topic Re: Block specific command for a user in Operating System - HP-UX

Block specific command for a user

Chris Campbell 77 — Sat, 13 Feb 2010 03:02:33 GMT

We have a user called bnk and do not want this user to execute zcat and cpio. Is it possible to block specific commands to a specific user/group?

Re: Block specific command for a user

Dennis Handly — Sat, 13 Feb 2010 03:40:52 GMT

Not really. Not unless you replace these commands by a wrapper to check who is using them. And somehow hide the originals away.

Re: Block specific command for a user

Steven Schweda — Sat, 13 Feb 2010 05:32:02 GMT

> Not really. Not unless [...]

man acl

[...]
For example, the following optional access control list entries can be associated with our file:
[...]
(george.%,---)
Deny any access to user george in no specific group.
[...]

Why would this be a useful thing to do? What
damage could a normal user do with these
programs, which he could not do just as
easily with some other programs?

Re: Block specific command for a user

Chris Campbell 77 — Sat, 13 Feb 2010 05:55:57 GMT

My boss instruction....
Our application uses a user ID for the environment which the app runs.
The database is backed up using zcat and compressed. He wants to ensure if the user was ever compromised they could not extract the data using zcat and cpio. I told him to use crypt on the compressed files but doesnt think its secure enough.

Re: Block specific command for a user

Steven Schweda — Sat, 13 Feb 2010 15:40:02 GMT

> He wants to ensure [...]

And you can't do that with file permissions
on the data?

And the user can't bring in his own zcat
and/or cpio programs?

> [...] doesnt think its secure enough.

What would be? GnuPG is available. But who
would be doing the encryption? Who's trying
to hide what from whom?

As usual, it might be more helpful if you
described the actual problem which you are
trying to solve, rather than asking how to
implement some sub-ideal "solution".

Re: Block specific command for a user

Chris Campbell 77 — Wed, 17 Feb 2010 20:37:03 GMT

There is no problem.
Our backups are done with zcat and cpio via the app we are using . He wanted to know if the application account be restricted from extracting the data. Just wanted to know if it was possible to block maybe using a ACL.

Re: Block specific command for a user

Patrick Wallek — Wed, 17 Feb 2010 21:06:00 GMT

Does this same application account create the backups?

Are you wanting it to be able to back up the data with cpio and zcat, but not restore the data using the same commands?

Re: Block specific command for a user

Horia Chirculescu — Thu, 18 Feb 2010 13:25:25 GMT

Hello,

>Our backups are done with zcat and cpio via the app we are using . He wanted to know if the application account be restricted from extracting the data

If some account is used for creating the archive (with zcat), why bother to hide the resulting archive from the person using the same account? I mean if he can access the original data, it is pointless to deny access to some archive that would contain the same data.

Horia.