
I've created a service account in my Redhat machine. The purpose of the account is to execute the bash script which I had created.

The bash script basically checks system properties like cpuinfo, ifconfig, network status, ports, processes, file permissions, device status, etc.

Now how do I make my service account execute only the script which I had created? Other than that, this account should not do anything: even if someone logs in on my server with the service account credentials, they should not be able to run even basic commands like ls, cp, mv, date, etc., except the script execution.

vinu

1 Answer


Based on your subject of how to restrict access of an account in Linux,

you would create that account as well as a new group for it, where the group name could be the same as the account name for example. The result would be only this user account would be in this new group and it would be completely unique where nothing else on the system has owner or group permissions related to this new service account name and service account group. Then set your bash script to be owned by this service account and service group name. In addition, set the login shell for this account to either /bin/false or /bin/nologin.

What's the difference between /sbin/nologin and /bin/false

However keep in mind, you just created a new account with the sole purpose of running a script YOU created. From a security perspective you just did an extra step that is of little value, and now anyone other than you who sees this new service account running in the background without knowing will scratch their head and wonder what the heck is that.

A better way, since it's your script, is to keep it owned by you - you are a valid user and everyone will recognize your account when tied to some running process - and then use the setuid bit on your script to give it the permissions to do the tasks, since most of what you mentioned for checking system properties requires root privilege.

I had mentioned taking advantage of SETUID, and that was incorrect because you are using a shell script, for reasons which are explained here: Allow setuid on shell scripts

However, if you write and compile a program to do the things you need, whose executable would be owned by you, then you could take advantage of SETUID on that executable:

Using the setuid bit properly

ron
    Scripts correctly cannot use the SUID bit by default. It isn't possible not to use a service account in some work environments, like all US government organizations. A service account is meant to be configured for only the access that it requires and nothing else, which might be configured via sudo (no password to run a single script). The account password could be disabled with passwd -l user, and the login shell could be changed. – Christopher Apr 27 '17 at 15:26
  • thanks for pointing that out, i forgot he was talking about a shell script. – ron Apr 27 '17 at 17:17
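Putting the answer and Christopher's comment together, here is an added example (not code from the question or the answer): a script that creates the service account with its own group and no login shell, locks its password, and grants it exactly one sudo rule for a single script. The account name `sysaudit` and the script path `/usr/local/sbin/sysaudit.sh` are placeholders; note that the script is owned by root rather than by the service account, because a NOPASSWD root rule for a file the account can edit would let it run anything as root.

```bash
#!/bin/bash
# Constructed example: confine a RHEL service account to one script via sudo.
# Placeholders: account "sysaudit", script /usr/local/sbin/sysaudit.sh.
set -eu

# A sudoers command must be an absolute path and free of whitespace, globs
# and sudoers syntax characters; anything else makes the rule ambiguous.
check_script_path() {
  case "$1" in
    /*) ;;
    *) echo "script path must be absolute: $1" >&2; return 1 ;;
  esac
  case "$1" in
    *[[:space:]]*|*[]*?,#:=[]*) echo "unsafe characters in path: $1" >&2; return 1 ;;
  esac
  return 0
}

# Build the single sudoers line: ACCOUNT may run SCRIPT as root, nothing else.
sudoers_rule() {
  check_script_path "$2" || return 1
  printf '%s ALL=(root) NOPASSWD: %s\n' "$1" "$2"
}

# Apply everything on the host. Run as root: setup_account ACCOUNT SCRIPT
setup_account() {
  account=$1 script=$2
  rule=$(sudoers_rule "$account" "$script")
  getent group "$account" >/dev/null || groupadd "$account"
  # Dedicated group, no home directory, no interactive shell.
  id "$account" >/dev/null 2>&1 || useradd -g "$account" -M -s /sbin/nologin "$account"
  passwd -l "$account"                      # password login disabled entirely
  # Root owns the script; the service group may only read and execute it.
  chown "root:$account" "$script"
  chmod 0750 "$script"
  printf '%s\n' "$rule" > "/etc/sudoers.d/$account"
  chmod 0440 "/etc/sudoers.d/$account"
  visudo -cf "/etc/sudoers.d/$account"      # syntax check before sudo reads it
}

# Apply only when run as root with both arguments; otherwise just define functions.
if [ "$#" -eq 2 ] && [ "$(id -u)" -eq 0 ]; then
  setup_account "$1" "$2"
fi
```

The account then runs the check as `sudo /usr/local/sbin/sysaudit.sh` (from cron, for instance), while every other command is refused by sudo and the nologin shell blocks interactive use.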