Home Command line utilities How To Limit User’s Access To The Linux System

How To Limit User’s Access To The Linux System

By sk
Published: Last Updated on 28.3K views

In this brief tutorial, we are going to learn what is Restricted shell and how to limit user's access to the Linux system using Restricted shell.


Picture this scenario.

You want to allow an user to do only certain tasks and execute certain commands. The user shouldn't change the environment variables/paths.

The user can't visit to the other directories except her/his home directory and can't switch to other users etc. The user can only be able to execute a few commands assigned by the system administrator. Is that possible? Yes! This is where Restricted Shell comes in help.

Restricted Shell is used to limit user's access to the Linux system. Once you put the users in restricted shell mode, they are allowed to execute only limited set of commands.

I tested this guide on CentOS 7 minimal server. However, It will work on most Unix-like distributions.

What is Restricted Shell?

First, let me clarify what exactly Restricted Shell is. It is not a separate shell like Bash, Korn Shell etc. If you start any existing shell using "rbash", "--restricted", "-r" options, then it will become Restricted shell. For instance, the Bourne shell can be started as a restricted shell with the command bsh -r, and the Korn shell with the command ksh -r.

The Restricted Shell will limit the users from executing most commands and from changing the current working directory. The Restricted Shell will impose the following restrictions to the users:

  • It will not allow you to execute cd command. So you can't go anywhere. You can simply stay in the current working directory.
  • It will not allow you to modify the values of $PATH, $SHELL, $BASH_ENV or $ENV environmental variables.
  • It will not allow you to execute a program that contains a /(slash) character. For example, you can't run /usr/bin/uname or ./uname command. You can however execute uname command. In other words, you are allowed to run the commands in the current path only.
  • You can't redirect the output using ‘>’, ‘>|’, ‘<>’, ‘>&’, ‘&>’, and ‘>>’ redirection operators.
  • It will not allow you to get out of the restricted shell mode within scripts.
  • It will not allow you to turn off restricted shell mode with ‘set +r’ or ‘set +o restricted’.

This can be very useful when a large number of users are using a shared system. So, If you want to allow the users to execute only specific commands, Restricted Shell is one way to do this.

Limit User's Access To The Linux System Using Restricted Shell

First, create a symlink called rbash from Bash as shown below. The following commands should be run as root user.

# ln -s /bin/bash /bin/rbash

Next, create an user called "ostechnix" with rbash as his/her default login shell.

# useradd ostechnix -s /bin/rbash

Set password to the new user.

# passwd ostechnix

Create a bin directory inside the home folder of the the new user.

# mkdir /home/ostechnix/bin

Now, we need to specify which commands the user can run.

Here, I am going to let the user to run only "ls", "mkdir", and "ping" commands. You can assign any commands of your choice.

To do so, run the following commands:

# ln -s /bin/ls /home/ostechnix/bin/ls
# ln -s /bin/mkdir /home/ostechnix/bin/mkdir
# ln -s /bin/ping /home/ostechnix/bin/ping

Now, you understand why we created the "bin" directory in the earlier step. The users can't run any commands except the above three commands.

Next, prevent the user from modifying .bash_profile.

# chown root. /home/ostechnix/.bash_profile
# chmod 755 /home/ostechnix/.bash_profile

Edit /home/ostechnix/.bash_profile file:

# vi /home/ostechnix/.bash_profile

Modify the PATH variable like below.

Modify PATH variable

Modify PATH variable

Press ESC key and type :wq to save and close the file.

Now when the user logs in, the restricted shell(rbash) will run as the default login shell and read the .bash_profile, which will set PATH to $HOME/bin so that the user will only be able to run the ls, mkdir and ping commands. The restricted shell will not allow the user to change PATH, and the permissions on .bash_profile will not allow the user to alter the environment to bypass the restrictions during the next login session.

Verifying Rbash

Now, log out from root user and log back in with the newly created user i.e ostechnix in our case.

Then, run some commands to check whether it works or not. For example, I want to clear the Terminal.

To do so, I ran:

$ clear

Sample output:

-rbash: clear: command not found

You can't use cd command to change to the different directory.

$ cd /root

Sample output:

-rbash: cd: restricted

You can't redirect the output using > operator either.

$ cat > file.txt

Sample output:

-rbash: file.txt: restricted: cannot redirect output
Limit User's Access To The Linux System Using Restricted Shell

Limit User's Access To The Linux System Using Restricted Shell

The user "ostechnix" is allowed to use only the commands assigned by you (the system admin, of course). In our case, the user can execute ls, mkdir and ping commands.

