restricted shell

Don Quixote de la Mancha quixote at dulcineatech.com
Sun Oct 16 13:06:39 UTC 2011


On Sun, Oct 16, 2011 at 5:53 AM, Tim <ignored_mailbox at yahoo.com.au> wrote:
> On Sun, 2011-10-16 at 14:17 +0530, Benjamin wrote:
>> I want to allow specific commands only to my local admin, means he
>> can use only commands which I allowed for him. No more commands or any
>> other bash facility he can't use.
>
> You can look into "chroot"ing, where the other person has a different
> root directory, and all the sub-directories, and you copy the commands
> that they're allowed to use into their directory tree.

Chroot is great for securing certain kinds of things, but if the
intended user is an administrator, he won't be able to administer any
of the files outside of his chroot jail.

I'm pretty sure bash doesn't provide a facility like this, but there
should be a different shell that does.

A simple hack that would work for any shell would be to remove the
"others execute" permission from all of your executable programs,
other than the commands you want him to be able to use.  You will also
need to place him in his own group.

chmod o-x

will do it.

But some daemons run as unprivileged users, either their own username
or as "nobody".  You will need these daemons to be in a group that can
run the commands.

Wholesale alteration of executable permissions could break your system
in a big way, though.  The permissions might get reset by software
updates.  It's probably best to keep looking for a shell that does
what you really need.

-- 
Don Quixote de la Mancha
Dulcinea Technologies Corporation
Software of Elegance and Beauty
http://www.dulcineatech.com
quixote at dulcineatech.com
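
The permission change discussed in the message above, as an added example that is not part of the original post: a dry-run planner that prints the `chmod o-x` commands a directory would need, without changing any mode, so the list can be reviewed before anything is touched. The function names `plan_restrict` and `demo` and the sandbox contents are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: dry-run planner for the "remove others-execute" idea.
# It only prints the chmod commands; it never changes a mode itself.

# plan_restrict DIR ALLOWED_NAME...
# Prints "chmod o-x PATH" for every regular file in DIR whose
# others-execute bit is set and whose name is not on the allow list.
plan_restrict() (
    dir=$1
    shift
    for path in "$dir"/*; do
        # Skip symlinks, directories and anything that is not a regular file.
        if [ -L "$path" ] || [ ! -f "$path" ]; then continue; fi
        # find prints the path only when mode bit 0001 (others execute) is set.
        if [ -z "$(find "$path" -prune -perm -0001)" ]; then continue; fi
        name=${path##*/}
        keep=no
        for allowed in "$@"; do
            if [ "$name" = "$allowed" ]; then keep=yes; fi
        done
        if [ "$keep" = no ]; then printf 'chmod o-x %s\n' "$path"; fi
    done
)

# Constructed sandbox standing in for a real bin directory (assumption).
demo() (
    sandbox=$(mktemp -d) || exit 1
    for name in cat ls rm; do
        printf '#!/bin/sh\n' > "$sandbox/$name"
        chmod 755 "$sandbox/$name"
    done
    plan_restrict "$sandbox" cat ls
    rm -rf "$sandbox"
)

demo
```

Files that already lack the others-execute bit are left out of the plan, so the output is exactly the set of modes that would change.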

