topic Re: Limit a user to a single program in Operating System - HP-UX

Limit a user to a single program

Tristan Savalle — Fri, 10 Aug 2001 07:39:40 GMT

On a HP-UX 10.20/11 system (with CDE), how can I limit a user to the execution of a single program.

This programs should be launched each time the user logs in (with CDE login screen or with telnet/rlogin/su command). It should be the only program available to the user (no Xterm, no CDE pannel, no other program...).

When the user exits the program, the Unix session should exit too.

Note that the program is a graphical program so if cannot execute (for instance, because DISPLAY is not set, or because terminal screen is not graphical), Unix session should exit immediatly.

Thanks.

--
Tristan Savalle

Re: Limit a user to a single program

Robin Wakefield — Fri, 10 Aug 2001 07:50:49 GMT

Hi,

You could try setting their login shell to be a wrapper script that, say, performs some environment checks, runs the program, then it will exit at the end and log the user out.

Rgds, Robin

Re: Limit a user to a single program

Andreas Voss — Fri, 10 Aug 2001 08:19:03 GMT

Hi,

here an unsupported procedure:

Change in /usr/dt/bin/Xsession the lines:

dtstart_session[0]="$DT_BINPATH/dtsession"
dtstart_session[1]="$HOME/.xsession"

to

dtstart_session[1]="$DT_BINPATH/dtsession"
dtstart_session[0]="$HOME/.xsession"

(this will change the order for Xsession for looking what session has to be started)

Now you have to create a file $HOME/.xsession in the user home directory with executable rights (chmod 755 $HOME/.xsession)

Copy /usr/dt/config/Xfailsave to $HOME/.xsession.

Within $HOME/.xsession change the line

${CDEDIR}/dtterm -ls

to your needs (your X-application should be started here).

Regards

Re: Limit a user to a single program

Joseph Chakkery — Fri, 10 Aug 2001 09:05:53 GMT

Hello,

My simple way could be put exec statement in .profile of user.

Let say user has to run xyz.exe, then last line of .profile of user should be
exec xyz.exe

So when he logs in it will directly go to program and when he comes out of that program, it logs him out.

Hope this may help u.

Regards
Joe.

Re: Limit a user to a single program

Rita C Workman — Fri, 10 Aug 2001 12:55:04 GMT

I tend to use the quick & easy method that Joseph mentioned.
I simply put the exec for what program I want them to run upon login into the users .profile...and I also add the command exit on the next line - so when they exit the program they are 'forced' out.

/rcw

Re: Limit a user to a single program

Magdi KAMAL — Fri, 10 Aug 2001 13:04:04 GMT

Hi Savalle,

just put the absolute path of this program as the shell script to that user in /etc/passwd.

you would also desactivate all interrupts in order that the user couldn't work arround what permissions you are setting.

Magdi

Re: Limit a user to a single program

Andrew Maslin — Fri, 10 Aug 2001 17:55:55 GMT

We have done the previous suggestion of executing the comman in the .profile. I would suggest trapping for errors in the .profile as well to prevent users from bypassing the controls you have in place (such as by pressing ctrl-c while the .profile is executing). I would just put the following command at the beginning of the .profile:
trap "echo error; exit 1" 1 2 3 4 5 6

Andy

Re: Limit a user to a single program

Joseph C. Denman — Fri, 10 Aug 2001 18:40:30 GMT

The above is good!!! Another thing to consider is that puting exit at the end of the .profile will not exit cde if you are not sourcing it. In the $HOME/.dtprofile make sure (usually the last line) states DTSOURCEPROFILE=TRUE. This forces cde to read the .profile.

As far as su???????? This will not work. However, the user should not have another account from which he can su. If he/she does, you should do the same with that account.

Also, I would chmod 755 $HOME/.profile $HOME/.dtprofile (assuming sh/ksh) and chown root:sys $HOME/.profile $HOME/.dtprofile.

Another thing I would do is add the user to /etc/ftpd/ftpusers

Just my thoughts.

...jcd...