Allow a UNIX group access to only a single file through SSH

Solution 1:

My solution was to follow Kenneth's comment and set up lshell, which was pretty easy and quick to do.

  1. Run sudo apt install lshell to get lshell
  2. Create a UNIX group (e.g. sudo groupadd testgroup)
  3. Add necessary user(s) to your group (e.g. sudo usermod -a -G testgroup username)
  4. Also add the user(s) to the lshell group (e.g. sudo usermod -a -G lshell username)
  5. Edit /etc/lshell.conf with the desired configuration (see below)
  6. Set lshell as the default shell for the user(s) (e.g. chsh -s /usr/bin/lshell username)

With the below configuration, testuser can only run script.py after logging in through SSH. They can't connect with SCP/SFTP or browse the file structure through the shell.

[grp:testgroup]
login_script    : "python /some/path/script.py"
path            : "/some/path/"
forbidden       : ["ls", "echo", "cd"]
scp             : 0
sftp            : 0
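To check that a configuration like the one above actually confines the group the way the answer describes (a login_script is set, and both scp and sftp are switched off for that group, not just in [default]), here is a small audit script. It is an added example, not part of the original answer or of the lshell project; the config it parses is a constructed copy of the answer's section plus a hypothetical [default] section, and the function names (lshell_section, lshell_get, audit_group) are my own.

```shell
#!/bin/sh
# Added example: audit the [grp:...] section of an lshell.conf.
# Constructed sample; on a real host read it with: CONF=$(cat /etc/lshell.conf)
SAMPLE_CONF=$(cat <<'EOF'
[default]
allowed         : ["ls", "echo"]
scp             : 1

[grp:testgroup]
login_script    : "python /some/path/script.py"
path            : "/some/path/"
forbidden       : ["ls", "echo", "cd"]
scp             : 0
sftp            : 0
EOF
)

# lshell_section CONF SECTION: print only the lines belonging to [SECTION]
lshell_section() {
    printf '%s\n' "$1" | awk -v want="[$2]" '
        /^\[/ { in_sec = ($0 == want); next }
        in_sec { print }'
}

# lshell_get CONF SECTION KEY: print KEY's value within [SECTION], quotes stripped
lshell_get() {
    lshell_section "$1" "$2" | awk -F':' -v key="$3" '
        { k = $1; gsub(/[ \t]/, "", k) }
        k == key {
            v = $0
            sub(/^[^:]*:[ \t]*/, "", v)   # drop "key :" prefix
            gsub(/"/, "", v)               # drop surrounding quotes
            print v
            exit
        }'
}

# audit_group CONF GROUP: return 0 only if the group has a login_script
# and has scp and sftp explicitly disabled in its own section
# (a [default] setting does not count, since the group section overrides it).
audit_group() {
    conf=$1
    grp=$2
    sec="grp:$grp"
    [ -n "$(lshell_get "$conf" "$sec" login_script)" ] \
        || { echo "$grp: no login_script configured"; return 1; }
    [ "$(lshell_get "$conf" "$sec" scp)" = 0 ] \
        || { echo "$grp: scp not disabled in [$sec]"; return 1; }
    [ "$(lshell_get "$conf" "$sec" sftp)" = 0 ] \
        || { echo "$grp: sftp not disabled in [$sec]"; return 1; }
    return 0
}

# Usage: audit the constructed config for the answer's group
audit_group "$SAMPLE_CONF" testgroup && echo "testgroup: confined to login_script, scp/sftp off"
```

The script deliberately looks only inside the group's own section: lshell applies [grp:...] on top of [default], so a group that omits scp/sftp silently inherits whatever [default] says, and the audit flags that as a failure rather than assuming the inherited value is safe.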