Restricting user access

Email-only access

Create a user account with a home directory of /dev/null and a shell that does not permit logins, such as /bin/false or /dev/null.

FTP-only access

Set the user's shell to one that does not permit logins, such as /bin/false or /dev/null.
Note: your FTP server may require that the user's shell is listed in the /etc/shells file.

Preventing FTP access

Add the user's account name into /etc/ftpusers.

Restricted access

Set the user's shell to a restricted shell such as /bin/rksh or /bin/rsh.

This prevents:
1. Use of the cd command
2. Setting or changing the PATH variable
3. Specifying a command or filename containing a slash (/) -- only filenames in the current directory can be used
4. Using output redirection (> or >>).

Restricting by user group

Add the following to /etc/profile:

# Note: grep matches substrings, so pick a {group_name} that is not part of another group's name.
if [ -n "`groups | grep {group_name}`" ] ; then
   echo "Users from group {group_name} cannot login to this machine."
   exit 1
fi

This would restrict telnet and rsh access for users using Bourne shell or Korn shell. C shell users would still be able to access the machine.


Thanks to Augustus Carter for sending the following method of restricting C shell, Bourne shell, and Korn shell access on Solaris systems.

The following will restrict the C Shell as well as Bourne and Korn shells under Solaris 2.6, 7, 8, and 9 systems:

Create a text file called /etc/su_users.txt containing the usernames to restrict, one per line, like this:
luke
hans
leia

Add the following code to the /etc/profile file:

# 04-26-2002 - Restricts telnet and ssh access for batch user accounts
# Bourne (sh) and Korn (ksh) shell users use the script in the /etc/profile file
# C (csh) shell users use the script in the /etc/.login file
# The /etc/su_users.txt file contains the list of batch accounts.
TTY=`tty | awk -F/ '{printf ($3"/"$4)}'`
USER_TTY=`w | awk '(\$2=="'$TTY'"){print \$1}'`
for USERID in `cat /etc/su_users.txt`
do
   if [ "$USER_TTY" = "$USERID" ]
   then
      echo
      echo Interactive logins for the $USER_TTY user are disabled.
      echo Please login with your user id and do a su - $USER_TTY.
      echo
      exit
   fi
done

Add the following code to the /etc/.login file:

# 04-26-2002 - Restricts telnet and ssh access for batch user accounts
# Bourne (sh) and Korn (ksh) shell users use the script in the /etc/profile file
# C (csh) shell users use the script in the /etc/.login file
# The /etc/su_users.txt file contains the list of batch accounts.
set TTY=`tty | awk -F/ '{printf ($3"/"$4)}'`
set USER_TTY=`w|awk '{if ($2=="'$TTY'") print $1}'`
foreach USERID (`cat /etc/su_users.txt`)
if ( "$USER_TTY" == "$USERID" ) then
   echo
   echo Interactive logins for the $USER_TTY user are disabled.
   echo Please login with your user id and do a su - $USER_TTY.
   echo
   logout
endif
end
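The check that both the /etc/profile and /etc/.login scripts above perform, written as an added self-contained example (not part of the original page or Augustus Carter's method): it takes the output of tty(1) and w(1) as arguments instead of calling them, so it runs offline against constructed data, and the function and variable names are assumptions. It also maps /dev/console to "console" as w(1) reports it, where the page's tty | awk pipeline yields "console/" and never matches.

```shell
#!/bin/sh
# Added example: the /etc/profile logic above, made testable by taking the
# tty(1) and w(1) output as arguments. Names are assumptions, not the page's.

# Constructed sample of w(1) output (Solaris column layout).
SAMPLE_W='  9:41am  up 12 day(s),  3:02,  3 users,  load average: 0.10, 0.08, 0.07
User     tty           login@  idle   JCPU   PCPU  what
hans     pts/1         9:30am                      -sh
luke     pts/2         9:35am     2                -ksh
brandon  pts/3         9:40am                      w'

# Constructed batch-account list, same one-name-per-line format as /etc/su_users.txt.
SU_USERS='luke
hans
leia'

# tty_short: reduce a device path to the form w(1) prints: /dev/pts/2 -> pts/2.
# Unlike the page's awk pipeline, /dev/console becomes "console", not "console/".
tty_short() {
    printf '%s\n' "$1" | awk -F/ '{ if ($4 == "") print $3; else print $3 "/" $4 }'
}

# user_on_tty TTY W_OUTPUT: print the login name w(1) shows on TTY (empty if none).
user_on_tty() {
    printf '%s\n' "$2" | awk -v tty="$1" '$2 == tty { print $1 }'
}

# batch_login_blocked TTY_PATH W_OUTPUT LIST: return 0 if the user on TTY_PATH
# is in LIST (so the login should be refused), 1 otherwise.
batch_login_blocked() {
    user=$(user_on_tty "$(tty_short "$1")" "$2")
    [ -n "$user" ] || return 1
    for id in $3; do
        [ "$user" = "$id" ] && return 0
    done
    return 1
}

# In a real /etc/profile the call would be:
#   batch_login_blocked "`tty`" "`w`" "`cat /etc/su_users.txt`" && exit
```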


Last modified: 06/08/2004