Restricted Shell Environments
Keep your users from shooting themselves (and you) in the foot.
Sometimes a
sandboxed
environment
[Hack #10]
is overkill for your needs. If you want to set up a restricted
environment for a group of users that only allows them to run a few
particular commands, you’ll have to duplicate all of
the libraries and binaries for those commands for each user. This is
where restricted shells come in handy. Many shells include such a
feature, which is usually invoked by running the shell with the
-r switch. While not as secure as a system
call-based sandbox environment, it can work well if you trust your
users not to be malicious, but worry that some might be curious to an
unhealthy degree.
Some common features of restricted shells are the ability to prevent a program from changing directories, to only allow the execution of commands using absolute pathnames, and to prohibit executing commands in other subdirectories. In addition to these restrictions, all of the command-line redirection operators are disabled. With these features, restricting the commands a user can execute is as simple as picking and choosing which commands should be available and making symbolic links to them inside the user’s home directory. If a sequence of commands needs to be executed, you can also create shell scripts owned by another user. These scripts will execute in a nonrestricted environment and can’t be edited within the environment by the user.
Let’s try running a restricted ...