Is there a way to create a user account in Solaris which allows the users to run one command only? No login shell or anything else. I could possibly do it with /usr/bin/false in /etc/passwd and just get the user to ssh <hostname> <command>, but is there a nicer way to do it?

3 Answers
You could use a forced command if the users can only connect through ssh. Essentially, whenever the user connects through ssh with a certain key and a certain username, you force him to execute a command (or a script) you determined in the .ssh/authorized_keys. Commands issued by the users will be ignored.
For example:
# in .ssh/authorized_keys
command="cd /foo/bar && /path/to/scripts/my_script.sh arg1 arg2",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa public_key

Well you were both right. What I did was create a script which supplies a menu on the prompt and use the forced check command in .ssh/authorized_keys on the server in front of the key for the authorized user. This now enables him to ssh to the server and at the prompt is given a nice menu with several commands to execute. Nothing else can be run. Happy days! – Will Dowling Oct 29 '10 at 12:44
Edited; you need these options to secure a forced command: "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty". – Tobu Apr 17 '13 at 11:00
Thanks so much! – Oleg Reym Jul 12 '21 at 18:20
If you're using openssh server 7.2 or later (which you probably are by now), you can use the single option "restrict" instead of all the "no-" options. See https://unix.stackexchange.com/a/560127/135943 – Wildcard Oct 25 '23 at 20:26
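
An added example, not part of the answer or comments above: a forced-command wrapper in POSIX sh that reads SSH_ORIGINAL_COMMAND, which sshd sets to whatever the client asked to run, and executes only exact matches from a fixed table. The script path, the request names and the table entries are assumptions made for illustration.

```shell
#!/bin/sh
# Forced-command wrapper, added example. Assumed authorized_keys entry
# (script path is hypothetical; "restrict" needs OpenSSH 7.2 or later,
# otherwise list the no-* options):
#   command="/usr/local/bin/ssh-allow.sh",restrict ssh-rsa public_key

# Print the fixed command line for an allowed request and return 0;
# return 1 for anything else. Request names and targets are constructed.
resolve_request() {
    case "$1" in
        uptime) echo "/usr/bin/uptime" ;;
        disk)   echo "/usr/bin/df -k" ;;
        report) echo "/path/to/scripts/my_script.sh arg1 arg2" ;;
        *)      return 1 ;;
    esac
}

main() {
    # sshd stores the command the client asked for in SSH_ORIGINAL_COMMAND;
    # it is unset when the client ran a plain "ssh host".
    request=${SSH_ORIGINAL_COMMAND:-}
    if cmdline=$(resolve_request "$request"); then
        # Word splitting is intended: $cmdline is one of the fixed strings
        # above and never contains client-supplied text.
        exec $cmdline
    fi
    # Neutralise control and shell characters before logging the refusal.
    safe=$(printf '%s' "$request" | tr -c '[:alnum:] ._/-' '?')
    logger -t ssh-allow "denied user=${LOGNAME:-unknown} request=$safe"
    echo "Not permitted. Allowed requests: uptime, disk, report" >&2
    exit 1
}

# Run only when installed under the assumed name, so the file can also be
# sourced to inspect resolve_request without side effects.
case "$0" in
    */ssh-allow.sh) main ;;
esac
```

Because the match is on the whole request string, input such as "uptime; id" is refused rather than partially honoured.
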
You could set the shell of that user to a script just running the command you want to allow: Whenever the user logs in, the command is run, then the user is logged out. And since there's no "full shell" you don't have to deal with the user trying funky stuff ;)

I'm wondering if you could do this with RBAC and giving the user a privileged shell (pfsh, pfcsh, or pfksh) and creating a profile for the commands the user(s) would be allowed to run.
