topic Re: To restrict the PATH on UNIX. in Operating System - HP-UX

To restrict the PATH on UNIX.

Damián Sarmiento — Tue, 11 May 2010 15:09:11 GMT

Hi.

I´m trying to restrict the path in an user on Unix.
The user has a home directory in /dir1/dir2/dir3
The are more directorys and I need the user doesn´t join another directory.

Can anybody help me to do this?

My OS is HP-UX B.11.31 U ia64

Thanks.

Regards.

Re: To restrict the PATH on UNIX.

Sri_kanth — Tue, 11 May 2010 15:36:12 GMT

Hi,

For which directory you don't want to access the user you can set the permisstion for that directory,chmod 700

Re: To restrict the PATH on UNIX.

Dennis Handly — Tue, 11 May 2010 15:39:01 GMT

The restricted shells, rsh/rksh do not let you use cd. Nor specify files or paths with "/".

Re: To restrict the PATH on UNIX.

Damián Sarmiento — Tue, 11 May 2010 16:14:52 GMT

Hi Sri sam

I did that procedure but it wasnÂ´t successful.

# cd /tmp
# mkdir dir1
# cd dir1
# mkdir dir2
# cd dir2
# mkdir dir3
# groupadd prueba
# useradd unix
# ll
total 0
drwxr-xr-x 2 root sys 96 May 11 11:44 dir3
# chown unix:prueba dir3
# ll
total 0
drwxr-xr-x 2 unix prueba 96 May 11 11:44 dir3
# cd dir3
# mkdir dir4
# ll
total 0
drwxr-xr-x 2 root sys 96 May 11 11:45 dir4
# chgrp users dir4
# ll
total 0
drwxr-xr-x 2 root users 96 May 11 11:45 dir4
# chmod 770 dir4
# ll
total 0
drwxrwx--- 2 root users 96 May 11 11:45 dir4
# cd ../..
# chgrp users dir2
# chmod 770 dir2
# cd ..
# chgrp users dir1
# chmod 770 dir1

passwd file [/etc/passwd]:
unix:*:115:109::/tmp/dir1/dir2/dir3:/sbin/sh

group file [/etc/group]:
prueba::109:

But when I log in with the unix user, its home directory is in the / directory. I guess it is because the dir1 has 770 Permissions.

---------------------------------------------

Hi Dennis Handly.

Thanks for your response.
It works!

Thank you.

Regards. :)

Re: To restrict the PATH on UNIX.

Damián Sarmiento — Tue, 11 May 2010 16:53:28 GMT

Hi again.

I have a question about the rsh.
This shell does not allow to change any directory.
Is there a way to can change only in my path?
For example:
$ whoami
dsarmien
$ pwd
/home/dsarmien
$ ll
total 0
drwxr-xr-x 2 dsarmien users 96 May 11 12:47 dir1
$ cd dir1
$ ll
total 0
$ pwd
/home/dsarmien/dir1

But in other directorys the system would restrict the access?
$ cd /
rsh: cd: The operation is not allowed in a restricted shell.
$ cd ../..
rsh: cd: The operation is not allowed in a restricted shell.
$

Any idea?

Thanks.

DASM

Re: To restrict the PATH on UNIX.

Steven E. Protter — Tue, 11 May 2010 17:13:08 GMT

Shalom DASM,

1) You can restrict path all you like, the user however can change it back.

2) Your restricted shell is working correctly in your last post. The point is to prevent cd up to root.

3) You have a third option called chroot ssh. Secure Shell (openssh) for HP-UX comes with a script to create a chroot ssh environment, but the response to your cd commands in your last post will be identical.

SEP

Re: To restrict the PATH on UNIX.

Dennis Handly — Wed, 12 May 2010 07:10:37 GMT

>Is there a way to can change only in my path?

rsh allows you to create aliases or functions that can invoke an unrestricted cd.

What you need to do is put enough checking there. Or always insert $HOME in front.

Re: To restrict the PATH on UNIX.

Aneesh Mohan — Wed, 12 May 2010 07:15:36 GMT

Hi,

>>The are more directorys and I need the user doesnÂ´t join another directory.

You can create a jail and limit a particular user direcoties using chroot in /etc/passwd of the user.

or

Use
/opt/ssh/ssh_chroot_setup.sh

Aneesh

Re: To restrict the PATH on UNIX.

Suraj K Sankari — Wed, 12 May 2010 07:42:49 GMT

hi,
you need to implement chroot...

http://tldp.org/HOWTO/Chroot-BIND-HOWTO.html

Suraj

Re: To restrict the PATH on UNIX.

Damián Sarmiento — Wed, 12 May 2010 14:24:34 GMT

Hi Steven, Dennis, Aneesh and Suraj.
Thanks for your responses.

Dennis, please could you tell me how can I insert $HOME in front?
That procedure is in the .profile file?

I understand the chroot is an operation that changes the apparent disk root directory for the current running process and its children, but what do I need to change in /etc/passwd of the user?

I followed the instructions according http://tldp.org/HOWTO/Chroot-BIND-HOWTO-2.html but it was not successful.

Can anybody help me, please?

Thanks

DASM

Re: To restrict the PATH on UNIX.

Dennis Handly — Thu, 13 May 2010 08:29:43 GMT

>please could you tell me how can I insert $HOME in front? That procedure is in the .profile file?

It turns out it is less than ideal. You can't use aliasing nor functions. Nor can you use the name "cd".

If you set up a bin directory that doesn't allow write access to it or the files under it, you can create a script there called mycd:
#!/usr/bin/sh
cd $HOME/$1
exec /usr/bin/rsh

Then you can just use "mycd directory-path".

Unfortunately you will fork a new rsh each time you use this script:
yuk_rsh 10169 10166 -rsh
yuk_rsh 10185 10169 /usr/bin/rsh