Open a Console Based Editor with limited access



I have a script that will be executed through SSH. My SSH server is configured to always trigger this script, so the user doesn't have access to the actual machine.

One of the features of this script is to edit a file. I wonder if there is a way to invoke Vim (or some other console-based editor) without allowing it to edit other files or to execute commands. I want Vim to be forced to edit only the file opened.

André Puel

Posted 2012-05-22T16:17:02.833

Reputation: 275

It sounds like there might be better solutions to your overall problem. Please state what problem you actually try to solve. – Daniel Beck – 2012-05-26T12:12:22.197

Like @DanielBeck says, there may be a better solution. See chroot. Check out my post. – nelaaro – 2012-05-30T07:34:23.350



I don't think that it's possible to limit Vim itself the way you want.

But you could limit all the rights of the user to only one specific file/directory. This way, he would never be able to read or write to any other file/directory. Be aware that your user should still be able to execute programs located elsewhere (/usr/bin/vim, for example).

A quick Google search will probably return dozens of tutorials. This tool might help: it allows you to set up a sort of sandbox on your server.


Posted 2012-05-22T16:17:02.833

Reputation: 19 227

Starting Vim with the -Z option disables the ability to run external commands. – Heptite – 2012-05-22T18:16:57.623

That's cool. It doesn't prevent :w /some/other/file, does it? – romainl – 2012-05-22T19:22:26.280

No, it only affects running external commands. – Heptite – 2012-05-22T20:38:12.773

Do you know if I can do that with another tool? – André Puel – 2012-05-22T20:51:54.040


Not using Vim, I can only suggest without testing:

  • Invoke Vim with the -Z parameter
  • Map the W command to a function that will save the current file and ignore the parameter
  • Disable the E command

Here is some more information to point the way:

Mapping keys in Vim - Tutorial
Vim: What is the difference between the remap, noremap, nnoremap and vnoremap
Vim documentation: map


Posted 2012-05-22T16:17:02.833

Reputation: 306 093


You could build a copy of vim for the specific user, and restrict the user to only the parts of the FS he needs access to - so only read/write privileges to that file, and no other groups added to his account. That should effectively restrict him to only those files.

Another possible thing to do would be to restrict the user to a chroot jail after doing the above - so he'd only see vim and that file.

Journeyman Geek

Posted 2012-05-22T16:17:02.833

Reputation: 119 122


Use Nano in restricted mode.

rnano is a restricted version of nano, which only edits specific files and doesn’t allow the user access to the filesystem or a command shell.

In restricted mode, nano will not:

  • read or write to any file not specified on the command line
  • read any nanorc files
  • allow suspending
  • allow a file to be appended to, prepended to, or saved under a different name
  • use backup files or spell checking

Jeremy W

Posted 2012-05-22T16:17:02.833

Reputation: 3 529


Not exactly what you're looking for, but rvim does some of what you want. Perhaps it's possible to do some tricks with chroot. I don't know.

It will not be possible to start shell commands, or suspend Vim.


Posted 2012-05-22T16:17:02.833

Reputation: 891

rvim is the same as "vim -Z", as commented before. – harrymc – 2012-05-26T10:16:30.330


My recommendation is to create a full chroot login environment for the users when they log in. This is similar to what Apple and OEM Android manufacturers do to their devices. This lets you create a specific environment for each user that logs in with limited privileges.

This way you can lock them down to only a specific section of available tools. Even if they have write access they will not be able to affect the root file system and anything running there, without some significant effort.

The following links will help you along the way.

Just like rooting or jailbreaking iPhone and Android devices requires sophisticated programming knowledge to exploit a privileged process, it is not very easy to do.

This tutorial for Ubuntu explains what a change root / chroot environment is and how to create it.


Posted 2012-05-22T16:17:02.833

Reputation: 9 321


You can just use any text editor you want and make a little wrapper script something like this:

# texteditor stands for whichever editor binary you choose
case "$1" in
  /an/acceptable.file|/another/file) texteditor "$1" ;;
  *) echo "you don't have permission to edit this file" ;;
esac

Set permissions accordingly.

(Note: This method can be used for many things and is common in cgi scripts)


Posted 2012-05-22T16:17:02.833

Reputation: 996
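A fuller version of this wrapper idea, combined with the rnano answer above, as an added example that is not code from any of the posts here: it is meant to be the account's SSH forced command, allow-lists exact paths, canonicalises the requested path so that `..` components or symlinks cannot alias an allowed name, and hands the file to rnano, which (unlike `vim -Z`) also refuses to save under another name. The sample path list, the `edit` keyword and the use of SSH_ORIGINAL_COMMAND are assumptions of the example.

```shell
#!/bin/sh
# Constructed example: SSH forced-command wrapper that only ever opens
# allow-listed files in rnano. ALLOWED_FILES is a space-separated list of
# absolute paths (assumed; paths must not contain spaces).
ALLOWED_FILES="${ALLOWED_FILES:-/srv/app/config.ini /srv/app/motd.txt}"

# Canonicalise a path so ".." and symlinks resolve to the real file.
canon() {
    realpath -- "$1" 2>/dev/null || readlink -f -- "$1"
}

# Return 0 if $1 names exactly one of the allowed files, 1 otherwise.
is_allowed() {
    arg=$1
    case "$arg" in
        -*|"") return 1 ;;      # reject empty or option-looking arguments
        /*) ;;                  # only absolute paths are considered
        *) return 1 ;;
    esac
    [ -f "$arg" ] || return 1   # only existing regular files are editable
    target=$(canon "$arg") || return 1
    for f in $ALLOWED_FILES; do # intentional word splitting of the list
        [ "$target" = "$(canon "$f")" ] && return 0
    done
    return 1
}

# Entry point: expects SSH_ORIGINAL_COMMAND like "edit /srv/app/config.ini".
main() {
    set -- $SSH_ORIGINAL_COMMAND
    if [ "$1" != "edit" ] || ! is_allowed "$2"; then
        echo "permission denied: only allow-listed files may be edited" >&2
        exit 1
    fi
    # rnano's restricted mode refuses :w-style saves to other names,
    # suspension and shell access, so the allow-list check holds inside too.
    exec rnano -- "$(canon "$2")"
}

if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    main
fi
```

Install it with `command="/usr/local/bin/edit-wrapper"` in the user's authorized_keys entry (or as the account's login shell), so the user never reaches a real shell.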