$ ls
$ mkdir ostechnix
$ ping -c 3 google.com
Restricted Shell in CentOS

Restricted Shell in CentOS

Apart from these three commands, the user can't perform anything. S/He is completely under your control.

Suggested read:

Allow new commands to users

If you want to assign more commands to a user, log out out from the current user and back in to the root user again and assign the commands as shown below.

For example, to allow the user (i.e. ostechnix) to execute rm command, run the following command as root user.

# ln -s /bin/rm /home/ostechnix/bin/rm

Now the user can able to use "rm" command.

For more details, refer the man pages in the link given below.

You May Also Like


Layne Bernardo January 21, 2018 - 5:36 pm

This is a very helpful article, and presents a much simpler way of providing the exact functionality I need than a chroot jail. Thanks!

sahil October 30, 2018 - 3:46 pm

I would like to allow user to use cd command

sk October 30, 2018 - 4:28 pm

It will not allow you to execute “cd” command. So you can’t go anywhere. You can simply stay in the current working directory. If you allow the “cd” command, what is the point of using Restricted Shell? The user can go anywhere and do whatever he wants. There won’t be any restriction.

Anyway, try the following and let me know if it works.

Run the following command to allow “cd” command:

# ln -s /bin/cd /home/ostechnix/bin/cd

Make sure you have created the “/home/ostechnix/bin” directory. Now, the user can able to use “cd” command.

sateesh December 31, 2018 - 1:03 pm

ln -s /bin/cd /home/ostechnix/bin/cd is not working

sk December 31, 2018 - 1:19 pm

Thanks for the update. It is the main goal of Rbash.

Davey November 20, 2018 - 2:34 pm

This is a really helpful article and exactly what I needed in a clear manner and thanks for that. But I have a question, if I wanted to allow users to run certain Python scripts from an alias stored in the /opt/ directory, how would I allow a user to run a command say

python3 /opt/application/script.py

or a custom alias for that?

sk November 20, 2018 - 3:23 pm

Create a “bin” directory inside the home folder of the the new user and move the script to bin directory. Please read the guide carefully. I have mentioned how to allow users to run new commands.

Arvind Kumar January 25, 2019 - 10:20 pm

How do I set for a perticular group.

Shozib Javed March 18, 2019 - 11:29 am

Very informative article; helped a lot. Thank you author.

Youssef Kanane May 2, 2019 - 7:35 pm

Hi ,

thx for this useful article .

for redhat distrib :

Modify the PATH variable like below.


Youssef Kanane May 2, 2019 - 8:14 pm

sorry ignore the above about path . it is working fine with PATH=$HOME/bin , it was rather /home/userx/bin directory permission issue . thanks again for this intuitive article .

actually I wanted this user to have the right to read some system logs like /var/log/messages , so have added sudo privileges (/etc/sudoers) to user group .
after doing so , the user was no more restricted to those commands … is their a way to have : root privileged user with restricted commands ?

Michael Motzkus June 17, 2019 - 9:48 pm

This is a very nice article … but using rbash (this way) is very dangerous. For two reaons:

1. The user’s /bin directory is writable. If the user can ssh into the system, he can easily copy other commands from remote to this directory and even preserve their executable privilege (scp -p).

2. It’s a chroot environment and it is very easy to break out of the rbash, even with such a simple program like vi / vim, which allows the user to change the shell. Allowing Python or other programming languages is even worst, it takes at most a minute to break out of this jail …

You should be very careful about, what programs you allow and know them very well. You should also remove the write privilege to the /bin directory.

Michael Motzkus June 17, 2019 - 10:54 pm

One correction: It’s not a chroot environment, but the problems remain the same.

Jalal January 19, 2020 - 10:08 am

Very nice article
Thanks a lot.

SET January 19, 2020 - 3:37 pm

‘Linux and freedom’ is being bashed here!

Marcos August 24, 2020 - 5:24 pm

Hi. Thank you for your time and the new info you shred with me. Sadly, even before I read the message posted by Michael Motzkus I tried scp and I, indireccly could access many files I wouldn’t like some users to access. Is there any way to solve his.

I’m trying thins with a server in a Raspberry Pi and the new user is my wife and of course is a trustworthy user (yes, I trust my wife, an old-school guy over here haha), though she isn’t keen on computers. She won’t go that far to do something like using scp command, but I wanted to experiment with the fact that, in a near future, I might grant certain access permission to some users in the future and I wanted to test the resistance of this method.

At this point you info is very useful, but I will find out more to get a very safe way to get this done for future untrusted users.

Have a good day.


Leave a Comment

* By using this form you agree with the storage and handling of your data by this website.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

This website uses cookies to improve your experience. By using this site, we will assume that you're OK with it. Accept Read More