topic customized shell in Operating System - HP-UX

customized shell

Zampo — Thu, 09 Mar 2006 09:11:39 GMT

Hi there!
I need to create a particular shell and assigne it to a particular user (only one in the system) writing it in the /etc/passwd file.
This shell is allowed to execute only these commands:
ls -l
cd
cat
And nothing else. Is it possible?
Any idea?

Thank you
Vale et valete
ZAMPO

Re: customized shell

James R. Ferguson — Thu, 09 Mar 2006 09:18:20 GMT

Hi :

What you need to do is setup the user with a "restricted" shell ('rsh'). See the 'sh-posix' manpages under the section headed "rsh Restrictions":

http://docs.hp.com/en/B2355-60127/sh-posix.1.html

Regards!

...JRF...

Re: customized shell

Jeff_Traigle — Thu, 09 Mar 2006 09:21:03 GMT

You want to configure restricted shell (/usr/bin/rsh) for them. Been a long time since I played with it though and I see no man page for it in 11.11, unfortunately. I seem to recall it required copying whatever executables you wanted the restricted user to use into a location they could access.

Re: customized shell

Jeff_Traigle — Thu, 09 Mar 2006 09:21:49 GMT

Ah... the man reference was somewhere obvious. :)

Re: customized shell

A. Clay Stephenson — Thu, 09 Mar 2006 09:31:40 GMT

rsh will not allow the cd command. I suppose my approach would be a small c program that parses stdin and exec()'s your 3 listed command.

Re: customized shell

Enrico Rossin — Thu, 09 Mar 2006 09:32:42 GMT

There are only a few settings that force a restricted shell user to stay in their restricted shell. If any of the steps to create a restricted user are in error or are later modified, the restricted user could gain access beyond what you are expecting. Since you have placed this user in a restricted shell, common sense says this is not a user you want snooping around your system. In order to understand the reason for these new settings, letâ s review the required steps for a restricted shell user:

1). The login shell listed in /etc/passwd is /usr/bin/rsh

2). The userâ s home directory must have permissions of 555

3). Create a bin directory in the userâ s home directory, also with permissions of 555

4). The userâ s .profile will have only one entry:

export PATH=/home/guest/bin

5). The permissions on the userâ s .profile will be 444 and owned by root/sys

6). Copy only the programs needed by the user to their bin directory

7). Add the user to the /etc/ftpd/ftpusers file

8). Restrict the user from other services using other configurable access control files

Re: customized shell

Bill Hassell — Thu, 09 Mar 2006 18:35:40 GMT

Actually, writing a small shell script with a simple menu will work. Your menu script will present the 3 (or more) commands in a list and if the command is not listed, the user has no access. Note that cd (unrestricted) may be too much of a privilege if this user is not well trained. Note that ls and cat can list any file from any directory where the user has permission. No need to cd. The restricted shell cannot cd outside the user's HOME directory.

Re: customized shell

Zampo — Tue, 14 Mar 2006 10:41:18 GMT

Many thanks to everyone!!!

Vale et valete
ZAMPO