How can i restrict command line on ubuntu server

I want to restrict the command line Ubuntu for all users.

But if I write a super user command like "enable" or something like that. Ubuntu should ask for my superuser password and if I entered it correctly it has to open to normal unrestricted bash.

How can I do this?

I saw some examples with a QR code. They run the superuser command and the OS shows some random characters and QR code on the screen. They scan this QR and their application creates a one-time password. How can they do that? If it has an application for this what is the name of this application?

This is a rather general answer, since your question also seems rather broad.

Strictly speaking, normal users are already quite limited in what they can do. Normal users can:

• Modify files in their own home directory.
• View system files that are not restricted
• Run most applications - that still by default only modify files in their home directory

The superuser command you most likely refer to is the sudo command (by default). If a user is in the sudo group, they can get elevated privileges, but this should only be given to system administrators.

It is possible to further limit what normal users can do, by doing the following (but this requires a lot of manual tweaking):

• You can limit read access to some system files - for instance you could change permissions for /var/log/apt from 0644 to 0640 to prevent normal users from viewing apt logs.
• You can limit execution access for specific binaries - for instance you could change permissions for /usr/bin/cat from 0755 to 0750 to prevent normal users from executing the cat command.

However, the above examples require manual tweaking for every single file/directory and every single binary you want to exclude from normal users.

Because of this, you should probably elaborate on which restrictions you actually want to impose, to see if it makes sense.

It's hard to answer without knowing what exact type of restrictions do you want to apply, but there is something called restricted shell. According to the manual, the following things are disabled in a restricted shell:

• Changing directories with the cd builtin.
• Setting or unsetting the values of the SHELL, PATH, HISTFILE, ENV, or BASH_ENV variables.
• Specifying command names containing slashes.
• Specifying a filename containing a slash as an argument to the . builtin command.
• Specifying a filename containing a slash as an argument to the history builtin command.
• Specifying a filename containing a slash as an argument to the -p option to the hash builtin command.
• Importing function definitions from the shell environment at startup.
• Parsing the value of SHELLOPTS from the shell environment at startup.
• Redirecting output using the >, >|, <>, >&, &>, and >> redirection operators.
• Using the exec builtin to replace the shell with another command.
• Adding or deleting builtin commands with the -f and -d options to the enable builtin.
• Using the enable builtin command to enable disabled shell builtins.
• Specifying the -p option to the command builtin.
• Turning off restricted mode with set +r or shopt -u restricted_shell.

Basically, the goal of all these restrictions is to give the user an environment in which only a few strictly defined commands are possible to execute (of course besides setting a restricted shell for the user this requires appropriate setting of shell startup files, predefined command directories etc.), for example some kind of a "guest" account without a password that anybody could log into, but can use it for example only to ssh to other machines in the network.

Optionally, you can give the user access to a specific command/script that after entering a password runs a normal unrestricted shell, but you must be aware that once given access to an unrestricted shell, the user can set their shell permanently to the normal unrestricted shell, thus removing all mentioned restrictions. So using a restricted shell makes a practical sense only if the user is not able to get out of it to a normal unrestricted shell.