<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Limiting user logon and always running script as root in Operating System - HP-UX</title>
    <link>https://community.hpe.com/t5/operating-system-hp-ux/limiting-user-logon-and-always-running-script-as-root/m-p/2495164#M20024</link>
    <description>Another possible solution is to specify the script as the user's login shell in the /etc/passwd file.  For example:&lt;BR /&gt;&lt;BR /&gt;guest1::26669:66:Guest1:/home/guest1:/bin/guestscript&lt;BR /&gt;&lt;BR /&gt;Then you'll have to add the script pathname to the /etc/shells file so that login will recognize it as a valid login shell...&lt;BR /&gt;&lt;BR /&gt;/etc/shells:&lt;BR /&gt;/sbin/sh&lt;BR /&gt;/bin/sh&lt;BR /&gt;/bin/csh&lt;BR /&gt;/bin/ksh&lt;BR /&gt;/bin/guestscript&lt;BR /&gt;&lt;BR /&gt;When the user logs in, the login process fork/execs the script.  When the script exits, the login session is terminated.&lt;BR /&gt;&lt;BR /&gt;To make the script execute with root permission, make it owned by root and turn on the setuid bit...&lt;BR /&gt;&lt;BR /&gt;chown root /bin/guestscript&lt;BR /&gt;chmod +s   /bin/guestscript&lt;BR /&gt;&lt;BR /&gt;-sam</description>
    <pubDate>Fri, 16 Feb 2001 23:52:16 GMT</pubDate>
    <dc:creator>Sam Nicholls</dc:creator>
    <dc:date>2001-02-16T23:52:16Z</dc:date>
    <item>
      <title>Limiting user logon and always running script as root</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/limiting-user-logon-and-always-running-script-as-root/m-p/2495162#M20022</link>
      <description>Hey Gang, &lt;BR /&gt;&lt;BR /&gt;This is a two fold question which, hopefully, is not too tough.&lt;BR /&gt;&lt;BR /&gt;First, I want to set a user up so that ...&lt;BR /&gt;&lt;BR /&gt;a) His root directory is the home/username directory.  I tried adding the "home/username/./:" to the /etc/passwd file, but it does not work.  I want the user limited to his directory and subdirectories ONLY.&lt;BR /&gt;&lt;BR /&gt;b) If possible, I would also like to limit this user to being able to do nothing but login, run a script, see the input from the script and  enter "yes" or "no" to a prompt.  Nothing else.&lt;BR /&gt;&lt;BR /&gt;Second ...&lt;BR /&gt;I would like the script he starts to run as root, although the non-root user account needs to start the script and he needs (obviously) LESS than root permissions.&lt;BR /&gt;&lt;BR /&gt;Thanks again for all the help!&lt;BR /&gt;Mike</description>
      <pubDate>Fri, 16 Feb 2001 23:02:24 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/limiting-user-logon-and-always-running-script-as-root/m-p/2495162#M20022</guid>
      <dc:creator>Mike Rightmire</dc:creator>
      <dc:date>2001-02-16T23:02:24Z</dc:date>
    </item>
    <item>
      <title>Re: Limiting user logon and always running script as root</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/limiting-user-logon-and-always-running-script-as-root/m-p/2495163#M20023</link>
      <description>Couple of ideas.  You can force the user to run a restricted shell, /usr/bin/rsh; when the user is in a restricted shell they cannot change directories, environment variables etc.  As far as the script, you can change the last line in .profile to exec "script name" and that will execute the script.  To run it as root you will have to SUID it, which is not wise, but if you have to you have to.&lt;BR /&gt;&lt;BR /&gt;Hope This Helps!&lt;BR /&gt;&lt;BR /&gt;Rob</description>
      <pubDate>Fri, 16 Feb 2001 23:25:43 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/limiting-user-logon-and-always-running-script-as-root/m-p/2495163#M20023</guid>
      <dc:creator>Rob Smith</dc:creator>
      <dc:date>2001-02-16T23:25:43Z</dc:date>
    </item>
    <item>
      <title>Re: Limiting user logon and always running script as root</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/limiting-user-logon-and-always-running-script-as-root/m-p/2495164#M20024</link>
