I don't know how to do it with bash, but I know of another shell that restricts the user environment: lshell (limited shell).
A quick overview of configuration
Lshell is configured via an INI file. By default, it holds a whitelist of allowed commands, but it can be easily configured to prohibit a user from using a specific command.
This configuration (default conf /etc/lshell.conf) prohibits user foo from using mkdir:
[foo]
allowed = 'all' - ['mkdir', 'bash', 'sh', 'csh', 'dash', 'env']
In order to configure a user account to use lshell by default, you must:
chsh -s /usr/bin/lshell foo
Lshell can do more, like:
- 3 levels of granularity: user, group, all.
- Can restrict access to certain paths in the system.
- Can restrict the use of certain characters (like |).
- Can restrict the use of certain commands only over SSH.
And more.
Update 1: Added test result:
rahul:~$ which bash
/bin/bash
rahul:~$ dd if=$(which bash) of=my_bash
*** forbidden syntax: dd if=$(which bash) of=my_bash
rahul:~$ bash
*** forbidden command: bash
rahul:~$ cp /bin/bash my_bash
*** forbidden path: /bin/bash
rahul:~$ /bin/bash
*** forbidden command: /bin/bash
rahul:~$ sh
*** forbidden command: sh
rahul:~$ dash
*** forbidden command: dash
rahul:~$ env bash
*** forbidden command: env
rahul:~$ cp /bin/mkdir mycreatedir
*** forbidden path: /bin/mkdir
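As an added illustration (not lshell's own code), here is a small Python model of the three refusal rules the session above shows: an allowed list of 'all' minus a deny list, forbidden character sequences, and absolute paths outside the configured directories. The `forbidden` and `path` keys are assumed from lshell's configuration format; the config and command lines are constructed from the answer.

```python
import ast
import configparser
import shlex
from typing import Optional

# Constructed lshell-style INI: the [foo] section from the answer, plus the
# 'forbidden' (banned character sequences) and 'path' (allowed directories)
# keys, which are assumed from lshell's config format and not shown above.
LSHELL_CONF = """
[foo]
allowed = 'all' - ['mkdir', 'bash', 'sh', 'csh', 'dash', 'env']
forbidden = [';', '&', '|', '`', '>', '<', '$(', '${']
path = ['/home/foo']
"""


def parse_allowed(value: str):
    """Return (base_is_all, explicit_set, denied_set) for an 'allowed' value."""
    base, _, minus = value.partition(" - ")
    base_val = ast.literal_eval(base.strip())
    denied = set(ast.literal_eval(minus.strip())) if minus else set()
    if base_val == "all":
        return True, set(), denied
    return False, set(base_val), denied


def check(conf: str, user: str, cmdline: str) -> Optional[str]:
    """Return None if the line is allowed, else an lshell-style refusal reason."""
    cp = configparser.ConfigParser()
    cp.read_string(conf)
    sec = cp[user]
    is_all, explicit, denied = parse_allowed(sec["allowed"])
    forbidden = ast.literal_eval(sec.get("forbidden", "[]"))
    paths = [p.rstrip("/") for p in ast.literal_eval(sec.get("path", "[]"))]
    # 1. forbidden syntax: a banned sequence anywhere on the line wins first
    if any(tok in cmdline for tok in forbidden):
        return "forbidden syntax"
    words = shlex.split(cmdline)
    if not words:
        return None
    # 2. command check on the basename, so /bin/bash is refused like bash
    cmd = words[0].rsplit("/", 1)[-1]
    if cmd in denied or (not is_all and cmd not in explicit):
        return "forbidden command"
    # 3. absolute path arguments must sit inside an allowed directory
    for arg in words[1:]:
        if arg.startswith("/") and not any(arg == p or arg.startswith(p + "/") for p in paths):
            return "forbidden path"
    return None
```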