
special-purpose user account


santanudas (Technical User, GB), Mar 18, 2002
Hi all,

I have a really tricky requirement. I need to create a special-purpose user account by giving it a shell which only allows the ‘sftp-server’ and a set of commands, namely ‘passwd’, ‘ls’ and ‘cd’ (ls & cd within the ~user directory only).

Initially, I replaced '/bin/bash' with '/usr/libexec/openssh/sftp-server' in ‘/etc/passwd’ for that particular user to run sftp-server ONLY. The trick is working, but I want the user to change his/her password from time to time and issue ‘ls’ and ‘cd’ to list ONLY the files inside his/her home directory. Now, as I changed the ‘/bin/bash’ part, if you do, say, 'ssh $user@abc.com' it's asking for the password and after the password it's not doing ANYthing (as expected). My second question is: instead of not doing anything, how can I print a message like "You are not allowed to use a shell" or something like that? Is it possible?

Thanks in advance!!!!
 

Ohhhh...I forgot to tell you guys that I'm using FC2 - if that helps.....
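One way to get the three pieces asked for above (sftp-server pass-through, a password-change command, and ls/cd confined to the home directory, with a deny message for anything else) is a small custom login shell. The script below is an added example written for this thread, not code from the original post or from OpenSSH. It assumes the sftp-server path given above (/usr/libexec/openssh/sftp-server), that sshd starts the sftp subsystem as `$SHELL -c <subsystem command>`, and a hypothetical install location of /usr/local/bin/restricted-sftp-shell; the deny message text is the one from the question.

```shell
#!/bin/sh
# restricted-sftp-shell: hypothetical login shell for an "sftp plus passwd" account.
# Added example for this thread, not from the original post. Install it (for
# example as /usr/local/bin/restricted-sftp-shell), add that path to /etc/shells,
# and set it as the user's shell in /etc/passwd instead of /bin/bash.

PATH=/bin:/usr/bin; export PATH          # do not trust an inherited PATH
set -f                                   # no globbing: "ls *" stays literal
SFTP_SERVER=/usr/libexec/openssh/sftp-server   # path quoted in the question
DENY_MSG="You are not allowed to use a shell"  # message quoted in the question

# within_home PATH: succeed only if PATH, with symlinks resolved, is $HOME or
# something below it. Directories are resolved with "cd -P"; for files the
# containing directory is resolved and the basename appended.
within_home() {
    home=$(cd -P -- "$HOME" 2>/dev/null && pwd -P) || return 1
    if [ -d "$1" ]; then
        target=$(cd -P -- "$1" 2>/dev/null && pwd -P) || return 1
    else
        dir=$(cd -P -- "$(dirname -- "$1")" 2>/dev/null && pwd -P) || return 1
        target=$dir/$(basename -- "$1")
    fi
    case "$target" in
        "$home"|"$home"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# run_command CMD [ARGS...]: allow passwd (own password only), cd and ls inside
# $HOME; refuse everything else with the deny message (exit status 127).
run_command() {
    [ $# -gt 0 ] || return 0
    cmd=$1; shift
    case "$cmd" in
        passwd)
            [ $# -eq 0 ] || { echo "passwd: no arguments allowed" >&2; return 1; }
            command passwd ;;
        cd)
            [ $# -le 1 ] || { echo "cd: too many arguments" >&2; return 1; }
            target=${1:-$HOME}
            within_home "$target" || { echo "cd: outside your home directory" >&2; return 1; }
            cd -P -- "$target" ;;
        ls)
            for a in "$@"; do
                case "$a" in
                    -l|-a|-la|-al) ;;            # the only options accepted
                    -*) echo "ls: option $a not allowed" >&2; return 1 ;;
                    *) within_home "$a" || { echo "ls: $a is outside your home directory" >&2; return 1; } ;;
                esac
            done
            command ls "$@" ;;
        *)
            echo "$DENY_MSG" >&2; return 127 ;;
    esac
}

# sshd starts the sftp subsystem as "$SHELL -c /usr/libexec/openssh/sftp-server"
# (the command string comes from sshd_config, not from the client). Pass exactly
# that through and refuse every other -c command (scp, "ssh host cmd", ...).
if [ "${1:-}" = "-c" ]; then
    [ "${2:-}" = "$SFTP_SERVER" ] && exec "$SFTP_SERVER"
    echo "$DENY_MSG" >&2
    exit 1
fi

# Interactive login (ssh user@host with a terminal): a tiny command loop.
if [ -t 0 ]; then
    cd -P -- "$HOME" || exit 1
    while printf '%s> ' "$(basename -- "$PWD")" && read -r line; do
        set -- $line                     # whitespace split only, no quoting
        case "${1:-}" in exit|logout) break ;; esac
        run_command "$@"
    done
    echo
fi
```

The shell only confines `cd` and `ls`; sftp-server itself still sees the whole filesystem the account can read, which is why the chroot patch mentioned in the reply below is the other half of the job. Symlinks inside the home directory that point elsewhere are resolved before the check, so `cd link-to-etc` is refused rather than followed.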
 
If you root/jail the user to their homedir within SFTP - see thread earlier this week on using a patch to do that - then you're almost all the way home. This would allow controlled access to their homedir plus ls and cd.

I'm not quite sure how you'd use a specific shell to ONLY allow the user to change passwd. I'll bet some smart person has stripped a bash shell for that purpose and you could rig up an ssh session for that user to accomplish it.

I just don't see how you can integrate these two without a lot of custom coding.

 

Many thanks, thedaver, for your comment. Could you please point me to the earlier thread that you mentioned?

And another question, maybe a stupid one: why do you think it's really difficult to use a specific shell to ‘ONLY allow the user to change password’? What did you actually mean – ONLY user or ONLY change password?
 
Earlier thread re: patching sftp to chroot user to homedir


On the comment about a shell, I meant that most shells are ready to run a multitude of commands, some available through the shell and most available through the path and local directory. I wasn't confident that any user could be confined to only having a shell to change passwords because I wasn't confident that such a shell exists... I may be proven wrong on this...

 

Many thanks, thedaver, for those links. Those are really very helpful. I have got other plans to do now with those.
Thanks again!!!!
 