Restrict Access

When you create an SSH tunnel to your server, there is no need for Adobe Commerce Intelligence to have access to anything but the database. If you do not want Commerce Intelligence to have full access to the server that houses your database, you can restrict access by forcing the Commerce Intelligence Linux user into a restricted bash shell.

As the name suggests, a restricted bash shell sets up an environment that is more controlled than the standard shell. The important thing about this type of shell is that restricted shell users cannot access system functions or make any kind of modifications.

To restrict the Commerce Intelligence Linux user, you must do two things:

  1. Set the PATH environment variable to the empty string. This means that the user cannot access system executables.

  2. Make sure that the shell executed is bash -r.

Both of these can be done in the authorized_keys file in the .ssh directory under the user’s home directory, as part of the command that is executed when the user logs in. Double quotes inside the command value must be escaped with a backslash. It looks something like this:

... other keys ...
command="env PATH=\"\" /bin/bash -r" <rjmetrics public key goes here>
... other keys ...

When this is complete, the user you created for Commerce Intelligence cannot make changes to your system.
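
To confirm the restriction is actually in place, the following added example (not part of the original page or of Adobe's tooling) parses authorized_keys entries and reports which keys force exactly the restricted shell command described above. The function names and the sample file are constructed for illustration; the parser assumes sshd's quoting rule that a double quote inside command="..." is only valid when backslash-escaped, so an entry with unescaped inner quotes is reported as not restricted.

```python
import re
import shlex

# Forced command shown on the page, as tokens after shell word splitting.
EXPECTED = ["env", "PATH=", "/bin/bash", "-r"]
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # a line starting like this has no options
# One option: name, optional ="value" (only \" is an escape), then , / space / end.
OPTION_RE = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\"|[^"])*)")?(,|[ \t]|$)')

def parse_options(line):
    """Parse the leading options field; return a dict, or None if malformed."""
    opts, pos = {}, 0
    while True:
        m = OPTION_RE.match(line, pos)
        if not m:
            return None
        opts[m.group(1).lower()] = m.group(2)
        pos = m.end()
        if m.group(3) != ",":
            return opts

def is_restricted(line):
    """True only if the entry forces exactly: env PATH="" /bin/bash -r"""
    opts = None if line.startswith(KEY_TYPES) else parse_options(line)
    if not opts or not opts.get("command"):
        return False  # no options, malformed options, or no forced command
    try:
        tokens = shlex.split(opts["command"].replace('\\"', '"'))
    except ValueError:  # unbalanced quotes inside the command itself
        return False
    return tokens == EXPECTED

def audit(text):
    """Return [(line_number, restricted)] for each key entry in the text."""
    entries = [(n, l.strip()) for n, l in enumerate(text.splitlines(), 1)]
    return [(n, is_restricted(l)) for n, l in entries if l and not l.startswith("#")]

# Constructed sample; the key material is placeholder text, not real keys.
SAMPLE = r'''# authorized_keys (constructed)
ssh-ed25519 AAAAPLACEHOLDER1 admin
command="env PATH=\"\" /bin/bash -r" ssh-rsa AAAAPLACEHOLDER2 commerce-intelligence
command="env PATH="" /bin/bash -r" ssh-rsa AAAAPLACEHOLDER3 unescaped-quotes
command="/bin/bash -r" ssh-rsa AAAAPLACEHOLDER4 path-not-emptied
'''

if __name__ == "__main__":
    for number, ok in audit(SAMPLE):
        print(number, "restricted" if ok else "NOT restricted")
```

Run it against a copy of the real file by passing its contents to audit(); any key that Commerce Intelligence uses should be reported as restricted.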