Operating System - HP-UX

Re: Not able to use more within user control script

Dario_1
Trusted Contributor

Not able to use more within user control script

Hi Everyone!

I am working on a (POSIX shell) script that will control the users' access to a particular machine, where all the users will select from a menu and, based on that, they will only have access to their HOME directory and to a specific /workdirectory.

The script will also block some of the most dangerous commands like su, rm, rmdir, and will block the users from opening a new shell.

The only problem I have is that for all the users executing the script, some of the commands do not work correctly (more, pg, vi, and kill). The way the script works is running a few tests and when the command passes all of them it will get executed with the sh -c "$command".

I am using a new profile for the users with restricted access, but other than the regular env info, they get the Oracle part. All in the same profile.

Could this be the problem I am having? Is there a way to correct this situation?

Thank you for your help. The script is attached.

Regards,

DR
James R. Ferguson
Acclaimed Contributor
Solution

Re: Not able to use more within user control script

Hi Dario:

It would appear that setting up a "restricted" shell would be suitable for you.

Have a look at the 'sh-posix' man pages for more information.

Essentially you create a directory called '/usr/rbin' and copy into it the commands the user is allowed to execute. Make sure to add this directory to the user's PATH.

The biggest drawback to this mechanism is that file output redirection is prohibited.

Regards!

...JRF...
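The restricted-shell setup James describes, as an added example that is not part of the thread: a POSIX shell script that populates a command directory from a list, refusing any name that would hand the user an unrestricted shell back, and writes the profile that pins PATH to that directory. The directory under /tmp, the command list and the extra deny names are assumptions made for the example; on HP-UX the directory would be /usr/rbin and the login shell /usr/bin/rsh (the POSIX shell started with -r).

```shell
#!/usr/bin/sh
# Added example (not from the thread): provision a restricted-shell
# command directory and the matching .profile.  The directory, the
# command list and the deny names below are assumptions; on HP-UX the
# directory is conventionally /usr/rbin and the shell /usr/bin/rsh.

# Names that must never land in the restricted directory: anything that
# starts another shell, switches user or re-executes an arbitrary path
# gives the user an unrestricted shell again.
FORBIDDEN="sh ksh csh rsh remsh bash su sudo env nohup xargs"

is_forbidden() {
    for f in $FORBIDDEN; do
        [ "$1" = "$f" ] && return 0
    done
    return 1
}

# build_rbin RBIN cmd...: copy each command found on the current PATH
# into RBIN, skipping forbidden names, builtins and missing commands.
# Prints the names actually installed, one per line.
build_rbin() {
    rbin=$1
    shift
    mkdir -p "$rbin" && chmod 755 "$rbin" || return 1
    for c in "$@"; do
        if is_forbidden "$c"; then
            echo "refusing to install $c" >&2
            continue
        fi
        src=$(command -v "$c" 2>/dev/null) || { echo "$c: not found" >&2; continue; }
        case $src in
            /*) ;;
            *) echo "$c: shell builtin, nothing to copy" >&2; continue ;;
        esac
        cp "$src" "$rbin/$c" && chmod 755 "$rbin/$c" && echo "$c"
    done
}

# write_profile FILE RBIN: the .profile a restricted user gets.  The
# restricted shell enforces its restrictions only after .profile has been
# read, so this is where PATH is pinned.  The file must be owned by root
# and not writable by the user, otherwise the user simply edits it.
write_profile() {
    cat > "$1" <<EOF
PATH=$2
SHELL=/usr/bin/rsh
ENV=
export PATH SHELL ENV
readonly PATH SHELL ENV
umask 027
EOF
    chmod 644 "$1"
}

# Stand-alone run: build a throwaway tree under /tmp so no root is needed.
if [ -t 0 ]; then
    base=$(mktemp -d)
    build_rbin "$base/rbin" ls cat more vi pg sh su
    write_profile "$base/profile" "$base/rbin"
    echo "restricted tree built under $base"
fi
```

Two things a practitioner checks after running this: that the user's login shell really is the restricted shell (otherwise the profile is just advice), and that the editors and pagers copied in are understood to be escape hatches, since more and vi can each run a command from inside (`!` and `:!`). That escape goes through $SHELL, which is why the profile sets it to the restricted shell as well; what stays reachable from inside the editor is then whatever is on the restricted PATH, so keep that list short.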

Mark Greene_1
Honored Contributor

Re: Not able to use more within user control script

I just put the script on one of our L1000s running 11.0 and it worked fine. I tested it at the command line after I was already logged in, using ksh -x so I could see what was going on. No errors, and nothing unexpected. If I tried to pg a file that wasn't there, I got the standard "No such file or directory" message.

You may want to move the trap to the top of the script, so if there is a delay executing the commands currently ahead of it, there'll be no opportunity to break out of it.

Good luck,
mark
the future will be a lot like now, only later
Dario_1
Trusted Contributor

Re: Not able to use more within user control script

James / Mark:

Thank you for the answers. The problem I am having is that I do have to limit the use of some of the commands. For example, I can't allow any users to cd to any other directory than his/her home directory and all the directories within a file system, but the major problem here is the fact that the user is not able to use the more and vi commands, which creates a problem because all the users I have are programmers and they will need to view and/or edit the files.

Thank you again.

Regards,

DR
Yogeeraj_1
Honored Contributor

Re: Not able to use more within user control script

hi,

i have a similar script running at my site, and the main issues i came across were:

a. use of the "trap"
b. FTP access using the same user account.

good luck

regards
Yogeeraj
No person was ever honoured for what he received. Honour has been the reward for what he gave (Calvin Coolidge)
Massimo Bianchi
Honored Contributor

Re: Not able to use more within user control script

Hi Dario,
what exactly are the problems you are encountering?


Maybe a solution would be to copy vi, more, and so on and their libraries into a path in the new environment, and change the rights according to your needs, together with the restricted shell.

HTH,
Massimo

Dario_1
Trusted Contributor

Re: Not able to use more within user control script

Hi!!!

I found out that redirecting the errors to /dev/null was causing more and vi not to work correctly. The reason why I was redirecting was that every time the user presses the enter key, they get the following errors:

/usr/local/bin/newsh.sh[38]: test: Specify a parameter with this command.
/usr/local/bin/newsh.sh[50]: test: Specify a parameter with this command.
/usr/local/bin/newsh.sh[56]: test: Specify a parameter with this command.
/usr/local/bin/newsh.sh[63]: test: Specify a parameter with this command.
/usr/local/bin/newsh.sh[70]: test: Specify a parameter with this command.
/usr/local/bin/newsh.sh[76]: cd: A test command parameter is not valid.
/usr/local/bin/newsh.sh[90]: ..: A test command parameter is not valid.
usage: grep [-E|-F] [-c|-l|-q] [-bhinsvx] -e pattern_list...
[-f pattern_file...] [file...]
usage: grep [-E|-F] [-c|-l|-q] [-bhinsvx] [-e pattern_list...]
-f pattern_file... [file...]
usage: grep [-E|-F] [-c|-l|-q] [-bhinsvx] pattern [file...]
/usr/local/bin/newsh.sh[96]: test: Specify a parameter with this command.
/usr/local/bin/newsh.sh[99]: test: Specify a parameter with this command.
usage: grep [-E|-F] [-c|-l|-q] [-bhinsvx] -e pattern_list...
[-f pattern_file...] [file...]
usage: grep [-E|-F] [-c|-l|-q] [-bhinsvx] [-e pattern_list...]
-f pattern_file... [file...]
usage: grep [-E|-F] [-c|-l|-q] [-bhinsvx] pattern [file...]
You are not authorized to cd to

What I need to do is figure out how to interpret the enter function so I can make a test statement but only when the enter key is pressed.

Thank you for all your help.

Regards,

DR

Dario_1
Trusted Contributor

Re: Not able to use more within user control script

Guys:

It is working now. I made the following change:
OLD LINE:

if [ $command = $NOTHING ]

NEW LINE (the empty strings have to be quoted, or test sees too few parameters whenever $command is empty):

if [ "`echo $command | cut -d " " -f 1`" = "" -o "$command" = "" ]

I am not re-directing errors to /dev/null.

Thank you for all your help.

Regards,

DR
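Dario's empty-line test and Mark's advice to put the trap first, folded into one login wrapper as an added example that is not the script attached to the thread: it reads a line, treats a blank line as "prompt again" instead of running test on an empty string, keeps a short deny list (su, rm, rmdir and every shell it knows about), confines cd to the home and work trees, and runs the words directly rather than through `sh -c`, so the line is never reparsed by a second shell. The deny list, the WORKDIR default and the messages are assumptions made for the example.

```shell
#!/usr/bin/sh
# Added example (not the script attached to the thread): a login wrapper
# that reads one command line at a time, refuses blank input, blocks a
# deny list and confines cd, then runs the words directly instead of
# handing the line to `sh -c`.  WORKDIR and the deny list are assumptions.

trap '' INT QUIT TSTP      # first statement: no chance to break out before the loop
set -f                     # no globbing when a line is split into words

WORKDIR=${WORKDIR:-/work}  # assumed shared directory, like the thread's /workdirectory

# is_blank LINE: true when the user just pressed enter (only spaces/tabs).
is_blank() {
    [ -z "$(printf '%s' "$1" | tr -d ' \t')" ]
}

# gate_command LINE: 0 = run it, 1 = refused (reason on stderr),
# 2 = blank line, nothing to do.
gate_command() {
    is_blank "$1" && return 2
    # Any of these would let the line mean more than one command or
    # redirect output; refuse the whole line rather than try to parse it.
    case $1 in
        *[';|&$`()<>']*) echo "shell metacharacters are not allowed" >&2; return 1 ;;
    esac
    set -- $1                # split into words; $1 is now the program name
    cmd=${1##*/}             # /usr/bin/su is still su
    case $cmd in
        su|rm|rmdir|chsh|login|sh|ksh|csh|rsh|remsh|bash|env|nohup|xargs)
            echo "$cmd is not allowed" >&2; return 1 ;;
        # Builtins run inside this shell, so those that change its state
        # must be denied too.  No such list is ever complete; that is the
        # argument for the restricted shell instead of a wrapper.
        exec|eval|.|source|trap|set|unset|export|readonly)
            echo "$cmd is a shell builtin and is not allowed" >&2; return 1 ;;
        cd)
            target=${2:-$HOME}
            case $target in /*) ;; *) target=$PWD/$target ;; esac
            # ".." anywhere could climb out of the allowed trees; a plain
            # string check is easier to reason about than resolving it.
            case $target in
                *..*) echo "You are not authorized to cd to $target" >&2; return 1 ;;
                "$HOME"|"$HOME"/*|"$WORKDIR"|"$WORKDIR"/*) ;;
                *) echo "You are not authorized to cd to $target" >&2; return 1 ;;
            esac ;;
    esac
    return 0
}

# run_command LINE: cd has to happen in this shell to have any effect;
# everything else is run word by word, so no shell re-parses the line.
run_command() {
    set -- $1
    if [ "$1" = cd ]; then
        cd "${2:-$HOME}" || echo "cd to ${2:-$HOME} failed" >&2
    else
        "$@"
    fi
}

menu_loop() {
    while :; do
        printf '[%s] > ' "${PWD##*/}"
        IFS= read -r line || break    # EOF (^D) ends the session
        gate_command "$line"
        case $? in
            0) run_command "$line" ;;
            *) ;;                      # refused or blank: just prompt again
        esac
    done
}

# Only run the loop when attached to a terminal, i.e. when used as a login shell.
if [ -t 0 ]; then
    cd "$HOME" && menu_loop
fi
```

Installed as the user's login shell this gives the behaviour the thread asks for, but it is not a security boundary: more and vi can each start a command from inside (`!` and `:!`), the deny list can never be complete, and a programmer who can compile a file can run it from the home directory. The restricted shell James and Rodney point to is the mechanism built for this job; a wrapper like this one is a usability layer on top of it.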
Pete Randall
Outstanding Contributor

Re: Not able to use more within user control script

Give yourself a magic bunny, Dario - you're the one who solved it!! Good job!

Pete
Rodney Hills
Honored Contributor

Re: Not able to use more within user control script

There are tricks, within the shell, to escape a control script like the one you are providing.

The only true way to have a restrictive environment is to do as James said and use the restricted shell.

You could also look at "keysh". This shell provides a "controlled" command line input, although it is a very complicated system to configure.

Personal note-
It seems strange that you are restricting some of the more useful commands. With proper file/directory permissions, you could provide adequate protection from inadvertent damage.

My 2 cents

-- Rod Hills
There be dragons...