Allow a UNIX group access to only a single file through SSH


I would like to set up a group of UNIX users which only has access to one specific Python file via SSH. That is, they should not be able to run any other commands/programs or view any part of the file structure.

I've sort of accomplished this already by running the script on logon and disabling keyboard interrupts, but this is not ideal as users can still connect via WinSCP and browse the file structure. I have looked into setting up a jail which restricts users to a certain directory, but that seems like overkill for my purposes and would still allow them access to the shell. What is the most efficient/secure solution?

Edit with more details as requested: The script needs to be executed on the server because it frequently connects to and updates/reads a database also residing on the server. Users will be interacting with each other on the server via the script. I do not want to require users to download/install anything other than an SSH client, but I do want to restrict access to all parts of the server other than the script.

Ecliptica

Posted 2017-01-06T05:52:52.013

Reputation: 151

Welcome to Super User. If I understand correctly, you want users to be able to execute that script on your host machine. Can you please [edit] your question to clarify what the script is doing, e.g., does it make any permanent changes to the host machine, does it work with any information that should not be accessible to the users, or does it just work on its own? Also, why do you need this and cannot just let the users execute the script on their machine or similar? Right now, your question seems like an XY problem.

– Wrzlprmft – 2017-01-06T09:08:51.500

I've updated the question with more information. – Ecliptica – 2017-01-06T09:24:52.870


I have not done enough research to answer this question, but I feel that the limited shell lshell may be one of your solutions. https://linux.die.net/man/1/lshell

– Kenneth L – 2017-01-06T09:40:07.263

@KennethL I actually ended up going with your solution. Will update with an answer. – Ecliptica – 2017-01-06T18:50:08.327

Answers


My solution was to follow Kenneth's comment and set up lshell, which was pretty easy and quick to do.

  1. Run sudo apt install lshell to get lshell
  2. Create a UNIX group (e.g. sudo groupadd testgroup)
  3. Add necessary user(s) to your group (e.g. sudo usermod -a -G testgroup username)
  4. Also add the user(s) to the lshell group (e.g. sudo usermod -a -G lshell username)
  5. Edit /etc/lshell.conf with the desired configuration (see below)
  6. Set lshell as the default shell for the user(s) (e.g. chsh -s /usr/bin/lshell username)

With the below configuration, testuser can only run script.py after logging in through SSH. They can't connect with SCP/SFTP or browse the file structure through the shell.

[grp:testgroup]
login_script    : "python /some/path/script.py"
path            : "/some/path/"
forbidden       : ["ls", "echo", "cd"]
scp             : 0
sftp            : 0

Ecliptica

Posted 2017-01-06T05:52:52.013

Reputation: 151
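As an added check (written for this page, not code from the answer or from the lshell project), the POSIX shell script below parses one [grp:NAME] stanza of an lshell.conf-style file and fails when login_script is missing or scp/sftp are not set to 0, so the settings the answer depends on can be verified before users are given the shell. It assumes those settings are written explicitly in the group stanza rather than inherited from [default], and the sample config it writes is constructed for the demonstration.

```shell
# Added audit helper (not from the answer): check a [grp:NAME] stanza of an
# lshell.conf-style file for the settings the answer relies on. Assumption:
# settings must be explicit in the group stanza; [default] is not consulted.

# Print the non-empty lines of the [grp:$2] stanza of file $1.
lshell_stanza() {
  awk -v sect="[grp:$2]" '
    { sub(/[ \t\r]+$/, "") }               # drop trailing whitespace
    /^\[/ { insect = ($0 == sect); next }  # section header: is it ours?
    insect && NF { print }
  ' "$1"
}
# Read stanza text from stdin; print the value of key $1 (text after ':').
lshell_value() {
  awk -v key="$1" '
    $0 ~ ("^" key "[ \t]*:") { sub(/^[^:]*:[ \t]*/, ""); print; exit }
  '
}
# Return 0 only if group $2 in file $1 has a login_script and scp/sftp = 0.
check_lshell_group() {
  stanza=$(lshell_stanza "$1" "$2"); rc=0
  [ -n "$stanza" ] || { echo "no [grp:$2] stanza in $1"; return 1; }
  script=$(printf '%s\n' "$stanza" | lshell_value login_script)
  [ -n "$script" ] || { echo "$2: login_script is not set"; rc=1; }
  for k in scp sftp; do
    v=$(printf '%s\n' "$stanza" | lshell_value "$k")
    [ "$v" = 0 ] || { echo "$2: $k is '${v:-unset}', expected 0"; rc=1; }
  done
  return $rc
}
# Constructed sample config: the answer's stanza plus a weak one for contrast.
write_sample_conf() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
[grp:testgroup]
login_script    : "python /some/path/script.py"
scp             : 0
sftp            : 0

[grp:weakgroup]
login_script    : "python /some/path/script.py"
sftp            : 1
EOF
  echo "$f"
}

conf=$(write_sample_conf)
check_lshell_group "$conf" testgroup && echo "testgroup: hardened"
check_lshell_group "$conf" weakgroup || echo "weakgroup: NOT hardened"
```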

+1 for sharing the solution instead of silently disappearing with your problem solved. Way to go. – Kamil Maciorowski – 2017-01-06T19:40:56.150