Restricting User to Script
Let's assume you have some users around who should be able to run certain scripts. These scripts do various things: log in to some systems, perform a task, get data from an API, whatever you want. All these actions need credentials which must be available to the script, although they are not part of the script. They could be provided via OS environment variables, a .env file, an encrypted password store or whatever. But if the script is able to access these credentials, a logged-in user could access them as well.
Found a possibility to restrict a user's shell to a script. And if the script ends, breaks or gets interrupted, the user will be logged out immediately. Sounds nice? It does for me :)
```bash
cat <<'EOF'> /usr/local/bin/restricted_shell.sh
#!/usr/bin/env bash
# Count processes, write a timestamped line to the log file
# (output.log is relative, so it ends up in the user's current directory, i.e. the home directory)
ps aux | wc -l | while IFS= read -r line; do
    echo "$(date +'%Y-%m-%d %H:%M:%S') $line"
done | tee -a output.log
# Log out the user immediately when the script exits (regardless of the exit status):
# the parent of the login shell is the sshd session process
kill -9 $PPID
EOF
chmod 755 /usr/local/bin/restricted_shell.sh
```
```bash
# Append to /etc/profile (">>" rather than ">", which would overwrite the system profile)
cat <<'EOF'>> /etc/profile
### Alias to restrict / unrestrict the support user
alias support_restrict="usermod -s /usr/local/bin/restricted_shell.sh support"
alias support_unrestrict="usermod -s /bin/bash support"
EOF
```
Run `source /etc/profile` or log out and back in to make the aliases active.
Add the support user; this user will get the restricted shell.
Apply the restricted shell:
```bash
support_restrict
```
Test the restricted shell:
```
user@planet:~> ssh support@restrictedserver
Linux 6.1.0-10-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.37-1 (2023-07-03) x86_64

Welcome to the Restricted Server
Last login: Thu Jul 20 21:30:57 2023 from 192.168.x.x
2023-07-20 21:47:39 10.88
Connection to 192.168.x.x closed by remote host.
user@planet:~>
```
As you can see, the following line was built by the restricted shell and written to output.log:
```
2023-07-20 21:47:39 10.88
```
Remove the restricted shell:
```bash
support_unrestrict
```
```
user@planet:~> ssh support@restrictedserver
Linux 6.1.0-10-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.37-1 (2023-07-03) x86_64

Welcome to the Restricted Server
Last login: Thu Jul 20 21:47:38 2023 from 192.168.x.x
support@restrictedserver:~$
support@restrictedserver:~$ pwd
/home/support
support@restrictedserver:~$ exit
logout
user@planet:~>
```
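As an added example (not the post's own script), here is a hardened variant of restricted_shell.sh. It assumes the log path comes from RESTRICTED_LOG (default /var/log/restricted_shell.log), refuses any command that sshd hands to the shell as "-c ..." (which is how `ssh support@host cmd` arrives), and terminates the session from an EXIT trap instead of only after the task, so an interrupted task still logs the user out; run_restricted_session and the other function names are this example's own.

```shell
#!/bin/sh
# Added example: a hardened variant of the post's restricted_shell.sh.
# Assumptions not taken from the post: absolute log path (RESTRICTED_LOG),
# "-c ..." arguments are refused, and logout happens from an EXIT trap.

LOGFILE="${RESTRICTED_LOG:-/var/log/restricted_shell.log}"

# Append one timestamped line to the log file $1 containing the value $2.
log_line() {
    printf '%s %s\n' "$(date +'%Y-%m-%d %H:%M:%S')" "$2" >> "$1"
}

# The task from the post: the number of lines "ps aux" prints.
count_processes() {
    ps aux 2>/dev/null | wc -l | tr -d ' '
}

# Succeeds only when no arguments were supplied. sshd runs a login shell
# as "shell -c cmd" for "ssh user@host cmd"; this shell must not execute cmd.
refuse_command_args() {
    [ "$#" -eq 0 ]
}

# $1 = pid to terminate when the session ends (sshd's session process,
# i.e. $PPID of the login shell), $2 = log file, remaining args = whatever
# sshd passed to the shell. Returns 1 when a command was refused.
run_restricted_session() {
    session_pid="$1"; logfile="$2"; shift 2
    # The pid is expanded now, so the trap still fires after the function returns,
    # on every exit path (normal end, error, signal that leads to shell exit).
    trap "kill -9 $session_pid 2>/dev/null" EXIT
    if ! refuse_command_args "$@"; then
        log_line "$logfile" "refused command: $*"
        return 1
    fi
    log_line "$logfile" "$(count_processes)"
}

# Act as the login shell only when invoked as restricted_shell.sh (sshd sets
# argv[0] to "-restricted_shell.sh" for a login shell), not when sourced.
case "$0" in
    *restricted_shell.sh) run_restricted_session "$PPID" "$LOGFILE" "$@" ;;
esac
```

With the real script the kill target is $PPID; the functions take the pid and log path as parameters so the behaviour can be checked against a throwaway process and a temporary file.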
Any comments?