      <description>Another possible solution is to specify the script as the user's login shell in the /etc/passwd file.  For example:&lt;BR /&gt;&lt;BR /&gt;guest1::26669:66:Guest1:/home/guest1:/bin/guestscript&lt;BR /&gt;&lt;BR /&gt;Then you'll have to add the script pathname to the /etc/shells file so that login will recognize it as a valid login shell...&lt;BR /&gt;&lt;BR /&gt;/etc/shells:&lt;BR /&gt;/sbin/sh&lt;BR /&gt;/bin/sh&lt;BR /&gt;/bin/csh&lt;BR /&gt;/bin/ksh&lt;BR /&gt;/bin/guestscript&lt;BR /&gt;&lt;BR /&gt;When the user logs in, the login process fork/execs the script.  When the script exits, the login session is terminated.&lt;BR /&gt;&lt;BR /&gt;To make the script execute with root permission, make it owned by root and turn on the setuid bit...&lt;BR /&gt;&lt;BR /&gt;chown root /bin/guestscript&lt;BR /&gt;chmod +s   /bin/guestscript&lt;BR /&gt;&lt;BR /&gt;-sam</description>
      <pubDate>Fri, 16 Feb 2001 23:52:16 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/limiting-user-logon-and-always-running-script-as-root/m-p/2495164#M20024</guid>
      <dc:creator>Sam Nicholls</dc:creator>
      <dc:date>2001-02-16T23:52:16Z</dc:date>
    </item>
    <item>
      <title>Re: Limiting user logon and always running script as root</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/limiting-user-logon-and-always-running-script-as-root/m-p/2495165#M20025</link>
      <description>Dear Rob and Sam, &lt;BR /&gt;&lt;BR /&gt;Thanks for the great advice!  You are both right on target, however (unfortunately) you both got me half way there...and your answers SEEM to be mutually exclusive.&lt;BR /&gt;&lt;BR /&gt;I tried the rsh option, which worked fantastic for limiting the user, however for some reason it refuses to allow me to run the script.&lt;BR /&gt;&lt;BR /&gt;The script is running a command that can only be run by root, and needs to create logfiles in other directories.  I have the suid set so the command will run if the user is logged in with a regular shell and, I tried having the logfiles created in the restricted user's home directory, but the issue seems to be with the command which can only be run as root.  It does not want to run if invoked from the restricted shell.&lt;BR /&gt;&lt;BR /&gt;I also tried changing the passwd file so the script runs as the shell when the user logs on, but all I get when logging the user on is a "no shell" error.  I tried to add the path to the /etc/shells file (which did not exist, so I created it) but that did not work either.  As this is HP-UX 10.20, I wonder if there is not a "shells" file which it looks to so that would work.&lt;BR /&gt;&lt;BR /&gt;So, we are about half way there.  Any other suggestions to either get the above issues resolved, or a different route to the end result?&lt;BR /&gt;&lt;BR /&gt;Thanks again!&lt;BR /&gt;Mike</description>
      <pubDate>Tue, 20 Feb 2001 17:09:55 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/limiting-user-logon-and-always-running-script-as-root/m-p/2495165#M20025</guid>
      <dc:creator>Mike Rightmire</dc:creator>
      <dc:date>2001-02-20T17:09:55Z</dc:date>
    </item>
    <item>
      <title>Re: Limiting user logon and always running script as root</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/limiting-user-logon-and-always-running-script-as-root/m-p/2495166#M20026</link>
      <description>You could use sudo to do this.  Sudo allows you to set users up to run things with root privilege without actually giving out the root password.  You can download sudo at &lt;A href="http://hpux.cs.utah.edu/hppd/hpux/Sysadmin/sudo-1.6.2b1/" target="_blank"&gt;http://hpux.cs.utah.edu/hppd/hpux/Sysadmin/sudo-1.6.2b1/&lt;/A&gt;&lt;BR /&gt;&lt;BR /&gt;What you can do with this is have the user's shell set to the restricted shell.  Then have sudo set up so that the user can run the script.  At the shell prompt the user would enter 'sudo scriptname'.&lt;BR /&gt;&lt;BR /&gt;Another option would be to set up the .profile so that it will do an "exec sudo scriptname" and that way when the user gets done with the script the login will be terminated.</description>
