How to Create a Limited Access User in Linux. Creating a limited access user in Linux is an essential security practice.
By excluding from privileged groups, restricting the shell, and clearly defining permissions, you can considerably reduce the attack surface and ensure a controlled environment for specific operations.
How to Create a Limited Access User?
Creating limited access users is essential for Linux system security.
By restricting access, you reduce the risk of a user modifying critical files or running dangerous commands.
This guide shows you how to create an account with minimal rights, suitable for specific and secure tasks.
1. Creating a New User
Using the adduser command:
sudo adduser username
You will be guided to enter the password and other information. This user will have, by default, a home directory and the /bin/bash shell.
2. Removing sudo Access
Ensure that the user is not part of the sudo group:
sudo deluser username sudo
Check group membership:
groups username
3. Restricting the Shell (Optional)
If you want the user to not have access to an interactive shell:
sudo usermod -s /usr/sbin/nologin username
Alternatively, you can use /bin/false to completely block their login.
4. Creating an Isolated Working Environment (chroot jail)
To restrict access to a specific directory, you can use chroot or solutions like rssh or jailkit.
Example of creating a working directory:
sudo mkdir -p /home/limited/website sudo chown root:root /home/limited sudo chmod 755 /home/limited sudo chown username /home/limited/website
This way, the user can only work in the website folder.
5. Limiting Available Commands
You can control what commands the user can access by:
- modifying the
PATHvariable in the.bash_profileor.bashrcfile - creating a custom shell that allows only certain commands
6. Limiting SSH Access
To allow access only to certain users through SSH:
sudo nano /etc/ssh/sshd_config
Add the line:
AllowUsers admin username
Apply the changes:
sudo systemctl restart ssh
7. Restricting File Access
Using chmod and chown, you can restrict access to sensitive files:
sudo chmod 700 /etc/important sudo chown root:root /etc/important
8. Creating a Dedicated Group (Optional)
For additional control, you can create an isolated group:
sudo groupadd limited sudo usermod -g limited username
9. Monitoring User Activity
Activity logs can be analyzed in:
/var/log/auth.log
For real-time monitoring:
sudo tail -f /var/log/auth.log
10. Testing the Configuration
Before providing access to a real user, test the created account:
su - username
Check what directories and commands are accessible and ensure that the restrictions work according to plan.
Comments (0)