0

I have a situation where I want a user to be able to have rwx access to just one specific file, the command nano, /bin/bash and NOTHING ELSE. The user will be able to log in with ssh.

I followed the second answer from Victor Wong from this question: How to limit user commands in Linux to set up the thing with nano, but so far I couldn't manage to restrict the access to just this file.

With normal Linux permissions, the user will always be able to navigate to /etc and even read /etc/groups and more.

I tried these two commands:

setfacl -m u:myuser:0 / and then setfacl -m u:myuser:rwx /etc/network/interfaces

But then Linux tells me permission denied on /etc/network/interfaces, I guess because the restriction on / is prioritized or just comes first.

I did not try root jail since I read that you can still open other files with nano then. Am I right with that?

I googled for a couple of hours now and played around but couldn't find a solution yet. Can you guys help me or at least give me the buzzwords to google for / try out?

3 Answers

1

I ended up creating a chroot jail following the steps in this article:

https://www.tecmint.com/restrict-ssh-user-to-directory-using-chrooted-jail/

with creating a hard link to the file I needed the user to be able to edit. I also added nano to the available commands.

It works like a charm.

I also skipped the substep 14 to add ForceCommand internal-sftp to the sshd_config file, since I still need ssh.

In case someone runs across this post and wants to add nano:

You need to add /lib/terminfo with all its content to your /home/myuser/lib/ folder!
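The jail setup this answer describes (binaries plus their libraries, /lib/terminfo for nano, and a hard link to the one editable file) can be scripted as below. This is an added example, not part of the original answer or the linked article; the function names are hypothetical, and the paths in the final comment are the ones used on this page.

```shell
#!/bin/sh
# Added example (not from the original answer): populate a chroot jail.
# Function names are hypothetical; paths containing spaces are not handled.

# List the absolute paths of the shared objects a binary loads,
# including the dynamic loader, by parsing ldd output.
jail_libs() {
    ldd "$1" 2>/dev/null | grep -o '/[^ ]*' | sort -u
}

# Copy one file into the jail under the same absolute path.
jail_copy() {                       # jail_copy <jail> <abs-path>
    mkdir -p "$1$(dirname "$2")" && cp -L "$2" "$1$2"
}

# Install a binary together with every library it needs.
jail_add_binary() {                 # jail_add_binary <jail> <binary>
    jail_copy "$1" "$2" || return 1
    for lib in $(jail_libs "$2"); do
        jail_copy "$1" "$lib" || return 1
    done
}

# Hard-link the single editable file into the jail. ln fails if the jail
# is on a different filesystem from the file.
jail_link_file() {                  # jail_link_file <jail> <abs-file>
    mkdir -p "$1$(dirname "$2")" && ln "$2" "$1$2"
}

# Build the jail: binaries, terminfo for nano, then the linked file.
build_jail() {                      # build_jail <jail> <file> <binary>...
    jail=$1; file=$2; shift 2
    for bin in "$@"; do
        jail_add_binary "$jail" "$bin" || return 1
    done
    if [ -d /lib/terminfo ]; then   # nano needs the terminal database
        mkdir -p "$jail/lib" && cp -a /lib/terminfo "$jail/lib/" || return 1
    fi
    jail_link_file "$jail" "$file"
}

# As root, for the setup described in the answer:
#   build_jail /home/myuser /etc/network/interfaces /bin/bash "$(command -v nano)"
```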

0

Which user tried to run

setfacl -m u:myuser:0 / 
setfacl -m u:myuser:rwx /etc/network/interfaces

commands? Does /etc/network/interfaces belong to that user? Can you share the current getfacl command output? Please try to be more specific with users and operations.

By the way, for files, can you try using the -M option with setfacl, and do it with a privileged user like the owner of /etc/network/interfaces?

setfacl - u:myuser:rwx /etc/network/interfaces

You can try this.

Catastrophe
0

I would write a setuid C program using the relevant syscalls(2), compile it carefully (into a static executable), have that C code reviewed by colleagues, and make that executable the login shell (see chmod(1), execve(2), seteuid(2), credentials(7), shells(5), elf(5), passwd(5) and pam_shells(8)...) of that particular user.

Be careful when coding setuid executables (a bug would open a huge security hole). Read Advanced Linux Programming.

BTW, once your user is running /bin/bash, he is capable of doing everything. Maybe you want to permit only a restricted bash shell?

Basile Starynkevitch