
Restricted Shell

 
Michael Geraghty_1
New Member

Restricted Shell

Hi

I have set up a restricted shell for a user, but I want to allow him to mkdir directories in his home directory and be able to 'cd' into them.

I know you cannot cd out of your home directory, but can they not cd down?

Thanks

Mick
Muthukumar_5
Honored Contributor

Re: Restricted Shell

Have you set rksh for that specific user? He will not be able to execute the cd command!

man ksh says,

The cd command cannot be executed by rksh.

hth.
Easy to suggest when you don't know about the problem!
RAC_1
Honored Contributor

Re: Restricted Shell

How have you set up the restricted user?
There is no substitute to HARDWORK
Michael Geraghty_1
New Member

Re: Restricted Shell

Yes, I have set rsh as their shell in /etc/passwd.

Basically I wanted to set up an scp server for users that can only copy in and out of their own directories and maybe subdirectories in their $HOME.

This can't be done with rsh then?
Muthukumar_5
Honored Contributor

Re: Restricted Shell

Then you cannot give cd execution permission to that user.

I've tried out this:

$ mkdir test
$ cd test
rksh: cd: restricted
$
$
$ echo "cd test" | ksh
ksh: cd: restricted

So you cannot achieve this with the rksh setting in /etc/passwd.

hth.
Easy to suggest when you don't know about the problem!
Muthukumar_5
Honored Contributor

Re: Restricted Shell

Basically I wanted to set up an scp server for users that can only copy in and out of their own directories and maybe subdirectories in their $HOME
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

I hope scp will allow access to files under $HOME. Did you check that? I don't have the scp utility here.

Test as follows:
# Machine2:

touch /file1

# Machine 1 ---> Machine 2
$ scp test@Machine2:/file1 .
should fail

# Machine 1 ---> Machine 2
$ scp root@Machine2:/file1 .
should pass

for your requirement. Check and revert with the results.

hth.
Easy to suggest when you don't know about the problem!
Michael Geraghty_1
New Member

Re: Restricted Shell

I created a 'test' directory under the user's home directory.

I was able to scp a file over to the new directory; if I ssh to the server, I can list the new file under $HOME/test but can't cd into it.

I could get away with this if the user is using a shell under Unix, but if they use something like WinSCP, it throws you out if you try to view the contents of ../test
Ivan Ferreira
Honored Contributor

Re: Restricted Shell

We use restricted shell. As said before, you cannot cd to any directories.

Anyway, users do not need to cd to the directory to perform operations with the file. They just need to specify the path to the file.

Why do you need to cd to that directory?
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Michael Geraghty_1
New Member

Re: Restricted Shell

If they ssh to the server they can list what is in the directory no problem, so copying to and from $HOME/test/test2 is no problem.

But if using WinSCP or some other tool, it throws you out, because when you click on the folder to list the contents it uses "cd" to get in and list??
Matti_Kurkela
Honored Contributor
Solution

Re: Restricted Shell

With a restricted shell, you can limit what commands the user can execute - but not necessarily what he/she can do with those commands. The commands you allow to the restricted user must be able to perform similar restrictions internally, otherwise a tricky user might circumvent your restrictions.

If your goal is to create a user account for SSH file transfer which can access files only in the account's home directory and subdirectories, chroot is the answer.

The commercial SSH from ssh.com and newer versions of OpenSSH can be configured to chroot the session for certain users. When a session is chrooted, the user sees his/her home directory as a root directory. The subdirectories of the home directory are accessible normally, but the rest of the filesystem "does not exist" for him/her.

The disadvantage of chroot is that if the user is going to execute normal (non-chroot-aware) commands inside the chroot jail, you must supply the entire environment inside the jail. The sshd handles SFTP internally, so it does not need any libraries.

But if you need anything else, you must determine the correct libraries using "ldd" and "chatr" commands, and copy those libraries into the chroot environment. Symlinking does not help: the symlinks are interpreted within the context of the chroot environment.
MK
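The chroot setup Matti describes, written out as an added example that is not code from the original thread or from OpenSSH: a POSIX shell script that emits the sshd_config fragment for an SFTP-only group (ChrootDirectory plus ForceCommand internal-sftp, so no shell and no libraries are needed inside the jail) and checks the ownership/mode chain that sshd enforces before it will chroot into a directory. The group name sftponly, the sample path, and the optional "stop" argument (which limits the walk to a subtree so the check can be exercised without root) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread or from OpenSSH.
# Two pieces: the sshd_config fragment for an SFTP-only, chroot-jailed group,
# and a check of the chroot path chain that mirrors what sshd requires.

# Print the sshd_config fragment that jails every member of GROUP into
# their own home directory. "%h" is expanded by sshd to the user's home;
# internal-sftp runs inside sshd, so the jail needs no binaries or libraries.
# GROUP defaults to the assumed name "sftponly".
sftp_chroot_config() {
    group="${1:-sftponly}"
    cat <<EOF
Subsystem sftp internal-sftp

Match Group $group
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# sshd refuses to chroot unless every component of the ChrootDirectory path
# is owned by root and is neither group- nor world-writable. Walk from PATH
# up to STOP (default "/") and report each offending component.
# OWNER (default "root") is parameterised only so the check can be run on a
# test subtree by a non-root user; on a real host use the defaults.
# Returns 0 only when the whole chain is acceptable.
check_chroot_chain() {
    path="$1"
    owner_expected="${2:-root}"
    stop="${3:-/}"
    status=0
    dir="$path"
    while :; do
        # Field 1 of ls -ld is the mode string, field 3 the owner (POSIX ls -l).
        perms=$(ls -ld "$dir" | awk '{print $1}')
        owner=$(ls -ld "$dir" | awk '{print $3}')
        g_w=$(printf '%s' "$perms" | cut -c6)   # group write bit
        o_w=$(printf '%s' "$perms" | cut -c9)   # other write bit
        if [ "$owner" != "$owner_expected" ]; then
            echo "not owned by $owner_expected: $dir (owner $owner)"
            status=1
        fi
        if [ "$g_w" = w ] || [ "$o_w" = w ]; then
            echo "group/world writable: $dir ($perms)"
            status=1
        fi
        if [ "$dir" = "$stop" ] || [ "$dir" = / ]; then
            break
        fi
        dir=$(dirname "$dir")
    done
    return $status
}

# Usage on the real host (as root), with the assumed account mick:
#   sftp_chroot_config sftponly >> /etc/ssh/sshd_config
#   check_chroot_chain /home/mick && echo "chroot chain OK"
```

Because the jail root itself must be root-owned and not writable by the user, the user cannot create files directly in %h; the usual pattern is a root-owned home with a user-owned subdirectory (for example an "upload" directory) that the user writes into. Inside the jail, directory listings and "cd" in an SFTP client such as WinSCP are handled by internal-sftp, so the restricted-shell "cd: restricted" problem from earlier in the thread does not arise.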