In many scenarios, you may want to provide a user access to a server via SSH but restrict them to read-only permissions. This is a common requirement for roles such as support staff or auditors who need to view files without modifying them. In this article, we will explore how to achieve read-only access for a user logged in through SSH.
Problem Scenario
The original problem can be expressed as follows: "How can I limit a user who logs in via SSH to have read-only access to the server?"
Here's a simple command snippet that shows a user logging in through SSH:
ssh username@server_ip
Implementing Read-Only Access
To restrict a user to read-only access, you can follow these steps:
Step 1: Create the User
First, you need to create a user account for SSH access:
sudo adduser readonlyuser
Step 2: Set Up the User's Home Directory
Next, you want to set the user's home directory to a specific location and restrict permissions:
sudo usermod -d /home/readonlyuser readonlyuser
sudo chmod 700 /home/readonlyuser
Step 3: Use Restricted Shell
To further limit the user's capabilities, you can set them up with a restricted shell. The rbash (restricted bash) shell is ideal for this purpose:
sudo chsh -s /bin/rbash readonlyuser
Step 4: Set Up Read-Only Permissions
You’ll need to adjust the permissions for the directories and files that the user will be able to access. For example, to give read-only access to a specific folder:
sudo chown -R root:root /path/to/directory
sudo chmod -R 755 /path/to/directory
Make sure the user can read the directory:
sudo setfacl -m u:readonlyuser:r /path/to/directory
Step 5: Add Allowed Commands
You can restrict the commands that the user can execute. This is done by creating a .bash_profile file in the user's home directory:
echo "alias ls='ls -l'" >> /home/readonlyuser/.bash_profile
Step 6: Test the Setup
Once you have completed the setup, you can test the access level by logging in as readonlyuser:
ssh readonlyuser@server_ip
Try creating or modifying a file to confirm that the user has read-only access.
Additional Considerations
- Security: Always audit user permissions and ensure that you are not inadvertently granting more permissions than intended.
- Backups: Make sure to have backups of important files before changing permissions, in case something goes wrong.
- Monitoring: Keep an eye on user activities using tools like
auditdorlogwatch.
Conclusion
By following these steps, you can limit an SSH user to read-only access, ensuring they can view files without the ability to modify them. This method is particularly useful for maintaining system integrity while allowing necessary visibility to authorized users.
Useful Resources
By adhering to these guidelines, you can maintain security and access control on your server efficiently.
