https://community.hpe.com/t5/operating-system-hp-ux/setacl-not-working-as-expected/m-p/3689650#M549533 The root filesystem is xvfs:<BR /><BR /># bdf /<BR />Filesystem kbytes used avail %used Mounted on<BR />/dev/vg00/lvol3 212992 138744 73808 65% /<BR /># fstyp /dev/vg00/lvol3<BR />vxfs<BR /><BR />I've now tried amending the ACL for /usr/bin/telnet. This has meant I can restrict access to the executable, and it seems to work in practice. Not very pretty, but it works. Guess I can do the same with the SSH exe.<BR /> Thu, 05 Jan 2006 10:46:44 GMT Robin King_1 2006-01-05T10:46:44Z https://community.hpe.com/t5/operating-system-hp-ux/setacl-not-working-as-expected/m-p/3689641#M549524 We're trying to stop a certain group from telneting/sshing out from a server. This is something that is done on Solaris within the firm, but this is the first time we're attempting it on HP-UX. <BR /><BR />They use setfacl on Solaris, I've used setacl on HP-UX. <BR /><BR />We're removed access to /dev/tcp and /dev/udp for a group called "hcl". <BR /><BR />Everything looks cool but doesn't have the desired affect. <BR /><BR />$ id<BR />uid=98512(username) gid=106(hcl) groups=20(users)<BR />$ groups<BR />hcl users<BR />$ getacl /dev/tcp<BR /># file: /dev/tcp<BR /># owner: root<BR /># group: root<BR />user::rw-<BR />group::rw-<BR />group:hcl:---<BR />class:rw-<BR />other:rw-<BR />$ telnet 10.216.34.12 2222<BR />Trying...<BR />Connected to 10.216.34.12.domain.com.<BR />Escape character is '^]'.<BR />SSH-1.99-OpenSSH_3.8p1<BR />CLOSE<BR />Protocol mismatch.<BR />Connection closed by foreign host.<BR /><BR />Here's how it works on Solaris: (group is called noaccess instead of hcl. <BR /><BR />$ id<BR />uid=69(username) gid=0(root)<BR />$ groups<BR />root noaccess<BR />$ getfacl /dev/tcp<BR /><BR /># file: /dev/tcp<BR /># owner: root<BR /># group: sys<BR />user::rw-<BR />group::rw- #effective:rw-<BR />group:noaccess:--- #effective:---<BR />mask:rw-<BR />other:rw-<BR />$ getfacl /dev/udp<BR /><BR /># file: /dev/udp<BR /># owner: root<BR /># group: sys<BR />user::rw-<BR />group::rw- #effective:rw-<BR />group:noaccess:--- #effective:---<BR />mask:rw-<BR />other:rw-<BR />$ telnet 10.216.34.12<BR />&lt;--- NOTE THAT AT THIS POINT, username CAN'T EVEN READ /dev/udp SO NAME LOOKUP FAILS<BR />10.216.34.12: Unknown host<BR />$ getfacl /dev/udp<BR /><BR /># file: /dev/udp<BR /># owner: root<BR /># group: sys<BR />user::rw-<BR />group::rw- #effective:rw-<BR />mask:rw-<BR />other:rw-<BR />$ telnet staupif1 2222 &lt;--- AT THIS POINT, /dev/udp IS READABLE BUT /dev/tcp IS NOT<BR />Trying 10.216.34.12...<BR />telnet: socket: Permission denied<BR /><BR />Any ideas why we're not seeing the expected results?<BR /> Mon, 12 Dec 2005 10:41:01 GMT https://community.hpe.com/t5/operating-system-hp-ux/setacl-not-working-as-expected/m-p/3689641#M549524 Robin King_1 2005-12-12T10:41:01Z https://community.hpe.com/t5/operating-system-hp-ux/setacl-not-working-as-expected/m-p/3689642#M549525 I noticed your user is part of more than the one "hcl" group...it is also part of the group "users"...you may want to limit their group membership to just the "hcl" group. Mon, 12 Dec 2005 15:53:51 GMT https://community.hpe.com/t5/operating-system-hp-ux/setacl-not-working-as-expected/m-p/3689642#M549525 Christine Hartman 2005-12-12T15:53:51Z https://community.hpe.com/t5/operating-system-hp-ux/setacl-not-working-as-expected/m-p/3689643#M549526 oops...I missed your groups line...disregard Mon, 12 Dec 2005 15:55:54 GMT https://community.hpe.com/t5/operating-system-hp-ux/setacl-not-working-as-expected/m-p/3689643#M549526 Christine Hartman 