topic Restrict getting to Shell in Operating System - HP-UX

Restrict getting to Shell

KPS — Fri, 22 Feb 2008 16:02:47 GMT

Okay here's one I haven't seen before.

I'm dealing with an Application on our 11.23 (IA-64) system, that when a developer/user gets to a prompt within the Application to do things with code and such, all they have to do is type in a "!" and it exits them out to a shell. We want to prevent this if at all possible. They are a non-privliged user when they get out to a shell on the OS, but just the same, we want to restrict this if we can.

Is there anyway to prevent them from doing this that anyone could think of? We have tried a limiting this in sudo with the option of !SHELL, but it is not working.

Thanks in advance for any ideas anyone can provide!

KPS

Re: Restrict getting to Shell

James R. Ferguson — Fri, 22 Feb 2008 16:15:57 GMT

Hi:

Define the application (code file) as the program-to-use-as-the-shell (i.e. the last field) in '/etc/passwd'.

Regards!

...JRF...

Re: Restrict getting to Shell

KPS — Fri, 22 Feb 2008 16:36:25 GMT

We just tried this and that's not working for us.

The developer/user authenticates and gets put right into a wrapper program that we have that allows them to select an instance of the App.

With making that change to the /etc/passwd file login doesn't even give them our wrapper script anymore.

/KPS

Re: Restrict getting to Shell

KPS — Fri, 22 Feb 2008 16:40:03 GMT

We just tried this and that's not working for us.

The developer/user authenticates and gets put right into a wrapper program that we have that allows them to select an instance of the App.

With making that change to /etc/passwd it doesn't give them our wrapper script anymore to choose an instance of their preference within the Application.

/KPS

Re: Restrict getting to Shell

Michael Mike Reaser — Fri, 22 Feb 2008 18:33:44 GMT

If the application is allowing access to a shell simply by typing a "!" (similar to what can be done in, say, vi via ":!sh"), then the only answer is to work with the application developers to disable this functionality.

If the *APPLICATION* is allowing access to a shell, then the *APPLICATION* needs to be changed to not do so.

Re: Restrict getting to Shell

TTr — Fri, 22 Feb 2008 18:53:32 GMT

Try the following.

Create a shell wrapper that these application users would have as their shell in /etc/passwd. Lets say it is called app-sh. In it you put the following two lines

export SHELL=/usr/bin/false

test it and tweak as needed. You can also combine it with sudo if necessary. It works with vi, if you set the SHELL variable to /usr/bin/false and then run vi, you can not escape to the shell.

Re: Restrict getting to Shell

TTr — Fri, 22 Feb 2008 22:47:38 GMT

Let us know if it works. If your application uses the SHELL variable to determine which shell to use, it will work. Otherwise you have to find out if it is possible within the app to point it to /usr/bin/false.

Re: Restrict getting to Shell

KPS — Mon, 25 Feb 2008 15:50:20 GMT

We tried setting the shell to /home//<scriptname> again and that seems to be working for us to restrict Shell Access.. The user is not able to get out to a Shell any longer.

Many thanks to all of you for your suggestions.

/KPS