topic Re: How to restrict user from issuing an rm command in HP-UX? in Operating System - HP-UX

How to restrict user from issuing an rm command in hpux?

chui_88 — Thu, 17 Oct 2013 11:03:53 GMT

Hi guys,

I would like to know whether i could restrict an user from issuing an rm command in our production servers. There is a common user used to login to our PROD servers, but we would like to restrict this user from issuing a rm command.

Please advice me how best i can achieve this.

Regards,

Chui

Re: How to restrict user from issuing an rm command in HP-UX?

Dennis Handly — Fri, 18 Oct 2013 22:51:43 GMT

What commands do you want to ALLOW? Would this allow using the restricted shell?

Would a chroot jail work for those users?

Re: How to restrict user from issuing an rm command in HP-UX?

chui_88 — Fri, 18 Oct 2013 10:21:18 GMT

Hi Dennis,

# rm command is not allow to used in shell prompt . No
Regards,
Chui

Re: How to restrict user from issuing an rm command in HP-UX?

Torsten. — Fri, 18 Oct 2013 11:18:20 GMT

Please tell more about the scenario.

"rm" is not the only method to delete a file.

Remember, the user can only delete files if he is the owner (of if he has write access).

Re: How to restrict user from issuing an rm command in HP-UX?

Dennis Handly — Fri, 18 Oct 2013 22:50:21 GMT

>"rm" is not the only method to delete a file.

Like deleting the contents. :-)

>the user can only delete files if he is the owner (of if he has write access).

Owner on the file is only important if sticky bit is set for a directory (like /tmp and /var/tmp).

Otherwise write access to the directory is enough.

Re: How to restrict user from issuing an rm command in HP-UX?

Bill Hassell — Sat, 19 Oct 2013 00:57:58 GMT

>> Remember, the user can only delete files if he is the owner (of if he has write access).

Actually, that isn't true at all. The file's protection (owner and permission) only cover the contents of the file.

The existence of a file is controlled by the directory, not the file.

A file that is owned by root and zero permissions but resides in a directory that allows write access for a user, the file can be renamed or removed.

As mentioned, the rm command is just one of many ways to destroy a file. If a user is improperly trained or careless, then the user should not be allowed to run a normal shell. The restricted shell is a possibility, but the ideal solution is a simple menu script that only allows certain actions. And of course this user can never be allowed to login with root privileges.

Re: How to restrict user from issuing an rm command in HP-UX?

chui_88 — Tue, 22 Oct 2013 10:42:22 GMT

Hi Bill,

The first step is to edit the file at .profile and then i add a line alias rm='/usr/bin/rm -i' as shown below.

# vi .profile
# @(#) $Revision: 74.2 $[H

# Default (example of) super-user's .profile file

# Do not put "." in PATH; it is a potential security breach.
# Do not put "/usr/local/bin" in PATH; it is a potential security breach.
# Example assumes /home/root exists.
set +u

PATH=/usr/sbin:$PATH:/sbin:/home/root:/usr/cd0
alias rm='/usr/bin/rm -i'

# Be sure that VUE does not invoke tty commands

if [ ! "$VUE" ]; then

# Set up the terminal:
if [ "$TERM" = "" ]
then
eval ` tset -s -Q -m ':?hp' `
else

Second step is to change a directory to cd /usr/bin and then issue a command chmod 400 rm as shown below.

-r-xr-xr-x 1 bin bin 81920 Feb 9 1999 rlog
-r-sr-xr-x 1 root bin 45056 Aug 3 1998 rlogin
-r-------- 2 bin bin 28672 Nov 7 1997 rm
-r-sr-sr-x 2 root mail 45056 Nov 7 1997 rmail

Last step is to run the command as shown below.

# rm chui
rm: chui non-existent

Any simple menu script that only certain user not allow to used the rm command?

Regards,
Chui

Re: How to restrict user from issuing an rm command in HP-UX?

Torsten. — Tue, 22 Oct 2013 13:07:49 GMT

What if I as a user run /sbin/rm ?

Re: How to restrict user from issuing an rm command in HP-UX?

Bill Hassell — Tue, 22 Oct 2013 13:55:49 GMT

>> Second step is to change a directory to cd /usr/bin and then issue a command chmod 400 rm as shown below.
>> -r-------- 2 bin bin 28672 Nov 7 1997 rm

You have just destroyed the rm command for every user including root. True, if root is logged in, then the root user may change the permission back again. However, there are dozens of programs and scripts that use the rm command and they will start failing once you do this.

Removing the rm command is the wrong way to fix the real issue. It will make your system very unreliable and still the untrained (untrustworthy?) user is free to use other commands to destroy files and directories. This user must not be allowed to logon to the system at all, or given a simple menu to perform their tasks.

Attached is a simple menu script. Replace the user's shell in /etc/passwd with this script. To add additional features, you'll need some scripting skills.