Operating System - HP-UX

Re: Restrict getting to Shell

 
KPS
Super Advisor

Restrict getting to Shell

Okay here's one I haven't seen before.

I'm dealing with an Application on our 11.23 (IA-64) system, that when a developer/user gets to a prompt within the Application to do things with code and such, all they have to do is type in a "!" and it exits them out to a shell. We want to prevent this if at all possible. They are a non-privileged user when they get out to a shell on the OS, but just the same, we want to restrict this if we can.

Is there any way to prevent them from doing this that anyone could think of? We have tried limiting this in sudo with the option of !SHELL, but it is not working.

Thanks in advance for any ideas anyone can provide!

KPS
James R. Ferguson
Acclaimed Contributor

Re: Restrict getting to Shell

Hi:

Define the application (code file) as the program-to-use-as-the-shell (i.e. the last field) in '/etc/passwd'.

Regards!

...JRF...
KPS
Super Advisor

Re: Restrict getting to Shell

We just tried this and that's not working for us.

The developer/user authenticates and gets put right into a wrapper program that we have that allows them to select an instance of the App.

With making that change to the /etc/passwd file login doesn't even give them our wrapper script anymore.

/KPS
KPS
Super Advisor

Re: Restrict getting to Shell

We just tried this and that's not working for us.

The developer/user authenticates and gets put right into a wrapper program that we have that allows them to select an instance of the App.

With making that change to /etc/passwd it doesn't give them our wrapper script anymore to choose an instance of their preference within the Application.


/KPS
Michael Mike Reaser
Valued Contributor

Re: Restrict getting to Shell

If the application is allowing access to a shell simply by typing a "!" (similar to what can be done in, say, vi via ":!sh"), then the only answer is to work with the application developers to disable this functionality.

If the *APPLICATION* is allowing access to a shell, then the *APPLICATION* needs to be changed to not do so.
There's no place like 127.0.0.1

HP-Server-Literate since 1979
TTr
Honored Contributor

Re: Restrict getting to Shell

Try the following.

Create a shell wrapper that these application users would have as their shell in /etc/passwd. Let's say it is called app-sh. In it you put the following two lines:

export SHELL=/usr/bin/false


Test it and tweak as needed. You can also combine it with sudo if necessary. It works with vi: if you set the SHELL variable to /usr/bin/false and then run vi, you cannot escape to the shell.
TTr
Honored Contributor

Re: Restrict getting to Shell

Let us know if it works. If your application uses the SHELL variable to determine which shell to use, it will work. Otherwise you have to find out if it is possible within the app to point it to /usr/bin/false.
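
The wrapper approach from the two posts above, as an added example that is not part of any post in this thread: it shows the restriction holding for a program that spawns `$SHELL` on "!" and failing for one that hard-codes `/bin/sh`. The names `app_sh`, `honours_shell` and `hardcoded_sh` and the stand-in commands are constructed for illustration; the real application path is not given in the thread.

```shell
#!/bin/sh
# Added example; app_sh, honours_shell and hardcoded_sh are hypothetical names.

# Locate a 'false' binary: /usr/bin/false as in the post, /bin/false elsewhere.
find_false() {
    for f in /usr/bin/false /bin/false; do
        if [ -x "$f" ]; then printf '%s\n' "$f"; return 0; fi
    done
    return 1
}

# The wrapper: point SHELL at 'false', then replace this process with the
# application so no shell is left underneath it when the application exits.
# Installed as a login shell, the body would end with: exec /path/to/application
app_sh() {
    SHELL=$(find_false) || return 127
    export SHELL
    exec "$@"
}

# Constructed stand-ins for an application's "!" handler.
# honours_shell spawns $SHELL (as vi's ":!" does); hardcoded_sh spawns
# /bin/sh directly (as a C program calling system() does).
honours_shell='"${SHELL:-/bin/sh}" -c "echo escaped"'
hardcoded_sh='/bin/sh -c "echo escaped"'

# Run a stand-in under the wrapper in a subshell and print whatever the
# attempted shell escape produced (empty output means it was blocked).
escape_under_wrapper() {
    ( app_sh /bin/sh -c "$1" ) 2>/dev/null
}

echo "honours SHELL : '$(escape_under_wrapper "$honours_shell")'"
echo "hard-coded sh : '$(escape_under_wrapper "$hardcoded_sh")'"
```

An empty result on the first line and `escaped` on the second is the distinction to test for against the real application before relying on the wrapper.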
KPS
Super Advisor

Re: Restrict getting to Shell

We tried setting the shell to /home//<scriptname> again and that seems to be working for us to restrict Shell Access. The user is not able to get out to a Shell any longer.

Many thanks to all of you for your suggestions.

/KPS