topic Re: Limiting a Path for a user with rksh in Operating System - HP-UX

Limiting a Path for a user with rksh

Victor Prasad — Thu, 24 Oct 2002 13:00:16 GMT

Hello,

I have 10 users, each with their own Unix ID going to this directory
under rksh:

+test1::0:0:test1 tester:/files/legal/output:/bin/rksh
+test2::0:0:test2 tester:/files/legal/output:/bin/rksh
+test3::0:0:test3 tester:/files/legal/output:/bin/rksh
+test4::0:0:test4 tester:/files/legal/output:/bin/rksh
etc...10

rksh prevent change of directory - but they still have access to
everything in their path.

Is there a way to put a .profile file or something that would alter
the path so they could not use everything in their path?

I tried this:

PATH=`echo "$PATH" | sed 's=:/usr/tools/bin:=:=g'`
export PATH

in a .profile file but would that not have to be shared by all users,
or 1 created for each? How would I get this .profile to execute for
each user?

Or any other suggestions?

The path:

echo $PATH
/home/test1/bin:/usr/tools/bin:/usr/bin:/opt/corp/bin:

This path is defaulted for everyone - and I am not sure where it is
assigned.

I just want to restrict users who have logged into
/files/legal/output:/bin/rksh
to NOT have access /usr/tools/bin.

Help?

Thanks,

V

Re: Limiting a Path for a user with rksh

MANOJ SRIVASTAVA — Thu, 24 Oct 2002 13:24:04 GMT

Hi V

May be this can help :

10.3.1 Restricted Shell
The restricted shell is designed to put the user into an environment where his or her ability to move around and write files is severely limited. It's usually used for "guest" accounts. You can make a user's login shell restricted by putting rksh or ksh -r in the user's /etc/passwd entry.

The specific constraints imposed by the restricted shell disallow the user from doing the following:

Changing working directories: cd is inoperative. If you try to use it, you will get the error message "ksh: cd: restricted".

Redirecting output to a file: the redirectors >, >|, <>, and >> are not allowed.

Assigning a new value to the environment variables SHELL, ENV, or PATH.

Specifying any pathnames with slashes (/) in them. The shell will treat files outside of the current directory as "not found."

These restrictions go into effect after the user's .profile and environment files are run.

This means that the restricted shell user's entire environment is set up in .profile. Since the user can't overwrite that file, this lets the system administrator configure the environment as he or she sees fit.

Two common ways of setting up such environments are to set up a directory of "safe" commands and have that directory be the only one in PATH, and to set up a command menu from which the user can't escape without exiting the shell.

you may also look at :
http://nevada.tpi.pl/books/b022/ch10_03.htm

and

http://google.yahoo.com/bin/query?p=restrict+ls+in+rksh&hc=0&hs=0

All the best .

Manoj Srivastava

Re: Limiting a Path for a user with rksh

Victor Prasad — Thu, 24 Oct 2002 15:06:59 GMT

Thank you for the info.

1) where would I find the ENV info?

2) Since there are 10 (or more users) going into this directory - I woulld have to have a separate .profile for each? Or once the login - is the .profile for that directory execusted?
Please can the users not alter their .profile or chmod it?

Thanks,

V

Re: Limiting a Path for a user with rksh

MANOJ SRIVASTAVA — Thu, 24 Oct 2002 16:08:12 GMT

Hi Victor

For the users you need to find a comman command set like ls , rm etc and copy these commands in a subdirecorty which become the path in the .profile of the users login home ( restricted etc ) now once this is excuted the user can only run the commnads set up in that directory.

Manoj Srivastava

Re: Limiting a Path for a user with rksh

Victor Prasad — Fri, 25 Oct 2002 13:42:14 GMT

Thanks for the info yet again!

The problem I having is, users are setup to go to a directory - there is no .profile in that directory. I think they get their defaulted path from /etc a file called PATH. But this PATH is used for many other users. Unfortunately - I cannot change the directory /files/legal/output either.

I was also thinking of these ideas:

1) Could I change this directory to be ftp only? If so - how?

2) Could I change the the login to have the path be altered first then send them to the directory?

i.e.

Instead of +test1::0:0:test1 tester:/files/legal/output:/bin/rksh
send them to +test1::0:0:test1 tester:/files/legal/output:/bin/SCRIPT

Where the SCRIPT changes the path and gives them rksh access?

I am really not sure how to do that - if it is possible.

Any other suggestions?

Thanks for your help and time,

V

Re: Limiting a Path for a user with rksh

harry d brown jr — Fri, 25 Oct 2002 14:04:49 GMT

Victor,

One way to restrict what commands a user has access to is to give them access to a path that contains only the commands you have given them acess to, but man that has got to be painfully a manual process. The biggest problem is that many commands rely on the existence of others. Why not just give them access to a menu that gives them access to commands.

live free or die
harry

Re: Limiting a Path for a user with rksh

MANOJ SRIVASTAVA — Fri, 25 Oct 2002 14:13:49 GMT

For only restrctive FTP u need to do a man ftpdacees and a man chroot to know more seeting up toe xcite the command in .profile etc will not work in FTP because it doesnt work the way normal login works .

Manoj Srivastava