topic Re: Create UNIX user with restrictions in Operating System - HP-UX

Create UNIX user with restrictions

Khurram Khan_1 — Fri, 26 Apr 2002 10:01:41 GMT

HI,

Would like to know how to create a UNIX user, who I only want to use omniback and shouldn't be bale to remove, delete, copy or anything else apart from logon to the system.

Regards

Khurram

Re: Create UNIX user with restrictions

Michael Albrecht — Fri, 26 Apr 2002 10:08:19 GMT

Hi ,

create a user with restricted shell
/bin/rsh

make a link in users home dir to Omniback start script xomni

Hope it helps
Michael

Re: Create UNIX user with restrictions

Khurram Khan_1 — Fri, 26 Apr 2002 10:11:27 GMT

Hi,

Do you mind listing the commands step by step, thanks.

Regards

Khurram

Re: Create UNIX user with restrictions

Sukant Naik — Fri, 26 Apr 2002 11:23:14 GMT

Hi Khurram,

Do you want the user to just run the xomni

............
/opt/omni/bin/xomni
exit

This will just invoke the xomni whenever he logins. The moment he closes the xomni, the exit will be executed and he will be logged out of the session.

Can anybody in the forum tell me, what are the threats which I will face with this...I mean can a user go to the shell prompt in any way.

- Sukant

Regards,

Sukant

Re: Create UNIX user with restrictions

Sukant Naik — Fri, 26 Apr 2002 11:23:25 GMT

Re: Create UNIX user with restrictions

Sukant Naik — Fri, 26 Apr 2002 11:25:03 GMT

Sorry for the incomplete answer which I sent earlier.

You need to add the entry in the .profile of that user.

- Sukant

Re: Create UNIX user with restrictions

Khurram Khan_1 — Fri, 26 Apr 2002 12:02:41 GMT

Hi,

The users will log into Omniback using Reflections, which means they log into unix first and then type xomni&. So need to make sure when they log into UNIX, they should have very restricted permissions to do anything at all apart from type in the command xomni and not be able to move, copy or delete anything.

Regards

Khurram

Re: Create UNIX user with restrictions

hpuxrox — Fri, 26 Apr 2002 12:05:26 GMT

ps -ef | grep X | grep -v grep | awk '{print $2}' | xargs kill -HUP

Re: Create UNIX user with restrictions

hpuxrox — Fri, 26 Apr 2002 12:08:45 GMT

Please disreguard my last post. I does't apply to this forum thread.

Thanks,

Re: Create UNIX user with restrictions

Tony Contratto — Fri, 26 Apr 2002 12:21:08 GMT

Hi Khurram,

I'm not sure about Reflection but with Exceed you can create a session that only starts a single specific X application. You may want to look into whether or not Reflection has this type of capability.

Tony

Re: Create UNIX user with restrictions

Frank Slootweg — Fri, 26 Apr 2002 12:51:36 GMT

> The users will log into Omniback using Reflections, which means they log into unix first and then type xomni&.

*Where* do they type "xomni&"? In a (hpterm/xterm) window? If so, how do they *get* that window? If automatically (i.e. by X/CDE/VUE), then just put the "xomni" (no "&") in the startup (.profile) of that user/window and an "exit" after it. That will give them a 'busy' window with which they can do nothing, and the desired OmniBack GUI. This setup is not hacker-proof, but should be sufficient for a person which can be trusted, but might *accidentily* get hirself in trouble.

Re: Create UNIX user with restrictions

Sukant Naik — Fri, 26 Apr 2002 13:16:05 GMT

This solution of updating the .profile has been given by me to many non-IT companies here for making them work only on their application and the moment the user is through with his application he is just logged out when he closed his application.

-Sukant

Re: Create UNIX user with restrictions

MANOJ SRIVASTAVA — Fri, 26 Apr 2002 13:26:49 GMT

Hi Khurram

Create a user normally , and edit /etc/passwd file and in the last field replace the shell by rsh .In the home direcoty of the user , edit the .profile with whatever command you want to give for running omni back.

