topic Re: user administration in Operating System - HP-UX

user administration

Roberto Gallis — Tue, 06 Feb 2001 08:46:23 GMT

Hi all,
I have to define users that can only work in their home directory. They cannot change directory (e.g. giving "cd /" or "cd ..")
What's the best way to do that? (using a special shell?)

Thank's all

Roberto

Re: user administration

Sandor Horvath_2 — Tue, 06 Feb 2001 09:11:06 GMT

Hi !

Try chroot command, but first see man chroot !

You need copy some files under new /

regars, Saa

Re: user administration

Alex Glennie — Tue, 06 Feb 2001 09:36:56 GMT

How can I restrict a user to limited functions on the
system?

Here are two possibilites:

1. If the user's shell is rksh, he is restricted to executing only
from the specified PATH, and is not allowed to change PATH. You
can create a subdirectory for PATH containing only the allowed
programs. Also, his working directory is limited to his home
directory, and he is not allowed to change directory with cd.

See man 1M rksh.

2. You can write a custom script or program and run it from
profile., limiting the user to whatever you like.

Re: user administration

Gerard Leclercq — Wed, 07 Feb 2001 08:48:52 GMT

Hello,

Just a note on rksh.
It is not 100% safe if your application can change directory and run a shell.

Try this :

- Log a user with the shell rksh
- run vi
- :cd /tmp (change directory)
- :sh (open a shell)
- It is as if you have a normal shell in that directory.

Bye
Gerard

Re: user administration

Gerard Leclercq — Thu, 08 Feb 2001 09:00:47 GMT

Hello again,

I am just thinking another possibility : ACL (Access Control List)
This is an extension of unix file permissions.
ACL permits you to put any permissions for any user on any file.

You just have to disallow permission to access directory to the
users to be restricted.

The problem is not to forget to disallow permission to new data
disks you add to your system (Physically or by NFS)

Bye
Gerard

Re: user administration

melvyn burnard — Thu, 08 Feb 2001 09:07:00 GMT

Unfortunately ACL's are not supported on JFS file systems, unless you upgrade to JFS 3.3 (available via the http://www.software.hp.com site)
Other than that, only HFS file systems will support ACL.

Re: user administration

Steven Sim Kok Leong — Thu, 08 Feb 2001 10:34:18 GMT

Hi,

You can also try replacing the existing shell in /etc/passwd eg. replace /usr/bin/ksh with /usr/bin/newksh.

==
/usr/bin/newksh
#!/sbin/sh
trap "" 1 2 3
if ! echo $* |grep -e "cd .." -e "cd / " >/dev/null 2>/dev/null
then
/usr/bin/ksh $*
trap 1 2 3
==

Note that you will need to extend the script to take care of wildcard characters.

Hope this helps.

Steven Sim Kok Leong
Brainbench MVP for Unix Admin
http://www.brainbench.com

Re: user administration

Steven Sim Kok Leong — Thu, 08 Feb 2001 10:36:59 GMT

Hi,

/usr/bin/newksh is the script name, not part of the script. Typo.

/usr/bin/newksh:
==
#!/sbin/sh
trap "" 1 2 3
if ! echo $* |grep -e "cd .." -e "cd / " >/dev/null 2>/dev/null
then
/usr/bin/ksh $*
trap 1 2 3
==

Hope this helps. Regards.

Steven Sim Kok Leong
Brainbench MVP for Unix Admin
http://www.brainbench.com

Re: user administration

Roberto Gallis — Thu, 08 Feb 2001 11:44:02 GMT

haihaihaihai!!!!

sintax error at line 4
in the script...
maybe the word "then"...

??

Re: user administration

Roberto Gallis — Thu, 08 Feb 2001 11:45:25 GMT

ok

adding fi is working...

regards
Roberto

Re: user administration

Steven Sim Kok Leong — Thu, 08 Feb 2001 13:35:57 GMT

Hi,

Forgot about the looping part. In order to emulate a shell interpreter more correctly, a loop is needed. Note however that limitations exist with the emulated shell.

Have not tested this script out. Some refinement will definitely be needed.

==
#!/sbin/sh
trap "" 1 2 3
echo -e "`pwd`> \c"
read command
while [ "$command" != "exit" ]
do
if ! echo $command |grep -e 'cd ..' -e 'cd / ' >/dev/null 2>/dev/null
then
/usr/bin/ksh $command
fi
echo -e "`pwd`> \c"
read command
done
trap 1 2 3
==

Steven Sim Kok Leong
Brainbench MVP for Unix Admin
http://www.brainbench.com

Re: user administration

Roberto Gallis — Thu, 08 Feb 2001 14:07:21 GMT

Hey guys...
the new shell does not work correctly...
maybe is more useful rksh..

