This article covers creating an account with a restricted set of permissions by means of restricted bash (rbash) under Linux. The details are as follows.
In day-to-day operations and maintenance, it is sometimes necessary, in order to help resolve a problem, to open a system account for someone outside the operations team so that they can look at logs or code. For system security, and to avoid accidental misuse, such an account is normally given the minimum possible permissions. The following is a record of the steps for creating an account with a specified set of permissions through restricted bash under Linux:
[root@mq-server ~]# ln -s /bin/bash /bin/rbash
[root@mq-server ~]# useradd -s /bin/rbash wangshibo
[root@mq-server ~]# passwd wangshibo
[root@mq-server ~]# mkdir /home/wangshibo/bin
[root@mq-server ~]# chown root. /home/wangshibo/.bash_profile
[root@mq-server ~]# chmod 755 /home/wangshibo/.bash_profile
[root@mq-server ~]# vim /home/wangshibo/.bash_profile    // copy the following content over the original content
# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
    . ~/.bashrc
fi

# User specific environment and startup programs
PATH=$HOME/bin
export PATH

[root@mq-server ~]# ln -s /bin/cat /home/wangshibo/bin/cat
[root@mq-server ~]# ll /home/wangshibo/
total 4
drwxr-xr-x 2 root root 4096 Nov 25 23:38 bin
[root@mq-server ~]# ll /home/wangshibo/bin/
total 0
lrwxrwxrwx 1 root root 8 Nov 25 23:12 cat -> /bin/cat
After the above settings, the files in the newly created wangshibo user's home directory are owned by root.root. Only the cat command has been granted to the wangshibo user so far, so the user can use cat to view files under the home directory /home/wangshibo, and no command other than cat can be executed:
[wangshibo@mq-server ~]$ cat /var/log/messages
cat: /var/log/messages: Permission denied
[wangshibo@mq-server ~]$ ls
-rbash: /home/wangshibo/bin/ls: No such file or directory
[wangshibo@mq-server ~]$ touch test
-rbash: /home/wangshibo/bin/touch: No such file or directory
If the user is to be able to run other commands in the home directory, soft links to those commands must be added to the /home/wangshibo/bin directory (the which command shows the full path of a command's binary):
[root@mq-server ~]# ln -s /bin/ls /home/wangshibo/bin
[root@mq-server ~]# ln -s /bin/touch /home/wangshibo/bin
[root@mq-server ~]# ln -s /bin/mkdir /home/wangshibo/bin
[root@mq-server ~]# ln -s /usr/bin/vim /home/wangshibo/bin/
[root@mq-server ~]# ll /home/wangshibo/bin/
total 0
lrwxrwxrwx 1 root root  8 Nov 25 23:12 cat -> /bin/cat
lrwxrwxrwx 1 root root  7 Nov 25 23:44 ls -> /bin/ls
lrwxrwxrwx 1 root root 10 Nov 25 23:45 mkdir -> /bin/mkdir
lrwxrwxrwx 1 root root 10 Nov 25 23:44 touch -> /bin/touch
lrwxrwxrwx 1 root root 12 Nov 25 23:45 vim -> /usr/bin/vim
In this way, the wangshibo user gains the right to execute the commands added above, and nothing else:
[root@mq-server ~]# su - wangshibo
[wangshibo@mq-server ~]$ ls
bin
[wangshibo@mq-server ~]$ touch test
[wangshibo@mq-server ~]$ mkdir ops
[wangshibo@mq-server ~]$ vim test
[wangshibo@mq-server ~]$ cat test
dsfdsafsadf
[wangshibo@mq-server ~]$ rm -f test
-rbash: rm: command not found
[wangshibo@mq-server ~]$ ls /usr/
bin  etc  games  include  lib  lib64  libexec  local  sbin  share  src  tmp
[wangshibo@mq-server ~]$ cat /var/log/messages
cat: /var/log/messages: Permission denied
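The setup above can be scripted and re-checked later. The following POSIX shell example is added here and is not from the original article; the function names build_restricted_home, is_unwritable and audit_restricted_home are this example's own assumptions, and it only prepares the home directory layout (run it as root after useradd, since it does not create the user itself).

```shell
#!/bin/sh
# Added example (not from the original article): build and audit a restricted
# home directory laid out the way the article does it. Function names and the
# audit rules are assumptions of this example; run the build step as root.

# build_restricted_home HOME CMD...  : create HOME/bin with symlinks to each
# absolute command path and write a .bash_profile whose PATH is only $HOME/bin.
build_restricted_home() {
    home="$1"; shift
    mkdir -p "$home/bin" || return 1
    for cmd in "$@"; do
        case "$cmd" in /*) ;; *) echo "not absolute: $cmd" >&2; return 1 ;; esac
        [ -x "$cmd" ] || { echo "not executable: $cmd" >&2; return 1; }
        ln -sf "$cmd" "$home/bin/$(basename "$cmd")" || return 1
    done
    cat > "$home/.bash_profile" <<'EOF'
# .bash_profile
if [ -f ~/.bashrc ]; then
    . ~/.bashrc
fi
PATH=$HOME/bin
export PATH
EOF
    # no write bits at all: the user must not be able to widen PATH or add links
    chmod 555 "$home/.bash_profile" "$home/bin"
}

# is_unwritable PATH : true when no owner/group/other write bit is set
# (parses ls -ld rather than using -w, which is always true when running as root)
is_unwritable() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ??-??-??-?) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_restricted_home HOME : returns 0 if the layout is still restricted, 1 otherwise
audit_restricted_home() {
    home="$1"; rc=0
    grep -qxF 'PATH=$HOME/bin' "$home/.bash_profile" || { echo "PATH is not limited to \$HOME/bin"; rc=1; }
    is_unwritable "$home/.bash_profile" || { echo ".bash_profile is writable"; rc=1; }
    is_unwritable "$home/bin" || { echo "bin/ is writable"; rc=1; }
    if [ -e "$home/.bashrc" ] && ! is_unwritable "$home/.bashrc"; then
        echo ".bashrc is writable (it is sourced before rbash enforces its restrictions)"; rc=1
    fi
    for f in "$home"/bin/*; do   # every entry must be an approved symlink, not a dropped-in binary
        [ -L "$f" ] || [ ! -e "$f" ] || { echo "$f is a real file, not a symlink"; rc=1; }
    done
    return $rc
}
```

The audit flags a user-writable .bashrc because rbash reads the startup files before enforcing its restrictions. Any allowed command that can itself launch other programs (an editor such as vim, for instance) lets the user step outside the restriction, so the allow-list deserves the same review as the file permissions.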
The above is the detailed content of using restricted bash to create an account with specified permissions under Linux.