Manoj Srivastava

Re: Create UNIX user with restrictions

Khurram Khan_1 — Fri, 26 Apr 2002 13:39:44 GMT

Hi,

Adding the rsh in the password file definately works, not too sure what I need to add in the .profile. The command to access omniback is xomni or xomni&, and the path is /opt/omni/bin. So please advise as to what command to enter in the .profile, thanks.

Regards

Khurram

Re: Create UNIX user with restrictions

MANOJ SRIVASTAVA — Fri, 26 Apr 2002 14:06:58 GMT

Hi Khurram

in the .profile

add export DISPLAY=
/opt/omni/bin/xomni

also please note that you might have to give omnibak group to this user , or change the group to 3 which that of the super user.

Manoj Srivastava

Re: Create UNIX user with restrictions

Khurram Khan_1 — Fri, 26 Apr 2002 14:22:25 GMT

Hi,

When I add the following:

export DISPLAY=194.60.97.70 (the IP for the DB server / UNIX server)
/opt/omni/bin/xomni

Now I get the error message:

Error: Can't open display: 194.60.97.70

The entry in the password file is as follows:
enduser:OVw7qGPBcfpBI:103:111:,,,:/home/enduser:/usr/bin/sh (if I change the sh to rsh, then I don't get anything at all)

The users are using Reflections to open a X terminal window, I would like to restrict them so that they can't change anything at UNIX.

Regards

Khurram

Re: Create UNIX user with restrictions

Gary Yu — Fri, 26 Apr 2002 14:25:38 GMT

another thing should do if you are using the .profile method is -- trap all interrupt signals at the first line of your .profile, otherwise, a user can quickly issue a 'Ctrl-C' when login (before login gets to your command in the .profile, often at the bottom) and break into command line mode.

You can test this by putting a 'sleep 30' in your profile before the line of user's script, and try to break it when login.

cheers,
Gary

Re: Create UNIX user with restrictions

Jacob_2 — Fri, 26 Apr 2002 14:26:31 GMT

Hi,

Assuming that the omni_user logs in from reflection.

create this user with a restricted shell and in his .profile, export his Display ( you may need to read the ipaddress of the PC from whereever this user logs in).
Also allow xomni& to be executed from the .profile.
To avoid the user from branching out to the shell , restrict him with TRAP.

In addition to this all omni executables ( /opt/omni/lbin,/opt/omni/bin) & configuration files ( /etc/opt/omni/*) may need to be given permissions for this user.
Just in case he needs to change the datalist or the schedules.

An alternative will be using SCM ( service control manager.

Re: Create UNIX user with restrictions

MANOJ SRIVASTAVA — Fri, 26 Apr 2002 14:29:09 GMT

Hi Khurram

I think I didnot make it clear , the IP that had to be exported is where the user is running the xomni and not that of the server .
Like i am using the desktop which has the reflection s/w loaded , i go to the dos prompt by typing command in the run mode in window , then i run a command ipconfig and get the IP address of the desktop . Also please modify the export DISPLAY as

export DISPLAY=aa.bb.cc.dd:0.0

Manoj Srivastava

Re: Create UNIX user with restrictions

Khurram Khan_1 — Fri, 26 Apr 2002 14:35:01 GMT

Hi,

May be I am not making it very clear, I will start from the very beginning:

The end users have different computers, so there IP addressses will not be statitc and are using windows NT. They log into UNIX using Refelections (X term), which after entering there name e.g. enduser, are asked to enter there password. Once that is complete they log into UNIX, and then they type in Xomni or Xomni& to access Omniback. I have already restricted access to Omniback, but not too sure how I can restrict the access to UNIX, as I don't want users to delete, move, copy or do anything at UNIX apart from type in Xomni or go to Omniback dirrectly. Whatever the advise, please list in detail the commands to be used, thanks.

Regards

Khurram