Limit SSH user to running only a shell script and passing parameters to it

Is it possible in OpenWrt to limit another added (non-root) SSH user with root rights to running only one script, passing parameters ($1, $2 ...) to it, with shell access disabled?

Your question is hard to follow.

You say "(not root)" followed by "with root rights".

If access to shell is disabled, where is user typing command and parameters?

Are you wanting to replace the default login shell? This Stack Overflow article may help.

In Linux you can set the suid bit to run a script as the file owner. Not sure if that is supported in OpenWrt. So you could have a user run a script that would execute as root. There are some security implications.

Hi, thanks for your answer.

Your URL doesn't open, but I have found that I can change /etc/passwd to:

someuser:x:0:0:root:/someuser:/usr/bin/somescript

but it doesn't work for me in OpenWrt.

Maybe there is another solution?

The link is wrong; it points back to this thread.

Perhaps you should tell us what you're trying to achieve?

I need to run a shell script remotely on the router side from SSH and pass some parameters to it (so the script needs to run with full access), for example:

sshpass -p somepassword ssh someuser@192.168.1.1 '/home/someuser/somescript parameter1 parameter2 parameter3'

But the user must not be able to change this script (only read and run it) and must not have access to other files over SSH (can't log in, or if logged in, can access only the home dir read-only).

By user, do you mean the OS account, or a physical person?

I will add a user on the router side, but the script will be launched remotely from the other side; the password will be exposed and seen by others on the remote side, so it's not safe: anyone can get the password, log in to the router by SSH and make any changes / see files etc. I need to limit the possibility to only running the script on the router side as described.

OK, so what exactly isn't working?

I have no issues creating, and logging in with, a newly created user, and executing a script that won't let me use the CLI, but closes the connection.

It seems that the script doesn't run and I don't know how to pass parameters to it... When /bin/ash is enabled, the script runs without problems.

From remote, or locally?

From remote and locally.

OK, keep ash, add exit to ~/.profile, and hope it doesn't kill your script in the process :wink:


I need to add exit to the /home/someuser/.profile file?

Yeah. It'll kill CLI access for that user; the login will work, but the session will be closed.

Ahh, it's not the solution I expected, because I can run every command on the router, even:
'echo -e "password\npassword" | passwd root'
and then log in to SSH as root)))

Is there any possibility to limit the user to his home folder?

Then don't put it in the root group, and use sudo for the (root) commands you'd like to allow?

There's also chroot.

Here is the link on changing the default shell. It says you have to add the new shell to /etc/shells.
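One way to put the two suggestions above together (an unprivileged account plus sudo for the single root command, and a custom login shell listed in /etc/shells), as an added example that is not code from this thread or from OpenWrt. Everything named here is an assumption for the illustration: the dispatcher is installed as /usr/bin/onlyscript, the account gets uid/gid 1000 rather than 0, the sudo package is installed, and a sudoers rule permits exactly /home/someuser/somescript. The point it shows is that `ssh user@host 'cmd args'` makes the SSH server run the account's login shell as `shell -c 'cmd args'`, so a login shell that only honours one value of that command string, and execs it, gives the OP's "run one script with parameters, nothing else":

```shell
#!/bin/sh
# Restricted login shell for OpenWrt (added example; not code from the thread).
# Goal from the thread: an unprivileged account whose only capability over
# SSH is "run /home/someuser/somescript with arguments, as root".
#
# Assumed setup (names are illustrative, not from the thread):
#   - this file installed as /usr/bin/onlyscript and listed in /etc/shells
#   - /etc/passwd entry with a non-zero uid/gid (uid 0 would already be root):
#       someuser:x:1000:1000:someuser:/home/someuser:/usr/bin/onlyscript
#   - the script is root-owned so someuser can only read and run it:
#       chown root:root /home/someuser/somescript; chmod 755 /home/someuser/somescript
#   - sudo package installed, and this rule added with visudo:
#       someuser ALL=(root) NOPASSWD: /home/someuser/somescript

ALLOWED_SCRIPT=${ALLOWED_SCRIPT:-/home/someuser/somescript}

# check_command "<command string>": return 0 only when the first word is
# exactly the permitted script and every argument is made of plain
# characters. The string is what the SSH server passes after -c; it is
# word-split here and never handed to a shell, so ';', '|', '$(' and
# friends cannot chain commands. The argument whitelist is defence in
# depth for whatever somescript itself does with $1, $2 ...
check_command() {
    [ -n "$1" ] || return 1
    set -f                       # no pathname expansion while word-splitting
    set -- $1
    set +f
    [ "$1" = "$ALLOWED_SCRIPT" ] || return 1
    shift
    for arg; do
        case $arg in
            *[!A-Za-z0-9_./:=@-]*) return 1 ;;
        esac
    done
    return 0
}

# Entry point when this file is the account's login shell.
#   ssh someuser@router '/home/someuser/somescript p1 p2'
# makes dropbear/sshd run:   onlyscript -c '/home/someuser/somescript p1 p2'
# A plain interactive login runs the shell with no -c at all and is refused.
main() {
    if [ "$1" != "-c" ] || [ $# -ne 2 ]; then
        echo "onlyscript: interactive login is not permitted" >&2
        exit 1
    fi
    if ! check_command "$2"; then
        echo "onlyscript: only $ALLOWED_SCRIPT may be run" >&2
        exit 1
    fi
    set -f
    set -- $2
    set +f
    # -n: never prompt for a password; exec: nothing of this shell stays
    # behind, so there is no prompt to fall back into when the script ends.
    exec sudo -n "$@"
}

# Only act as the login shell when invoked under the installed name
# (the SSH server passes "-onlyscript" or "onlyscript" as $0). Running or
# sourcing this file under any other name just defines the functions.
case $0 in
    *onlyscript) main "$@" ;;
esac
```

With this in place the command from earlier in the thread, `ssh someuser@192.168.1.1 '/home/someuser/somescript parameter1 parameter2 parameter3'`, runs the script as root with those three arguments, while `ssh someuser@192.168.1.1` on its own, or any other command such as the `passwd root` trick above, is refused before anything executes. The remaining exposure is the one the OP already identified: anyone who learns the password can still run somescript with whatever arguments the whitelist lets through, so somescript must validate its own $1, $2 ... rather than trusting them.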

I have temporarily disabled "exit", connected by SSH and tried under "someuser":
sudo su
sudo root
but none of the known passwords are accepted.

Have you updated sudoers?

What do you mean?