Linux – Limit Exec Commands for Linux Users

centosexeclinuxuser-permissions

How can I limit the scope of executable commands a linux user can run?

For example, I only want user to be able to run the ls command and nothing else. If tried, for example to run cat, linux would throw an error or return null.

I've looked into the alias command to set a predefined list of custom commands, but this doesn't limit the user from running other commands. I actually would love to set alias commands then limit the scope to just those.

I've also looked into this documentation on confining users, but still unsure about how to go about it.

Scope: I'm using a service account to run ssh commands within our PHP app. I want to limit the commands for that service account to prevent a situation where someone injects commands into the ssh_exec(); – such as ls and inject | some command

I think I'll try this: https://github.com/ghantoos/lshell

Best Answer

You can also bind commands to specific ssh keys in the authorized keys file. 

from="host.com",command="/bin/ls" ssh-dss <SSH PUBLIC KEY>

What this does is restrict access to the account using a certain ssh public to only run a specific command from a specific host. See

man sshd

for more options.

Related Topic