
How to create a user with only a few commands available to him

 
NDO
Super Advisor


Hi

 

I need to create a user that basically has only read access, but I believe that is not possible, so how do I provide him with limited commands (he should not be able to do 'rm', 'mv')?

 

Mani_Np
HPE Pro

Re: How to create a user with only a few commands available to him

Hello,

You can't create a user account with read only access.

Note that a newly created user has write access to his home directory while the user can only read or list contents in other directories. The user will not have write or run permission on other directories unless he has been added to a group having write/run permission on those directories.

You can try to install sudo (which is not supported by HPE) and configure these users to restrict the commands they can run as well as log commands that they are allowed to run.

sudo can be downloaded from HPE InternetExpress Bundle or from HPUX Porting website.

Regards,
Manikandan
I work for HPE


Bill Hassell
Honored Contributor

Re: How to create a user with only a few commands available to him

It sounds like this user has permission to damage files and directories not in the $HOME directory. If you have files and directories with 777 and 666 permissions, I would have an HP-UX expert help you set the correct permissions. A normal user can't change or remove files in system directories like /usr, /opt, /etc and so on. Run the command:

swverify \*

which will verify the system files and directories. At the end of the run, there will be a note on where to read the permission errors:

NOTE:    More information may be found in the agent logfile using the
         command "swjob -a log yoda-4232 @ yoda:/".

In the meantime, to immediately limit a user to specific commands, don't give the user standard shell access. Instead, write a short menu program with the tasks that are allowed. Here is an example:

#!/usr/bin/ksh


########################
#                      #
#       menu.ksh       #
#       ========       #
#                      #
#  Simple menu script  #
#    to run selected   #
#       commands       #
#                      #
########################

# Example menu program to replace a normal shell for a user.
# This script prevents access to a shell prompt


trap "exit" 0 1 2 3 6 11 15                     # all signals will exit
set -u
export PATH=/usr/bin:/usr/sbin                  # don't use default $PATH
export MYNAME=${0##*/}                          # basename for this script
export MYHOSTNAME=$(hostname)                   # current hostname
export MYHOST=${MYHOSTNAME%%.*}                 # drops FQDN if present
export MYIPADDR=$(getip $MYHOSTNAME)            # Get IP address for this host
export MYNODE=$(uname -n)                       # NODENAME from uname -n
alias noc="awk 'NF && ! /^[[:space:]]*#/'"      # show file(s) without comments



##############
#  ShowMenu  #
##############

function ShowMenu
{

## Display the menu of choices - must match case/esac below
## Ask the question and return

 clear
 cat << EOF
 Menu script ... $MYNAME

  1. bdf
  2. uname
  3. ioscan -knf
  4. exit
EOF

 echo "\nEnter choice: \c"
 return
}

#################
#  PressReturn  #
#################

function PressReturn
{

## Simple pause and return

 echo "\n...press Enter to continue...\c"
 read
 return
}

#############################
#  M A I N   P R O G R A M  #
#############################

TIMEOUT=10

while :
do
   ShowMenu

# Wait $TIMEOUT seconds for a reply

   REPLY=$(line -t $TIMEOUT)
   case $REPLY in
      1) bdf
         PressReturn
         ;;
      2) uname -a
         PressReturn
         ;;
      3) ioscan -knf
         PressReturn
         ;;
      4) exit
         ;;
     "") echo "\n\nno response, exiting\n"
         exit
         ;;
      *) echo
         echo "Invalid choice: $REPLY"
         PressReturn
         ;;
   esac
done

exit

Then replace the reference to sh or ksh in the passwd file for that user. Now when they log in, they will get the menu and no way to run any other commands.



Bill Hassell, sysadmin
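
An added example, not part of the post above: a check that an account really is pinned to the menu script, that is, field 7 of its passwd entry names the script and neither the script, its directory, nor its location lets the user replace it. The function names, the accounts `menuop` and `oldop`, and all paths are hypothetical, and the sample passwd lines are constructed.

```shell
#!/bin/sh
# Added example: audit a menu-as-login-shell account.
# check_menu_shell PASSWD_FILE USER MENU_PATH
# Prints one FAIL line per finding; returns 0 when clean, 1 otherwise.

# True if the ls -ld mode string shows group or other write permission.
loose_mode() {
    case $(ls -ld "$1" | cut -c1-10) in
        ?????w*|????????w*) return 0 ;;
    esac
    return 1
}

check_menu_shell() {
    pw=$1; user=$2; menu=$3; rc=0
    # passwd fields: 6 = home directory, 7 = program started at login
    entry=$(awk -F: -v u="$user" '$1 == u { print $6 ":" $7 }' "$pw")
    [ -n "$entry" ] || { echo "FAIL: no passwd entry for $user"; return 1; }
    home=${entry%%:*}; shell=${entry#*:}
    [ "$shell" = "$menu" ] ||
        { echo "FAIL: login shell is '$shell', not $menu"; rc=1; }
    [ -f "$menu" ] && [ -x "$menu" ] ||
        { echo "FAIL: $menu is missing or not executable"; return 1; }
    # The user owns $HOME, so a menu stored there can be swapped out.
    case $menu in
        "$home"/*) echo "FAIL: $menu is inside the user's home"; rc=1 ;;
    esac
    # A writable script or parent directory lets the menu be replaced.
    for p in "$menu" "$(dirname "$menu")"; do
        if loose_mode "$p"; then
            echo "FAIL: $p is group- or world-writable"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: one good entry (menuop) and one left on ksh (oldop).
demo() {
    d=$(mktemp -d) && mkdir "$d/sbin" && chmod 755 "$d/sbin"
    printf '#!/usr/bin/ksh\nexit\n' > "$d/sbin/menu.ksh"
    chmod 755 "$d/sbin/menu.ksh"
    printf '%s\n' "menuop:*:201:20::/home/menuop:$d/sbin/menu.ksh" \
                  "oldop:*:202:20::/home/oldop:/usr/bin/ksh" > "$d/passwd"
    good=0; check_menu_shell "$d/passwd" menuop "$d/sbin/menu.ksh" || good=$?
    bad=0;  check_menu_shell "$d/passwd" oldop  "$d/sbin/menu.ksh" || bad=$?
    rm -rf "$d"
    echo "menuop=$good oldop=$bad"
}
demo
```

The `demo` helper assumes a `mktemp -d` that creates a directory, which is not how the HP-UX `mktemp` behaves; `check_menu_shell` itself uses only `awk`, `ls`, `cut` and `dirname`.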
NDO
Super Advisor

Re: How to create a user with only a few commands available to him

Hi Bill

 

As I was trying my options, what I initially did was to create a new group, and insert that new user into that group, so this user (newly created) could not "rm" or "mv", but could "cp" the files from other directories....

But now I will try your option.