topic Re: How to prevent a users from using a specific command in Operating System - HP-UX

How to prevent a users from using a specific command

Mouad_1 — Thu, 30 Jun 2005 04:59:33 GMT

How I can prohibit the use of a command by a user (for example tar) ?

Re: How to prevent a users from using a specific command

Pete Randall — Thu, 30 Jun 2005 05:02:46 GMT

Put an alias for tar in the user's .profile that points to a null command or write a wrapper script for tar that checks the userid before invoking the real tar.

Pete

Re: How to prevent a users from using a specific command

Mouad_1 — Thu, 30 Jun 2005 05:13:46 GMT

Thanks a lot Pete.
I put
alias tar=''
in the .profile of the users
It works fine.

Re: How to prevent a users from using a specific command

Pete Randall — Thu, 30 Jun 2005 05:29:44 GMT

The only problem with either approach is that a knowledgeable user can work around them by invoking the real tar with the full path name of the command. To be really secure, you would actually have to hide the real command somewhere else.

Pete

Re: How to prevent a users from using a specific command

Mouad_1 — Thu, 30 Jun 2005 05:46:57 GMT

You're right, but inserting these 2 line :
alias /sbin/tar='echo "not allowed : tar"'
alias tar='echo "not allowed : tar"'
into the .profile will do the jobs .

Re: How to prevent a users from using a specific command

Muthukumar_5 — Thu, 30 Jun 2005 06:35:52 GMT

You can control /sbin/tar execution by putting as,

alias /sbin/tar='echo "Not allowed : tar"'

# alias /sbin/tar='echo "not allowed : tar"'
sh: /sbin/tar=echo "not allowed : tar": Invalid alias name.

hth.

Re: How to prevent a users from using a specific command

Muthukumar_5 — Thu, 30 Jun 2005 06:42:30 GMT

Sorry. You can cannot control by putting /sbin/tar as an alias.

You can try with another way by writing a shell wrapper as,

mv /sbin/tar /sbin/tar.org

#!/bin/ksh

if [[ $LOGNAME = "" ]]
then
echo "Permission Denied"
exit 1
else
/sbin/tar.org $@
fi

exit 0
#

save this file as /sbin/tar with bin:bin -r-xr-xr-x permission.

hth.

Re: How to prevent a users from using a specific command

Mouad_1 — Thu, 30 Jun 2005 06:49:34 GMT

I've tried making alias for both command and its absolute path and it works !? :
$ tar cvf m.tar file*
not allowed : tar cvf m.tar file1 file2
$ /sbin/tar cvf m.tar file*
not allowed : tar cvf m.tar file1 file2

Anyway, reWriting the command with a script as you said seem to be a good idea. Thanks

Re: How to prevent a users from using a specific command

Roland Piette — Tue, 05 Jul 2005 08:09:18 GMT

Hi all

Nice to work with aliases but ..... it doesn't work in subshell.

I try this following under HP-UX 11.0 & 11i :

alias ls="ls -l"
ls
ksh
ls

The second ls doesn't give the same output !

I try also -x option in alias command ... same effect.

This solution is only valid in the current shell.

Best regards.
Roland

Re: How to prevent a users from using a specific command

Ralph Grothe — Tue, 05 Jul 2005 09:43:23 GMT

Maybe a bit far fetched,
but to really restrict a user and hinder him from issueing certain commands you would need to capture his login in a chroot or jail environment.
Another approach is followed by concepts like SELinux or role based access control (aka RBAC)
If you search www or knoledgebase on these topics with respect to HPUX I'm sure will find many howtos.

Re: How to prevent a users from using a specific command

Amit Agarwal_1 — Wed, 06 Jul 2005 00:17:32 GMT

Try setting ACL (access control list) for the binary. You can use setacl and getacl commamnds for the same. Please see manpage for more info.