restrict user process

 
Tommy Wang
Occasional Advisor

restrict user process

I would like to create a user account to run a few commands which I allow to run, and the account cannot browse to other directories except its home directory.
Any help should be highly appreciated.
7 REPLIES
Andy Monks
Honored Contributor

Re: restrict user process

You'll want to use a restricted shell then. Either use rsh or rksh.
Tommy Wang
Occasional Advisor

Re: restrict user process

Thanks. Is there any instruction which could teach me how to set restrictions on both shells?
Andreas Voss
Honored Contributor

Re: restrict user process

Hi,

simply change the default shell in /etc/passwd.
I.e.:
user:wRsdz.Rx4zueQ:200:20::/home/user:/bin/rsh

Cheers

Andrew
Andy Monks
Honored Contributor

Re: restrict user process

Either create a new user with sam or useradd.

There is some info on rsh/rksh in the sh and ksh man pages.

Using rsh you can't do:

change directory
set the PATH environment variable
specify path or command names containing '/'
redirect output
Bill Hassell
Honored Contributor

Re: restrict user process

Actually, the restricted shell is pretty difficult to use. The restricted shell (rsh or rksh) will use chroot to change to the user's $HOME which then becomes / for that user. There is no /usr or /opt and not even /etc. So once logged in using a restricted shell, the user has no commands available. The users cannot change directories upwards because they are already in the / directory as far as their shell is concerned.

So you have to create a $HOME/usr directory and put the selected commands into that directory and make sure $PATH is set to a meaningful list...most of the standard $PATH is inaccessible in the restricted shell.

But wait, there's more restrictions. If a command needs a configuration file in /etc to run correctly, those file(s) must also be copied to the user's $HOME, under a new directory called $HOME/etc and if the config file(s) refer to other files, these will likely have to be copied too. Then there's the problem of running a program, such as a database client. The client may need to open files that are not in the user's $HOME.

As you can tell, the restricted shell is not that easy to make useful. However, there is an easier alternative: change the user's shell to a program that you write which offers the necessary commands in a menu. You can even use a shell script but you must be careful to trap all signals to prevent escaping from the shell program with CTRL-C or other interrupts. Something like this:

trap "exit" 0 1 2 3 15

And as with all tasks in Unix, if there aren't 3 or more ways to do the same thing, you haven't tried hard enough:

Choice 3: In /etc/profile, you can test for the user(s) login names, then exec a program rather than completing the /etc/profile script. Be sure to exec rather than run the command so the user will not return to /etc/profile when the command is done. For example:

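# Runs inside /etc/profile: match the login name to be confined
if [ "$(whoami)" = blh ]
then
    echo "leaving /etc/profile"
    # exec replaces the login shell, so the session ends when the program exits
    exec sleep 5
fi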

In the above example, sleep 5 is the program to run, and any attempt to break out will fail. When the program is done (sleep for 5 seconds), the session terminates. In this case, no changes are needed for the user's shell, just edit /etc/profile.


Bill Hassell, sysadmin
RikTytgat
Honored Contributor

Re: restrict user process

Bill,

I'm afraid you're wrong!

In restricted shell, you can execute all commands in your PATH. So, if /usr/bin is in your path, the restricted user can run any of the commands in /usr/bin.

Also, no chroot is done. The /etc is available (one can even list it). When doing an ls -l /etc, all usernames and groupnames are listed, so there IS access to /etc/passwd.

The limitations of a restricted shell are exactly what Andy says in his reply.

Bye,
Rik
Alan Riggs
Honored Contributor

Re: restrict user process

Bill may be incorrect in the details, but his main point is worth noting. Because rsh/rksh prevent any path names from being specified absolutely, many client applications will not be able to start properly. This can affect SAP programs, database clients, etc. Sometimes, it may be possible to edit the startup scripts to allow rsh functionality, but it is often neither guaranteed nor trivial to do so.

However, if your users do not need access to those kinds of apps then rsh/rksh is a fine solution. It does provide the restrictions Andy specified. One note: make sure to create the /usr/rbin directory and place only the commands you want the user to have access to in that directory. Then modify the user's path appropriately. If you give them access to /usr/bin they have vi, which will allow them to read in and execute files using absolute paths. The red editor can be provided for users that need a text editor.
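
The setup described in the last reply (a dedicated /usr/rbin holding only the permitted commands, and a PATH that points only there) can be checked with a script like the one below. This is an added example, not code posted by anyone in the thread; the function names, the finding labels and the allowlist argument are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. The directory and the allowlist are
# supplied by the caller; the finding labels are invented for this sketch.

# audit_rbin DIR "cmd1 cmd2 ...": DIR may hold only the allowlisted commands,
# and nothing in it (DIR included) may be writable by group or other.
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_rbin() {
    rb_dir=$1; rb_allowed=$2; rb_rc=0
    [ -d "$rb_dir" ] || { echo "MISSING $rb_dir"; return 1; }
    for rb_entry in "$rb_dir"/* "$rb_dir"/.[!.]*; do
        # Unmatched globs stay literal; skip them but keep dangling symlinks.
        [ -e "$rb_entry" ] || [ -L "$rb_entry" ] || continue
        rb_name=${rb_entry##*/}
        case " $rb_allowed " in
            *" $rb_name "*) ;;
            *) echo "UNEXPECTED $rb_name"; rb_rc=1 ;;
        esac
    done
    # A writable directory or file lets someone add or replace a command.
    # Symlinks are skipped here because their own mode bits are meaningless.
    rb_writable=$(find "$rb_dir" ! -type l \( -perm -020 -o -perm -002 \) -print)
    if [ -n "$rb_writable" ]; then
        echo "$rb_writable" | sed 's/^/WRITABLE /'
        rb_rc=1
    fi
    return $rb_rc
}

# audit_path PATHVALUE DIR: every component of PATHVALUE must be exactly DIR.
# An empty component means "current directory" and is reported.
audit_path() {
    ap_rc=0
    case ":$1:" in *::*) echo "EMPTY_COMPONENT"; ap_rc=1 ;; esac
    ap_ifs=$IFS; IFS=:
    set -f
    for ap_p in $1; do
        [ -z "$ap_p" ] || [ "$ap_p" = "$2" ] || { echo "EXTRA $ap_p"; ap_rc=1; }
    done
    set +f; IFS=$ap_ifs
    return $ap_rc
}
```
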