      <pubDate>Tue, 20 Feb 2001 17:22:00 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/limiting-user-logon-and-always-running-script-as-root/m-p/2495166#M20026</guid>
      <dc:creator>Patrick Wallek</dc:creator>
      <dc:date>2001-02-20T17:22:00Z</dc:date>
    </item>
    <item>
      <title>Re: Limiting user logon and always running script as root</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/limiting-user-logon-and-always-running-script-as-root/m-p/2495167#M20027</link>
      <description>Hmmm...OK.  I got it to work, but I can't explain something.  Maybe you can help.&lt;BR /&gt;&lt;BR /&gt;I looked into SUDO, which looks like a fantastic solution, however I still need to play with it to see if I can get it functioning.&lt;BR /&gt;&lt;BR /&gt;I DID manage to get the script to run as the logon shell, which works exactly for what I need, however...I was not able to get it to function by editing the passwd file.&lt;BR /&gt;&lt;BR /&gt;When I changed the logon script in the /etc/passwd file to /home/username/scriptname, and then tried to logon, I got a 'no shell' error.&lt;BR /&gt;&lt;BR /&gt;If I went into SAM, removed the account, recreated the account (exactly the same) and placed the /home/username/scriptname THROUGH SAM as the logon shell, it worked great.&lt;BR /&gt;&lt;BR /&gt;Any explanations??!&lt;BR /&gt;&lt;BR /&gt;Thanks though for all the help!  I got it to work!&lt;BR /&gt;Mike</description>
      <pubDate>Tue, 20 Feb 2001 19:48:23 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/limiting-user-logon-and-always-running-script-as-root/m-p/2495167#M20027</guid>
      <dc:creator>Mike Rightmire</dc:creator>
      <dc:date>2001-02-20T19:48:23Z</dc:date>
    </item>
    <item>
      <title>Re: Limiting user logon and always running script as root</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/limiting-user-logon-and-always-running-script-as-root/m-p/2495168#M20028</link>
      <description>Mike,&lt;BR /&gt;&lt;BR /&gt;Has your system been converted to trusted?  I don't really understand why it worked via SAM but not via direct editing of /etc/passwd and /etc/shells.  On my non-trusted, 10.20 system, I was able to do it just like I detailed in my first reply.&lt;BR /&gt;&lt;BR /&gt;Maybe on trusted systems there is additional magic that must be done and SAM does it automatically.  Now that the magic appears to have been done, you may be able to add/modify additional users by editing /etc/passwd.&lt;BR /&gt;&lt;BR /&gt;-sam</description>
      <pubDate>Tue, 20 Feb 2001 23:20:12 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/limiting-user-logon-and-always-running-script-as-root/m-p/2495168#M20028</guid>
      <dc:creator>Sam Nicholls</dc:creator>
      <dc:date>2001-02-20T23:20:12Z</dc:date>
    </item>
    <item>
      <title>Re: Limiting user logon and always running script as root</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/limiting-user-logon-and-always-running-script-as-root/m-p/2495169#M20029</link>
      <description>Hey Sam, &lt;BR /&gt;&lt;BR /&gt;I really can't answer the question of whether the system has been converted to trusted, as I really just inherited them.&lt;BR /&gt;&lt;BR /&gt;How would I check?</description>
      <pubDate>Wed, 21 Feb 2001 19:24:43 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/limiting-user-logon-and-always-running-script-as-root/m-p/2495169#M20029</guid>
      <dc:creator>Mike Rightmire</dc:creator>
      <dc:date>2001-02-21T19:24:43Z</dc:date>
    </item>
  </channel>
</rss>

