Linux下通过受限bash创建指定权限的账号

在日常业务运维中，有时为了配合解决问题，需要给非运维人员开通系统账号，用于查询日志或代码。通常为了系统安全或避免不必要的误操作等目的，会将账号权限降至最低。下面介绍下在Linux下通过受限bash创建指定权限账号的操作记录：

[root@mq-server ~]# ln -s /bin/bash  /bin/rbash
[root@mq-server ~]# useradd -s /bin/rbash wangshibo
[root@mq-server ~]# passwd wangshibo
[root@mq-server ~]# mkdir /home/wangshibo/bin
[root@mq-server ~]# chown root. /home/wangshibo/.bash_profile 
[root@mq-server ~]# chmod 755 /home/wangshibo/.bash_profile
[root@mq-server ~]# vim /home/wangshibo/.bash_profile       //复制下面的内容覆盖原内容
# .bash_profile
 
# Get the aliases and functions
if [ -f ~/.bashrc ]; then
        . ~/.bashrc
fi
 
# User specific environment and startup programs
 
PATH=$HOME/bin
 
export PATH

[root@mq-server ~]# ln -s /bin/cat /home/wangshibo/bin/cat
[root@mq-server ~]# ll /home/wangshibo/
total 4
drwxr-xr-x 2 root root 4096 Nov 25 23:38 bin
[root@mq-server ~]# ll /home/wangshibo/bin/
total 0
lrwxrwxrwx 1 root root 8 Nov 25 23:12 cat -> /bin/cat

如上设置后，可以发现创建的wangshibo用户家目录下的文件权限是root.root，上面只设置了wangshibo用户的cat权限，并且只能cat查看wangshibo用户家目录/home/wangshibo下的文件。除了cat命令外。不能执行其他命令！

[wangshibo@mq-server ~]$ cat /var/log/messages
cat: /var/log/messages: Permission denied
[wangshibo@mq-server ~]$ ls
-rbash: /home/wangshibo/bin/ls: No such file or directory
[wangshibo@mq-server ~]$ touch test
-rbash: /home/wangshibo/bin/touch: No such file or directory

如果要想在其家目录下有其他命令的执行权，那么需要添加这些命令的软链接到/home/wangshibo/bin目录下（可以通过which命令查看二进制命令的全路径）

[root@mq-server ~]# ln -s /bin/ls /home/wangshibo/bin
[root@mq-server ~]# ln -s /bin/touch /home/wangshibo/bin
[root@mq-server ~]# ln -s /bin/mkdir /home/wangshibo/bin
[root@mq-server ~]# ln -s /usr/bin/vim /home/wangshibo/bin/
[root@mq-server ~]# ll /home/wangshibo/bin/
total 0
lrwxrwxrwx 1 root root  8 Nov 25 23:12 cat -> /bin/cat
lrwxrwxrwx 1 root root  7 Nov 25 23:44 ls -> /bin/ls
lrwxrwxrwx 1 root root 10 Nov 25 23:45 mkdir -> /bin/mkdir
lrwxrwxrwx 1 root root 10 Nov 25 23:44 touch -> /bin/touch
lrwxrwxrwx 1 root root 12 Nov 25 23:45 vim -> /usr/bin/vim

这样，wangshibo用户就拥有了上面加入的命令的执行权

[root@mq-server ~]# su - wangshibo
[wangshibo@mq-server ~]$ ls
bin
[wangshibo@mq-server ~]$ touch test
[wangshibo@mq-server ~]$ mkdir ops
[wangshibo@mq-server ~]$ vim test
[wangshibo@mq-server ~]$ cat test
dsfdsafsadf
[wangshibo@mq-server ~]$ rm -f test
-rbash: rm: command not found
[wangshibo@mq-server ~]$ ls /usr/
bin  etc  games  include  lib  lib64  libexec  local  sbin  share  src  tmp
[wangshibo@mq-server ~]$ cat /var/log/messages
cat: /var/log/messages: Permission denied