https://community.hpe.com/t5/operating-system-hp-ux/restricing-users-to-certain-directories/m-p/2531879#M758657 Hi,<BR /><BR />We have a number of users to log in to our HP-UX 11.00 systems to analyze log files. They only need to be able to read (not edit) the files in one directory. Can this be forced?<BR />I was thinking of setting there home directory to the logdir, and then somehow disabling the cd command.<BR />Does anyone know how to do this or maybe have better ideas on how to accomplish.<BR /><BR />Many thanks,<BR />Kevin Wed, 23 May 2001 12:23:34 GMT Kevin Moore_2 2001-05-23T12:23:34Z https://community.hpe.com/t5/operating-system-hp-ux/restricing-users-to-certain-directories/m-p/2531879#M758657 Hi,<BR /><BR />We have a number of users to log in to our HP-UX 11.00 systems to analyze log files. They only need to be able to read (not edit) the files in one directory. Can this be forced?<BR />I was thinking of setting there home directory to the logdir, and then somehow disabling the cd command.<BR />Does anyone know how to do this or maybe have better ideas on how to accomplish.<BR /><BR />Many thanks,<BR />Kevin Wed, 23 May 2001 12:23:34 GMT https://community.hpe.com/t5/operating-system-hp-ux/restricing-users-to-certain-directories/m-p/2531879#M758657 Kevin Moore_2 2001-05-23T12:23:34Z https://community.hpe.com/t5/operating-system-hp-ux/restricing-users-to-certain-directories/m-p/2531880#M758658 <BR />use the restricted shell (rsh), this disables the cd command completely. See man page on sh-posix for section on rsh<BR /> Wed, 23 May 2001 12:26:52 GMT https://community.hpe.com/t5/operating-system-hp-ux/restricing-users-to-certain-directories/m-p/2531880#M758658 Stefan Farrelly 2001-05-23T12:26:52Z https://community.hpe.com/t5/operating-system-hp-ux/restricing-users-to-certain-directories/m-p/2531881#M758659 yep, rsh is nice, but if the user is able to start another shell, then he's back free to go wherever he wants.<BR />regards,<BR />Thierry. Wed, 23 May 2001 12:37:35 GMT https://community.hpe.com/t5/operating-system-hp-ux/restricing-users-to-certain-directories/m-p/2531881#M758659 Thierry Poels_1 2001-05-23T12:37:35Z https://community.hpe.com/t5/operating-system-hp-ux/restricing-users-to-certain-directories/m-p/2531882#M758660 Thanks Stefan,<BR /><BR />rsh is a good start, but the users have a fair idea of whats going around. They can still view files using more /whatever/file.xxx<BR />It would be an impossible job to try and change permissions on all the files.<BR />What I am looking to do exactly, is let them view files in one directory, and nowhere else. I don't even want them to be able to ls<BR />I know it's probably a huge task, just looking for a place to start.<BR />I was originally thinking of using FMLI, but my HP TAM says it is not available on HP-UX<BR /><BR />Kevin Wed, 23 May 2001 12:41:52 GMT https://community.hpe.com/t5/operating-system-hp-ux/restricing-users-to-certain-directories/m-p/2531882#M758660 Kevin Moore_2 2001-05-23T12:41:52Z https://community.hpe.com/t5/operating-system-hp-ux/restricing-users-to-certain-directories/m-p/2531883#M758661 <BR />Instead of using rsh you can accomplish what you want simply with permissions. With the directory and files set to read only there is no way someone will be able to modify them. Wed, 23 May 2001 12:44:54 GMT https://community.hpe.com/t5/operating-system-hp-ux/restricing-users-to-certain-directories/m-p/2531883#M758661 Stefan Farrelly 2001-05-23T12:44:54Z https://community.hpe.com/t5/operating-system-hp-ux/restricing-users-to-certain-directories/m-p/2531884#M758662 None of the above solutions are perfect.<BR /><BR />The only real way of doing this is to force the user into a restricted chrooted environment.<BR /><BR />This can be done coding a login shell which chroot's the user to the area.<BR /><BR />Or, the easiest way is to do it via FTP and ftpaccess - this means the users will only be able to FTP in, but you can restrict them easily.<BR /><BR />FOr more details on this check the ftpaccess man page Wed, 23 May 2001 16:11:27 GMT https://community.hpe.com/t5/operating-system-hp-ux/restricing-users-to-certain-directories/m-p/2531884#M758662 David Lodge 2001-05-23T16:11:27Z https://community.hpe.com/t5/operating-system-hp-ux/restricing-users-to-certain-directories/m-p/2531885#M758663 Could you achieve your goal with their profile set to root to the log directory and then the shell they receive be the rsh? something like a passwd entry of <BR /><BR />usera:x:uid:gid:comment:/logdir:/usr/bin/rsh<BR /><BR />presupposes you are not using NIS (or NIS+) if there are multiple UNIX boxes in the domain.... Thu, 24 May 2001 00:03:29 GMT https://community.hpe.com/t5/operating-system-hp-ux/restricing-users-to-certain-directories/m-p/2531885#M758663 Mark Fenton 2001-05-24T00:03:29Z https://community.hpe.com/t5/operating-system-hp-ux/restricing-users-to-certain-directories/m-p/2531886#M758664 Thanks a million David,<BR /><BR />Your suggestion on chroot definetly looks like the right way to go. Don't suppose you know where there is good documentation on this, or an example of what I am try to do, as I haven't been able to find any.<BR /><BR />Thanks again for the great idea<BR />Kevin Thu, 24 May 2001 09:40:36 GMT https://community.hpe.com/t5/operating-system-hp-ux/restricing-users-to-certain-directories/m-p/2531886#M758664 Kevin Moore_2 2001-05-24T09:40:36Z