Linux – How to execute with /bin/false shell

bashfastcgilinuxPHPshell

I am trying to setup per-user fastcgi scripts that will run each on a different port and with a different user. Here is example of my script:

#!/bin/bash
BIND=127.0.0.1:9001
USER=user
PHP_FCGI_CHILDREN=2
PHP_FCGI_MAX_REQUESTS=10000

etc…

However, if I add user with /bin/false (which I want, since this is about to be something like shared hosting and I don't want users to have shell access), the script is run under 1001, 1002 'user' which, as my Google searches showed, might be a security hole. My question is: Is it possible to allow user(s) to execute shell scripts but disable them so they cannot log in via SSH?

Best Answer

Use the DenyUsers or DenyGroups settings in sshd_config.

Related Solutions

Bash Scripting – How to Determine if a Bash Variable is Empty

This will return true if a variable is unset or set to the empty string ("").

if [ -z "${VAR}" ];

Linux – Running a Shell Script as a Different User

To run your script as another user as one command, run:

/bin/su -c "/path/to/backup_db.sh /tmp/test" - postgres

Breaking it down:
 /bin/su : switch user
 -c "/path/to..." : command to run
 - : option to su, make it a login session (source profile for the user)
 postgres : user to become

I recommend always using full paths in scripts like this - you can't always guarantee that you'll be in the right directory when you su (maybe someone changed the homedir on you, who knows). I also always use the full path to su (/bin/su) because I'm paranoid. It's possible someone can edit your path and cause you to use a compromised version of su.

Best Answer

Related Solutions

Bash Scripting – How to Determine if a Bash Variable is Empty

Linux – Running a Shell Script as a Different User

Related Topic