How can I restrict the use of the shell from vi
09-08-2005 04:29 AM
We have a security issue. We have allowed certain users to execute /usr/bin/vi through sudo; therefore they have the right to edit/modify any files on the system.
For security reasons we have to prevent the possibility of starting a shell within vi. Is there any way to do that?
Or
How can I substitute /usr/bin/vi for certain users with /usr/bin/rvi (restricted vi), without the user noticing it, and allowing the user to still use the word "vi" to execute rvi?
cat /usr/bin/rvi:
#!/bin/sh
# save the caller's SHELL before blanking it, so it can be restored afterwards
OLDSHELL=${SHELL}
export SHELL=
# pass all arguments through to the real vi, not just the first one
/bin/vi "$@"
SHELL=${OLDSHELL}
exit 0
#.end
Thanks
09-08-2005 04:50 AM
Solution
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=951675
This will help!
T.
Hope this helps!
Regards
Torsten.
__________________________________________________
There are only 10 types of people in the world -
those who understand binary, and those who don't.
__________________________________________________
No support by private messages. Please ask the forum!
If you feel this was helpful please click the KUDOS! thumb below!
09-08-2005 05:12 AM
Re: How can I restrict the use of the shell from vi
Though you have given vi permission through sudo, it again needs Unix permission to open any file, even if it is through vi.
If the user does not have read permission, he cannot read the file from the vi window; it will give a "Permission denied" error.
So it depends on Unix permissions too.
Cheers,
Raj.
09-08-2005 08:45 AM
Re: How can I restrict the use of the shell from vi
Then examine the search paths of the users and find all references to the vi executable, and rename this to something obscure like MySecretFile, or anything your heart desires, preferably in a directory in nobody's direct search path, like /var/adm.
Then put your script above in the place of the original vi with execute-only permissions for everyone but not read, i.e. permissions should be 111. Although I must admit there might be some fallouts due to this permission mode.
The other way to implement this is:
in /etc/profile, which all users can and must read and cannot modify, at login time:
export EXINIT='set shell=/usr/bin/false'
This will prevent them from running a shell command out of vi.
If you are only concerned about the root user doing this, as you mentioned vi through sudo, you can put the same statement into root's .profile for the same effect.
Or in root's home directory, you can create a file called .exrc, or edit one if it exists, and put this line in it:
shell=/usr/bin/false
Hope one of these helps.
UNIX because I majored in cryptology...
09-08-2005 09:26 AM
Re: How can I restrict the use of the shell from vi
http://hpux.cs.utah.edu/hppd/hpux/Editors/nvi-1.79/
You call "nvi -s" and it will not allow access to external programs while editing.
HTH
-- Rod Hills
09-08-2005 06:29 PM
Re: How can I restrict the use of the shell from vi
First: the OLDSHELL/SHELL thing is not useful. When rvi exits, SHELL is set to the value it had before. In fact, SHELL is only changed in the context of rvi, but *NOT* in the context of the calling program (sudo in this case).
Second: what kind of security is this? If a user can modify *ANY* file, the shell is the last thing you have to worry about. Imagine that someone edits /etc/passwd, /etc/shadow, /etc/profile, .... This will not grant him root privileges at once, but surely in the second step....
Third: think about a script that does the following:
1. Let the user choose the file to edit from a list that your script controls.
2. Copy the file to /tmp or the user's HOME, using sudo.
3. Change the owner of the file to the calling user, using sudo.
4. Let the user edit the file with his own permissions, not using sudo/root!
5. When the user exits vi, copy the file back to its original location using sudo and root permissions.
6. Don't forget to make a backup of the file between steps 4 and 5.
7. For security reasons, don't let the user edit scripts that will be executed in root context afterwards. For example, editing root's crontab lets the user execute a script in root context, which deletes all your files. Changing /etc/profile gives the user a chance to delete all your files if root logs in... etc....
Last: think about using ACLs.
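A wrapper that follows the seven steps above, added here as an example and not code from this thread. It assumes the caller's sudoers already permits cp, chown and mkdir under sudo; the allowlisted paths, the backup directory and the function names are my own placeholders.

```shell
#!/bin/sh
# Added example (not from this thread): a controlled-edit wrapper following the
# seven steps above. The editor itself never runs under sudo, so the only shell
# an editor escape can reach is the caller's own. ALLOWED_FILES entries and
# BACKUP_DIR are constructed placeholders; PRIV is the privilege prefix that
# the caller's sudoers must permit for cp, chown and mkdir.
PRIV="${PRIV-sudo}"
ALLOWED_FILES="${ALLOWED_FILES:-/oracle/app/example.conf /etc/example/app.conf}"
EDIT_CMD="${EDIT_CMD:-/usr/bin/rvi}"
BACKUP_DIR="${BACKUP_DIR:-/var/adm/editbak}"

# is_allowed FILE: succeed only on an exact, literal allowlist match (step 1).
is_allowed() {
    for f in $ALLOWED_FILES; do
        [ "$1" = "$f" ] && return 0
    done
    return 1
}

# edit_file FILE: copy out, edit unprivileged, back up, copy back (steps 2-6).
edit_file() {
    target="$1"
    is_allowed "$target" || { echo "not permitted: $target" >&2; return 1; }
    work=$(mktemp "${TMPDIR:-/tmp}/edit.XXXXXX") || return 1
    $PRIV cp "$target" "$work" || return 1              # step 2: private copy
    $PRIV chown "$(id -un)" "$work" || return 1         # step 3: caller owns it
    chmod 600 "$work"
    $EDIT_CMD "$work" || { rm -f "$work"; return 1; }   # step 4: caller's own uid
    if ! cmp -s "$target" "$work"; then
        $PRIV mkdir -p "$BACKUP_DIR" || return 1
        $PRIV cp -p "$target" \
            "$BACKUP_DIR/$(basename "$target").$(date +%Y%m%d%H%M%S)" \
            || return 1                                 # step 6: backup first
        $PRIV cp "$work" "$target" || return 1          # step 5: keeps owner/mode
    fi
    rm -f "$work"
}

[ $# -eq 0 ] || edit_file "$1"
```

Because `cp` writes into the existing target instead of replacing it, the original owner and mode survive; files that are later executed in root context (step 7) simply stay off ALLOWED_FILES.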
09-09-2005 12:49 AM
Re: How can I restrict the use of the shell from vi
So far I have looked at many different suggestions from you all, and thanks a lot for them.
We have decided to prevent the use of /usr/bin/vi as well as /usr/bin/more, which has the same security risk when executed with sudo.
i.e.: while in more, do bang sh (!sh); this will give you a prompt as well.
Our new approach will be to grant modification to specific files or groups of files at a time.
ie:
Cmnd_Alias VI = /usr/bin/vi /oracle/bla/bla.conf
Any other suggestions would be appreciated.
Best regards
09-09-2005 01:56 AM