Regards

Roberto

Re: user administration

Steven Sim Kok Leong — Fri, 09 Feb 2001 02:21:31 GMT

Hi,

Finally got some time to test out my script and refine it properly. This is a working and tested script. Both the script and test results are inserted below.

A) The script /usr/bin/newksh itself:
===========================================
#!/sbin/sh
trap "" 1 2 3
echo "`pwd` > \c"
read command
while [ "$command" != "exit" ]
do
if echo $command|grep ';' >/dev/null 2>/dev/null
then
echo You are not allowed to run compound statements.
elif [ "`echo $command|cut -d\ -f1`" != "cd" ]
then
case $command in
sh|csh|ksh|./sh|./csh|./ksh|/sbin/sh|/bin/sh|/bin/csh|/bin/ksh|/usr/bin/sh|usr/bin/csh|/usr/bin/ksh) echo You are not allowed to run a new shell in restricted mode.;;
*) ksh -c "$command";;
esac
else
dir=`echo $command|cut -d\ -f2`
case $dir in
'..'|'/') echo You are not allowed to cd to $dir.;;
'cd') cd $HOME;;
*) cd $dir;;
esac
fi
echo "`pwd` > \c"
read command
done
trap 1 2 3
===========================================

B) Following is how you should vipw your /etc/passwd:
==========================================
# grep abc /etc/passwd
abc:*:102:20::/home/abc:/usr/bin/newksh
===========================================

C) Test results using the abc account:
===========================================
# su - abc
/home/abc > pwd
/home/abc
/home/abc > ls
a b
/home/abc >
/home/abc > cd b
/home/abc/b > ls -la
total 0
drwxr-xr-x 2 abc users 96 Feb 9 09:58 .
drwxr-xr-x 3 abc sys 96 Feb 9 09:59 ..
/home/abc/b > touch c
/home/abc/b > ls -la
total 0
drwxr-xr-x 2 abc users 96 Feb 9 10:13 .
drwxr-xr-x 3 abc sys 96 Feb 9 09:59 ..
-rw-r--r-- 1 abc users 0 Feb 9 10:13 c
/home/abc/b > rm c
/home/abc/b > ls -la
total 0
drwxr-xr-x 2 abc users 96 Feb 9 10:13 .
drwxr-xr-x 3 abc sys 96 Feb 9 09:59 ..
/home/abc/b > cd /
You are not allowed to cd to /.
/home/abc/b > cd ..
You are not allowed to cd to ...
/home/abc/b > /usr/bin/ksh
You are not allowed to run a new shell in restricted mode.
/home/abc/b > ls; /usr/bin/ksh
You are not allowed to run compound statements.
/home/abc/b > cd /usr/bin
/usr/bin > ksh
You are not allowed to run a new shell in restricted mode.
/usr/bin > ./ksh
You are not allowed to run a new shell in restricted mode.
/usr/bin > exit
logout
===========================================

Hope this helps. Regards.

Steven Sim Kok Leong
Brainbench MVP for Unix Admin
http://www.brainbench.com

Re: user administration

Glen Liu — Fri, 09 Feb 2001 19:16:44 GMT

If I generate a file named "echo" in /home/abc with below content...

/usr/bin/sh

and make it excutable...

Guess what??

Re: user administration

Dan Hetzel — Sat, 10 Feb 2001 10:42:59 GMT

Hi Gang,

I don't understand the need of re-inventing the wheel as the "restricted shells" are the tools you're looking for (rsh, rksh).

You can further restrict your users ability to start applications with a pre-defined PATH that they won't be allowed to change.
Depending on what kind of applications those users should run, you could create a restricted bin directory with a copy of all those 'safe' applications.

Cheers,

Dan

Re: user administration

Steven Sim Kok Leong — Sat, 10 Feb 2001 17:47:08 GMT

Hi,

Yeap, a script with a shell interpreter embedded as one of its commands will allow the restrictions to be bypassed. Thanks for pointing this out. The emulated shell is not perfect yet. A further control can be inserted to check for the existence of the shell interpreter in any script before executing it in an emulated shell.

I agree with Dan that we should stick with rsh and rksh if we do not want the user to access any files beyond his own home directory. A "cd /" will be blocked by rsh or rksh.

However, both rksh or rsh do not disallow the execution of "cd .." from a subdirectory in a user's home directory. I was taking the original query apart whereby the user has to be blocked from running "cd ..".

To block "cd ..", I wrote this script, out of pure fun. I believe I am trying to re-invent a big part of the wheel in order to take care of the small part ie. "cd ..". But it was nevertheless interesting to try emulating a shell via a script and identify the controls necessary and the loopholes to consider. :)

Thanks. Regards.

Steven Sim Kok Leong
Brainbench MVP for Unix Admin
http://www.brainbench.com