2005-12-12T15:55:54Z https://community.hpe.com/t5/operating-system-hp-ux/setacl-not-working-as-expected/m-p/3689644#M549527 I know you can use the swacl to restrict them from ssh..I'm not sure about telnet Mon, 12 Dec 2005 15:59:47 GMT https://community.hpe.com/t5/operating-system-hp-ux/setacl-not-working-as-expected/m-p/3689644#M549527 Christine Hartman 2005-12-12T15:59:47Z https://community.hpe.com/t5/operating-system-hp-ux/setacl-not-working-as-expected/m-p/3689645#M549528 use swacl (options) Secure_Shell...see manpage for swacl for the options that are appropriate<BR />I apologize for the broken up responses...I'm having some issues with the page refreshing and not going through. Mon, 12 Dec 2005 16:02:25 GMT https://community.hpe.com/t5/operating-system-hp-ux/setacl-not-working-as-expected/m-p/3689645#M549528 Christine Hartman 2005-12-12T16:02:25Z https://community.hpe.com/t5/operating-system-hp-ux/setacl-not-working-as-expected/m-p/3689646#M549529 I've not managed to find anything in the man pages about Secure Shell options. Any chance you can point me in the direction of the doc in question on the web? Tue, 20 Dec 2005 10:10:45 GMT https://community.hpe.com/t5/operating-system-hp-ux/setacl-not-working-as-expected/m-p/3689646#M549529 Robin King_1 2005-12-20T10:10:45Z https://community.hpe.com/t5/operating-system-hp-ux/setacl-not-working-as-expected/m-p/3689647#M549530 Had a chance to look at this again. Swacl doesn't really so what I need it to do, as far as I can tell that's just limiting access to the software, not the protocols. <BR /><BR />Still no idea why it's not working. Does the filesystem need to be explicitly set to allow ACL's? I've found another posting that mentioned trying "mount -o remount,acl /" But I can't find anything to suggest 'acl' is a valid mount switch. <BR /><BR /> Thu, 05 Jan 2006 06:01:49 GMT https://community.hpe.com/t5/operating-system-hp-ux/setacl-not-working-as-expected/m-p/3689647#M549530 Robin King_1 2006-01-05T06:01:49Z https://community.hpe.com/t5/operating-system-hp-ux/setacl-not-working-as-expected/m-p/3689648#M549531 Robin,<BR /><BR />on HP-UX you could even remove these device files whithout having the desired effect. They are simply not required for calling socket(2) or bind(2). So the the approach is not really promising.<BR /><BR />Best regards...<BR />Dietmar.<BR /><BR /> Thu, 05 Jan 2006 06:51:22 GMT https://community.hpe.com/t5/operating-system-hp-ux/setacl-not-working-as-expected/m-p/3689648#M549531 Dietmar Konermann 2006-01-05T06:51:22Z https://community.hpe.com/t5/operating-system-hp-ux/setacl-not-working-as-expected/m-p/3689649#M549532 man setacl says its only for JFS file system .Your root will be hfs , so probably it may not work on /dev directories.<BR /><BR /><BR /><BR />thx,<BR />bl. Thu, 05 Jan 2006 09:17:41 GMT https://community.hpe.com/t5/operating-system-hp-ux/setacl-not-working-as-expected/m-p/3689649#M549532 baiju_3 2006-01-05T09:17:41Z https://community.hpe.com/t5/operating-system-hp-ux/setacl-not-working-as-expected/m-p/3689650#M549533 The root filesystem is xvfs:<BR /><BR /># bdf /<BR />Filesystem kbytes used avail %used Mounted on<BR />/dev/vg00/lvol3 212992 138744 73808 65% /<BR /># fstyp /dev/vg00/lvol3<BR />vxfs<BR /><BR />I've now tried amending the ACL for /usr/bin/telnet. This has meant I can restrict access to the executable, and it seems to work in practice. Not very pretty, but it works. Guess I can do the same with the SSH exe.<BR /> Thu, 05 Jan 2006 10:46:44 GMT https://community.hpe.com/t5/operating-system-hp-ux/setacl-not-working-as-expected/m-p/3689650#M549533 Robin King_1 2006-01-05T10:46:44Z