disable bash

Hi,

Is there a way to disable bash shell only for specific users?

You can put them in the same group and change the environment .profile for that group.

But this does not prevent a user from calling bash inside his default shell or from a script.

For example, our user is test.

Add a group named bashxx

# groupadd bashxx

and add the user to the group

# usermod -G bashxx,test test

and mount with acl

# mount -o remount -o defaults,acl  /

and be sure that there is no permission on bash

# setfacl -m g:bashxx:0 `which bash`

and they must not download any source file about bash

# su - test
$ bash
-ksh: bash: cannot execute [Permission denied]

After that, the same process goes on for other users..

# usermod -G bashxx,test2 test2

and then again for other users...

Of course they should not download any source file about bash :rolleyes:

regards
ygemici


It is the other way round: ENable specific users for the shell:

  • create a group "bashusers"
  • remove read/write/execute-bit from $(which bash) for world, set execute- and read-bit for group
  • give group ownership of $(which bash) to group "bashusers"
  • put everybody allowed to use bash into this group

This way you have disabled the usage of bash for all users who are not members of "bashusers". Of course you can't effectively disable it for user "root".

I hope this helps.

bakunin

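The permission state that the group-ownership steps in the post above should leave behind can be verified with a small audit function. This is an added example, not part of any post in the thread; the function name `check_shell_lockdown` is hypothetical, and it assumes the POSIX `ls -l` field order (mode, links, owner, group).

```shell
# Added example (not from the thread): audit the group-based lockdown.
# Assumption: "ls -l" prints mode, links, owner, group in that order.
#
# check_shell_lockdown PATH GROUP
# returns 0 = locked down as described, 1 = finding(s), 2 = cannot inspect
check_shell_lockdown() {
    shell_path=$1
    want_group=$2
    status=0

    # -L resolves symlinks so the real binary is inspected, not the link.
    listing=$(ls -ldL -- "$shell_path" 2>/dev/null) || {
        echo "ERROR: cannot inspect $shell_path"
        return 2
    }

    mode=$(printf '%s\n' "$listing" | awk '{print $1}')
    group=$(printf '%s\n' "$listing" | awk '{print $4}')
    group_bits=$(printf '%s' "$mode" | cut -c5-7)
    other_bits=$(printf '%s' "$mode" | cut -c8-10)

    if [ "$group" != "$want_group" ]; then
        echo "FAIL: group owner is '$group', expected '$want_group'"
        status=1
    fi
    if [ "$group_bits" != "r-x" ]; then
        echo "FAIL: group bits are '$group_bits', expected 'r-x'"
        status=1
    fi
    if [ "$other_bits" != "---" ]; then
        echo "FAIL: world bits are '$other_bits', expected '---'"
        status=1
    fi
    # GNU ls appends '+' when an ACL is present; the mode bits alone
    # then do not describe the effective access.
    case $mode in
        *+) echo "NOTE: ACL present on $shell_path, review it separately" ;;
    esac

    [ "$status" -eq 0 ] && echo "OK: $shell_path limited to group $want_group"
    return "$status"
}
```

Run it as `check_shell_lockdown "$(which bash)" bashusers` after changing the permissions, and again after OS updates, since a package update can reset the mode and group of the binary.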

I managed it with AIX ACLs:

Help -
Thanks.

Thanks for writing a follow-up.

Still, I'd like to warn you to think twice about using ACLs: in my experience using ACLs is unnecessarily complicating the rights management process and in the long run it is better to stay away from using ACLs at all.

In most cases you can achieve your goals without ACLs and if this is possible you should go for it.

Just my 2 cents.

bakunin

I second what bakunin says about ACLs. I do not know an easy way to administer them so we were always looking for a way to leave them out.