05-29-2003 12:18 PM
I am working on a (POSIX shell) script that will control the users' access to a particular machine where all the users will select from a menu and based on that they will only have access to their HOME directory and to a specific /workdirectory.
The script will also block some of the most dangerous commands like su, rm, rmdir, and will block the users from opening a new shell.
The only problem I have is that for all the users executing the script, some of the commands do not work correctly (more, pg, vi, and kill). The way the script works is running a few tests and when the command passes all of them it will get executed with the sh -c "$command".
I am using a new profile for the users with restricted access but other than the regular env info. they get the Oracle part. All in the same profile.
Could this be the problem I am having? Is there a way to correct this situation?
Thank you for your help. The script is attached.
Regards,
DR
05-29-2003 12:32 PM
Solution
It would appear that setting up a "restricted" shell would be suitable for you.
Have a look at the 'sh_posix' man pages for more information.
Essentially you create a directory called '/usr/rbin' and copy into it the commands the user is allowed to execute. Make sure to add this directory to the user's PATH.
The biggest drawback to this mechanism is that file output redirection is prohibited.
Regards!
...JRF...
05-29-2003 12:44 PM
Re: Not able to use more within user control script
You may want to move the trap to the top of the script, so if there is a delay executing the commands currently ahead of it, there'll be no opportunity to break out of it.
Good luck,
mark
05-29-2003 07:05 PM
Thank you for the answers. The problem I am having is that I do have to limit the use of some of the commands. For example, I can't allow any users to cd to any other directory than his/her home directory and all the directories within a file system, but the major problem here is the fact that the user is not able to use the more and vi commands, which creates a problem because all the users I have are programmers and they will need to view and/or edit the files.
Thank you again.
Regards,
DR
05-29-2003 08:30 PM
I have a similar script running at my site, and the main issues I came across were:
a. use of the "trap"
b. FTP access using the same user account.
good luck
regards
Yogeeraj
05-29-2003 10:28 PM
What exactly is the problem you are encountering?
Maybe a solution will be to copy vi, more, and so on, and their libraries, into a path in the new environment and change rights according to your needs, together with the restricted shell.
HTH,
Massimo
05-30-2003 05:16 AM
I found out that redirecting the errors to /dev/null was causing more and vi not to work correctly. The reason why I was redirecting was that every time the user presses the Enter key, they get the following error:
/usr/local/bin/newsh.sh[38]: test: Specify a parameter with this command.
/usr/local/bin/newsh.sh[50]: test: Specify a parameter with this command.
/usr/local/bin/newsh.sh[56]: test: Specify a parameter with this command.
/usr/local/bin/newsh.sh[63]: test: Specify a parameter with this command.
/usr/local/bin/newsh.sh[70]: test: Specify a parameter with this command.
/usr/local/bin/newsh.sh[76]: cd: A test command parameter is not valid.
/usr/local/bin/newsh.sh[90]: ..: A test command parameter is not valid.
usage: grep [-E|-F] [-c|-l|-q] [-bhinsvx] -e pattern_list...
[-f pattern_file...] [file...]
usage: grep [-E|-F] [-c|-l|-q] [-bhinsvx] [-e pattern_list...]
-f pattern_file... [file...]
usage: grep [-E|-F] [-c|-l|-q] [-bhinsvx] pattern [file...]
/usr/local/bin/newsh.sh[96]: test: Specify a parameter with this command.
/usr/local/bin/newsh.sh[99]: test: Specify a parameter with this command.
usage: grep [-E|-F] [-c|-l|-q] [-bhinsvx] -e pattern_list...
[-f pattern_file...] [file...]
usage: grep [-E|-F] [-c|-l|-q] [-bhinsvx] [-e pattern_list...]
-f pattern_file... [file...]
usage: grep [-E|-F] [-c|-l|-q] [-bhinsvx] pattern [file...]
You are not authorized to cd to
What I need to do is figure out how to interpret the enter function so I can make a test statement but only when the enter key is pressed.
Thank you for all your help.
Regards,
DR
05-30-2003 07:12 AM
It is working now. I made the following change:
OLD LINE:
if [ $command = $NOTHING ]
NEW LINE:
if [ `echo $command | cut -d " " -f 1` = -o $command = ]
I am not re-directing errors to /dev/null.
Thank you for all your help.
Regards,
DR
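The `test:` errors quoted in this thread appear when the user presses Enter and an unquoted variable leaves `[ ]` without an operand. As an added example (not DR's newsh.sh, which is not shown on this page), the sketch below classifies one line of input with quoted tests, so empty input produces no error and stderr does not need to be redirected. `BLOCKED`, `first_word` and `classify` are hypothetical names, and the denylist is an assumption built from the commands named in the first post.

```shell
#!/bin/sh
# Added example, not the original script. BLOCKED is an assumed denylist
# based on the commands the first post says the wrapper refuses.
BLOCKED="su rm rmdir sh ksh csh"

# first_word LINE: print the first whitespace-separated word, or nothing
# when LINE is empty or only blanks.
first_word() {
    set -f          # no filename expansion while the line is split
    set -- $1       # deliberate unquoted split into words
    set +f
    printf '%s' "${1-}"
}

# classify LINE: print "empty", "blocked" or "run".
classify() {
    word=$(first_word "$1")
    # "$word" is quoted, so test always receives its operand, even when
    # the user only pressed Enter. Unquoted, the operand disappears and
    # test reports a missing parameter.
    if [ -z "$word" ]; then
        echo empty
        return 0
    fi
    for b in $BLOCKED; do
        if [ "$word" = "$b" ]; then
            echo blocked
            return 0
        fi
    done
    echo run
}
```

A wrapper loop would call `classify "$command"` after each `read` and simply redisplay the prompt on `empty`.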
05-30-2003 07:16 AM
Pete
05-30-2003 07:22 AM
The only true way to have a restrictive environment is to do as James said and use a restrictive shell.
You could also look at "keysh". This shell provides a "controlled" command line input, although it is a very complicated system to configure.
Personal note-
It seems strange that you are restricting some of the more useful commands. With proper file/directory permissions, you could provide adequate protection from inadvertent damage.
My 2 cents
-- Rod Hills