topic Re: New User ID Restriction in Operating System - HP-UX

New User ID Restriction

take2mir — Tue, 04 Dec 2007 02:21:11 GMT

I have a task to create a new id that going to used by vendor. The ID profiles are:
1)The ID to be created is MUST be restricted sharing.
2)create for their own user account
3)unable to read/navigate/view other directories
4)unable to write to other directories
able to create their own directory

Your cooperation is highly appreciated.
Thanks in advance

Re: New User ID Restriction

Bill Hassell — Tue, 04 Dec 2007 03:52:22 GMT

I think the requirements are very incomplete. What version of HP-UX are you using? A basic HP-UX system has only two user privileges, root and everyone else. You can control access by group and user level, but the term "other directories" is unclear.

I think you are describing what is called a chroot jail which is best implemented with the restricted shell: rsh or rksh. NOTE: this is difficult to setup because the user will have no access to any directory above $HOME. That means no commands like vi, etc unless a copy is stored in the user's $HOME.

You may have to create a user menu instead. The menu will then limit all commands and access.

Re: New User ID Restriction

Kapil Jha — Tue, 04 Dec 2007 04:18:39 GMT

For me also Restricted shell is the only good option.
Just search "restricted shell" in search
option of this forum.And you will get good information which may be useful to you.

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=876162
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=1086048
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=137882

BR,
Kapil

Re: New User ID Restriction

take2mir — Tue, 04 Dec 2007 04:45:48 GMT

I use HP-UX 11.11. I have tried to use rsh shell but it have limitation. I can not creat/add new user(correct me if i mistake).

Re: New User ID Restriction

Kapil Jha — Tue, 04 Dec 2007 05:00:11 GMT

sorry I did not understand your point.
Not able to create user.
You just create a new user and put its shell as ksh -r (r for restricted).

And your user would be having restricted access.
"man ksh"
BR,
Kapil

Re: New User ID Restriction

Dennis Handly — Tue, 04 Dec 2007 05:06:05 GMT

>Kapil: put its shell as ksh -r (r for restricted).

That's put its shell as /usr/bin/rsh or /usr/bin/rksh.

Re: New User ID Restriction

Kapil Jha — Tue, 04 Dec 2007 05:21:09 GMT

Hi Dennis

>>>That's put its shell as /usr/bin/rsh or /usr/bin/rksh.

from man page of ksh I have
-r If the -r option is present, the shell is a restricted shell

rksh Only
rksh is used to set up login names and execution environments where capabilities are more controlled than those of the standard shell. The actions of rksh are identical to those of ksh, except that the following are forbidden:

Are these thing are different???
Why ksh -r can put shell to /usr/bin/rsh (rsh is remote shell here like rloginn right or wrong).

I just used restricted shell once with ksh -r option and it worked fine.
BR,
Kapil

Re: New User ID Restriction

Dennis Handly — Tue, 04 Dec 2007 05:40:49 GMT

>Kapil: Are these thing are different???
Why ksh -r can put shell to /usr/bin/rsh

For the passwd entry, you can only provide the path of the shell but no options. So rsh or rksh is needed.

>(rsh is remote shell here like rlogin right or wrong).

No, rsh is the restricted Posix shell. remsh(1) is the remote shell. (On HP-UX)

>I just used restricted shell once with ksh -r option and it worked fine.

Sure but you can't add -r to /etc/passwd.

Re: New User ID Restriction

Kapil Jha — Tue, 04 Dec 2007 05:55:22 GMT

Yeh I remember now....i added in .profile I suppose.
Thanks for the clarification!!!!!
BR,
Kapil

Re: New User ID Restriction

take2mir — Wed, 05 Dec 2007 01:48:53 GMT

Emm..i mean that, when i used rsh shell, i can not add new user. For example my login id now is ncps01, using rsh shell. Then i want to add new user, ncps02. When i try to execute command 'useradd -m ncps02', it can not work.

Can both of you please give me the details step that should i take to make sure the new id that i created have the profile above?

Re: New User ID Restriction

Dennis Handly — Wed, 05 Dec 2007 02:19:49 GMT

>i mean that, when i used rsh shell, i can not add new user.

I'm not sure I see the connection between you as root and the users you are adding?

>For example my login id now is ncps01, using rsh shell. Then i want to add new user, ncps02. When i try to execute command 'useradd -m ncps02', it can not work.

You must be root to add more users and your shell must be /sbin/sh.

>Can both of you please give me the details step that should i take to make sure the new id that i created have the profile above?

I don't know if rsh will do all of the above but here is how to add it:
# useradd -m ncps02 -s /usr/bin/rsh

Re: New User ID Restriction

take2mir — Wed, 05 Dec 2007 02:55:36 GMT

I have tried. After creating a new directory, the ID is unable to navigate the just created directory.

Re: New User ID Restriction

Dennis Handly — Wed, 05 Dec 2007 04:59:49 GMT

>After creating a new directory, the ID is unable to navigate the just created directory.

Unfortunately rsh won't let the user change the directory.

Re: New User ID Restriction

take2mir — Wed, 05 Dec 2007 06:13:28 GMT

Is there any other options?

Re: New User ID Restriction

Dennis Handly — Wed, 05 Dec 2007 06:32:14 GMT

I think you are limited to what Bill mentioned.
Unless you can use ACLs, getacl(1) & setacl(1).

Re: New User ID Restriction

Kapil Jha — Wed, 05 Dec 2007 06:37:12 GMT

>>>1)The ID to be created is MUST be restricted sharing.
>>>2)create for their own user account
>>>3)unable to read/navigate/view other directories
>>>4)unable to write to other directories

u r not able to change directory i thinak thats what u want ur 3rd requirement.
It ful fill ur 4th requirement also.
BR,
Kapil

Re: New User ID Restriction

take2mir — Wed, 05 Dec 2007 06:45:15 GMT

Yup but not for his own created directory..

Re: New User ID Restriction

take2mir — Wed, 12 Dec 2007 09:16:43 GMT

Thank you folks