2

Is it possible to have bashrc grab every single command the user types, save for those containing a given word?

Like the way you can use aliases to change what the user meant, you can alias, for instance, 'cd' to nothing. That way the user can't apply that command anymore.

Maybe that way you can have a given user only able to apply one command?

john-jones
  • 1,736

2 Answers

2

If you only need users to access files remotely with sftp or rsync, but not be able to run shell commands, then use rssh or scponly.

If you need users to be able to run only a few programs, set a restricted shell for them, such as rbash or rksh. In a restricted shell, PATH cannot be changed and only programs in the path can be executed. Beware not to allow programs that allow the user to run other programs, such as the ! or | command in vi. Access to files remains controlled by the file permissions.

  • Ok this rssh stuff is absolutely brilliant. But is there any way to limit the rsync'ing to only the home folder of this limited rssh account? – john-jones Aug 21 '13 at 13:46
  • 1
    @HermannIngjaldsson Yes, though it does take a bit of manual setup. See the CHROOT file in the rssh documentation. – Gilles 'SO- stop being evil' Aug 21 '13 at 13:46
  • What do you think about restricting clients access via ssh-keygen as talked about here by mdpc: http://unix.stackexchange.com/questions/87983/how-to-securely-allow-scp-but-not-ssh/88028#88028? – john-jones Aug 24 '13 at 18:53
  • @HermannIngjaldsson Restricting the command in authorized_keys? Yes, that's possible. It gives you finer control: you can have different keys allowing different commands. Filtering the command is tricky; it works well if you want e.g. to only allow sftp, less well if you also want to allow scp and rsync. – Gilles 'SO- stop being evil' Aug 24 '13 at 19:15
  • Where is the CHROOT file in the rssh documentation? – john-jones Aug 24 '13 at 19:25
  • @HermannIngjaldsson It's in the source archive, and presumably your distribution installs it wherever it installs the documentation. For example, on Debian/Ubuntu/Mint/…, it's in /usr/share/doc/rssh. – Gilles 'SO- stop being evil' Aug 24 '13 at 19:41
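
The authorized_keys command restriction discussed in the comments above, sketched as a forced-command filter. This is an added example, not code from the answer or from rssh. The script path, the key placeholder, the sftp-server location and the allowed directory are all assumptions.

```sh
#!/bin/sh
# Added example: forced-command filter for one authorized_keys entry.
# Assumed entry (script path and key are placeholders):
#   command="/usr/local/bin/only-transfer",restrict ssh-ed25519 AAAA...placeholder
# sshd runs this script instead of the client's request, which it passes in
# SSH_ORIGINAL_COMMAND.
LC_ALL=C; export LC_ALL
# Assumptions: sftp-server path (varies by distribution) and the allowed tree.
SFTP_SERVER="${SFTP_SERVER:-/usr/lib/openssh/sftp-server}"
ALLOWED_DIR="${ALLOWED_DIR:-/home/backup}"

# check_command REQUEST: return 0 if the request may run, 1 otherwise.
check_command() {
    req=$1
    case $req in
        # empty request (interactive login), any character outside a small
        # safe set (so no ; | & $ ` quotes, globs or newlines), or ".."
        ''|*[!A-Za-z0-9\ ./_=,-]*|*..*) return 1 ;;
    esac
    if [ "$req" = "$SFTP_SERVER" ]; then return 0; fi
    case $req in
        "rsync --server "*) ;;      # what an rsync client asks the remote to run
        *) return 1 ;;
    esac
    # In rsync's server command line the paths follow a lone "." argument;
    # every one of them must be inside ALLOWED_DIR.
    seen_dot=0
    for word in $req; do            # safe to split: no glob characters remain
        if [ "$seen_dot" = 1 ]; then
            case $word in
                "$ALLOWED_DIR"/*) ;;
                *) return 1 ;;
            esac
        elif [ "$word" = . ]; then
            seen_dot=1
        fi
    done
    [ "$seen_dot" = 1 ]
}

# Only act when sshd handed us a request; with none, the session just ends.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if check_command "$SSH_ORIGINAL_COMMAND"; then
        exec $SSH_ORIGINAL_COMMAND  # unquoted on purpose: split into words
    fi
    echo "refused: $SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

A symlink inside the allowed tree can still point outside it; confining that takes the chroot setup mentioned in the comments.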
1

Some shells (ksh, e.g.) have a restricted mode; in this mode they will not execute anything outside $PATH.

sendmoreinfo
  • 2,573