07-25-2000 01:27 AM
restrict user process
Any help should be highly appreciated.
07-25-2000 01:32 AM
Re: restrict user process
07-25-2000 01:46 AM
Re: restrict user process
07-25-2000 01:52 AM
Re: restrict user process
Simply change the default shell in /etc/passwd.
I.e.:
user:wRsdz.Rx4zueQ:200:20::/home/user:/bin/rsh
Cheers
Andrew
07-25-2000 01:59 AM
Re: restrict user process
There is some info on rsh/rksh in the sh and ksh man pages.
Using rsh you can't do:
change directory
set the PATH environment variable
specify path or command names containing '/'
redirect output
07-25-2000 03:43 AM
Re: restrict user process
So you have to create a $HOME/usr directory and put the selected commands into that directory and make sure $PATH is set to a meaningful list...most of the standard $PATH is inaccessible in the restricted shell.
But wait, there are more restrictions. If a command needs a configuration file in /etc to run correctly, those file(s) must also be copied to the user's $HOME, under a new directory called $HOME/etc and if the config file(s) refer to other files, these will likely have to be copied too. Then there's the problem of running a program, such as a database client. The client may need to open files that are not in the user's $HOME.
As you can tell, the restricted shell is not that easy to make useful. However, there is an easier alternative: change the user's shell to a program that you write which offers the necessary commands in a menu. You can even use a shell script but you must be careful to trap all signals to prevent escaping from the shell program with CTRL-C or other interrupts. Something like this:
trap "exit" 0 1 2 3 15
And as with all tasks in Unix, if there aren't 3 or more ways to do the same thing, you haven't tried hard enough:
Choice 3: In /etc/profile, you can test for the user(s) login names, then exec a program rather than completing the /etc/profile script. Be sure to exec rather than run the command so the user will not return to /etc/profile when the command is done. For example:
if [ "$(whoami)" = blh ]
then
    echo "leaving /etc/profile"
    # exec replaces the login shell, so the session ends when the program exits
    exec sleep 5
fi
In the above example, sleep 5 is the program to run, and any attempt to break out will fail. When the program is done (sleep for 5 seconds), the session terminates. In this case, no changes are needed for the user's shell, just edit /etc/profile.
Bill Hassell, sysadmin
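The menu-program alternative described in the post above, as an added example that is not part of the original thread. The file name menu_shell and the three offered commands are assumptions; the script would be named in the shell field of /etc/passwd, and the user's input is only compared against fixed keys, never evaluated.

```shell
#!/bin/sh
# Added example: a menu program used as a login shell.
# Assumptions: installed under the hypothetical name "menu_shell";
# the commands offered below are placeholders for the site's own list.

# Map a menu key to one fixed absolute command path.
# Anything that is not an exact key is rejected (non-zero return).
menu_command() {
    case "$1" in
        1) echo "/usr/bin/date" ;;
        2) echo "/usr/bin/who" ;;
        3) echo "/usr/bin/uptime" ;;
        *) return 1 ;;
    esac
}

menu_loop() {
    # Fixed search path for anything the offered commands start themselves.
    PATH=/usr/bin; export PATH
    # HUP, INT, QUIT and TERM end the session instead of leaving a prompt.
    trap 'exit 1' 1 2 3 15
    while :; do
        printf '1) date  2) who  3) uptime  q) logout\nChoice: '
        IFS= read -r choice || exit 0   # EOF (CTRL-D) logs out
        [ "$choice" = q ] && exit 0
        if cmd=$(menu_command "$choice"); then
            "$cmd"                      # one fixed path, no arguments from the user
        else
            echo "Invalid choice"
        fi
    done
}

# Start the menu only when run under the assumed name, so the
# functions above can also be sourced and checked on their own.
case "${0##*/}" in
    menu_shell) menu_loop ;;
esac
```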
07-25-2000 05:13 AM
Re: restrict user process
I'm afraid you're wrong!
In restricted shell, you can execute all commands in your PATH. So, if /usr/bin is in your path, the restricted user can run any of the commands in /usr/bin.
Also, no chroot is done. The /etc is available (one can even list it). When doing an ls -l /etc, all usernames and groupnames are listed, so there IS access to /etc/passwd.
The limitations of a restricted shell are exactly what Andy says in his reply.
Bye,
Rik
07-25-2000 07:39 AM
Re: restrict user process
However, if your users do not need access to those kinds of apps then rsh/rksh is a fine solution. It does provide the restrictions Andy specified. One note: make sure to create the /usr/rbin directory and place only the commands you want the user to have access to in that directory. Then modify the user's path appropriately. If you give them access to /usr/bin they have vi, which will allow them to read in and execute files using absolute paths. The red editor can be provided for users that need a text editor.
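
One way to check the point the replies above make about /usr/rbin versus /usr/bin, as an added example that is not part of the original thread. The ESCAPE_CMDS list is an assumption (shells plus the vi and ed editors) and is not exhaustive; the check matches file names only, so a renamed copy is not detected.

```shell
#!/bin/sh
# Added example: audit the PATH given to a restricted-shell (rsh/rksh) account.
# Assumption: illustrative list of commands that hand back an unrestricted
# shell or editor; extend it for the site. red (restricted ed) is not listed.
ESCAPE_CMDS="sh ksh csh bash vi view ex ed"

# audit_path PATHSTRING
# Prints one line per finding: the full path of each listed command that is
# executable in a PATH directory, or a note when PATH contains the current
# directory. Returns 0 when nothing is flagged, 1 otherwise.
audit_path() {
    rc=0
    # Append ":" so a trailing empty element is also visited.
    rest="$1:"
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        rest=${rest#*:}
        # An empty PATH element means the current directory, which for a
        # restricted user is $HOME because cd is not available.
        if [ -z "$dir" ] || [ "$dir" = "." ]; then
            echo "current-directory entry in PATH"
            rc=1
            continue
        fi
        for name in $ESCAPE_CMDS; do
            if [ -x "$dir/$name" ]; then
                echo "$dir/$name"
                rc=1
            fi
        done
    done
    return $rc
}

# Default to the directory named in the thread when no PATH string is given.
audit_path "${1:-/usr/rbin}" || true
```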