du
env
finger
history
last
lpq
manpath
printenv
ps
pwd
set
spend
stty
time
top
uptime
w
who
whois
whoami
gimp
xfig
xv
xvscan
xpaint
kpaint
mplayer
realplay
timidity
xmms
abiword
addbib
col
diction
diffmk
dvips
explain
grap
hyphen
ispell
latex
pdfelatex
latex2html
lookbib
macref
ndx
neqn
nroff
pic
psdit
ptx
refer
roffbib
sortbib
spell
ispell
style
tbl
tex
tpic
wget
grabmode
import
xdpyinfo
xkill
xlock
xterm
xwininfo
html2ps
latex2html
lynx
netscape
sitecopy
weblint
