topic user capabilities (restricting commands) in Operating System - HP-UX

user capabilities (restricting commands)

Stephen Badgett — Tue, 17 Feb 2004 13:34:05 GMT

I need to create a user that has a lot of restrictions. I want this user to not be able to do commands like "ls".

umask in the dot profile does seem to set the capabilities for this user to have have write permissions on files this user creates and I used SAM to create this user with the rsh as there shell but I do not the talent to go further.

help,
Steve

Re: user capabilities (restricting commands)

Steven E. Protter — Tue, 17 Feb 2004 13:38:07 GMT

ls is a pretty basic command but:

put the user in a special group.

whence ls

gives you the lcoation of ls

chmod o-x ls

No users outside the root group will not be able to use ls.

For a finer level of control you;ll need ACL

OR:

rsh shell

That user will only get the commands you give and can not cd up the directory tree. They are in a chroot jail

create a chroot user. Less restrictive shell but same basic concept, can't get out of choot jail, can only get commmands you give.

I'd copy the commands into /home/username/bin for example.

SEP

Re: user capabilities (restricting commands)

Sridhar Bhaskarla — Tue, 17 Feb 2004 13:47:40 GMT

Hi Steve,

You an use '/usr/bin/rsh' the restricted shell that can be customized to allow the user to do |not to do what you want.

Configure the user with the shell /usr/bin/rsh. Create a profile for this user with only the following statement.

PATH=/usr/restrict/bin

Change the ownership of the .profile to root:root with 400 permissions.

Now copy only the executables that you want the user to run in /usr/restrict/bin. For ex., if you want the user to run only ftp then 'cp /usr/bin/ftp /usr/restrict/bin/ftp'. With this configuration the user can only run ftp on the system.

Rest is upto your choice.

-Sri

Re: user capabilities (restricting commands)

Stephen Badgett — Tue, 17 Feb 2004 14:39:28 GMT

thank you for your reply Sri

I gave the user 'usr/bin/rsh' and created the .profile with the PATH=/usr/restrict/bin and copied what I want this user to exec into a /usr/restrict/bin and login as that user fine. But, this users is still able to do commands like ls. I echo'd the PATH from the command line and the PATH was long like a regular user. I though by create a .profile with a PATH statement would replace the PATH with the new one.

Re: user capabilities (restricting commands)

Stephen Badgett — Tue, 17 Feb 2004 15:04:05 GMT

Steven

I am also looking at you reply too.

Steve

Re: user capabilities (restricting commands)

Stephen Badgett — Tue, 17 Feb 2004 17:12:01 GMT

I started over again and it seem that I got the PATH statement to show just the new PATH.

Thanks for you help
Steve

Re: user capabilities (restricting commands)

Andrew Cowan — Wed, 18 Feb 2004 03:35:28 GMT

You could install and configure sudo, then put the user in its own group, and give it the fewest possible privileges (as outlined above).

Now you could setup very specific jobs in sudo, perhaps via a shell-script menu. Its not foolproof but will greatly restrict what this user can do, whilst providing an audit trail.

Re: user capabilities (restricting commands)

Karthik S S — Wed, 18 Feb 2004 03:42:30 GMT

sudo can give you finer level of control for what you need.

www.courtesan.com/sudo

-Karthik S S

Re: user capabilities (restricting commands)

Stephen Badgett — Wed, 18 Feb 2004 11:44:50 GMT

thank you Andrew and Karthik,

Thank you both, I will also look into what sudo is and can do.

Steve