10-17-2013 04:03 AM
How to restrict user from issuing an rm command in hpux?
Hi guys,
I would like to know whether I could restrict a user from issuing an rm command in our production servers. There is a common user used to log in to our PROD servers, but we would like to restrict this user from issuing an rm command.
Please advise me how best I can achieve this.
Regards,
Chui
10-18-2013 01:15 AM - edited 10-18-2013 03:51 PM
Re: How to restrict user from issuing an rm command in HP-UX?
What commands do you want to ALLOW? Would this allow using the restricted shell?
Would a chroot jail work for those users?
10-18-2013 03:21 AM
Re: How to restrict user from issuing an rm command in HP-UX?
# rm command is not allowed to be used at the shell prompt. No
Regards,
Chui
10-18-2013 04:18 AM
Re: How to restrict user from issuing an rm command in HP-UX?
Please tell more about the scenario.
"rm" is not the only method to delete a file.
Remember, the user can only delete files if he is the owner (or if he has write access).
Hope this helps!
Regards
Torsten.
__________________________________________________
There are only 10 types of people in the world -
those who understand binary, and those who don't.
__________________________________________________
No support by private messages. Please ask the forum!
If you feel this was helpful please click the KUDOS! thumb below!
10-18-2013 03:50 PM
Re: How to restrict user from issuing an rm command in HP-UX?
>"rm" is not the only method to delete a file.
Like deleting the contents. :-)
>the user can only delete files if he is the owner (or if he has write access).
Owner on the file is only important if sticky bit is set for a directory (like /tmp and /var/tmp).
Otherwise write access to the directory is enough.
10-18-2013 05:55 PM - edited 10-18-2013 05:57 PM
Re: How to restrict user from issuing an rm command in HP-UX?
>> Remember, the user can only delete files if he is the owner (or if he has write access).
Actually, that isn't true at all. The file's protection (owner and permission) only covers the contents of the file.
The existence of a file is controlled by the directory, not the file.
If a file is owned by root and has zero permissions but resides in a directory that allows write access for a user, the file can be renamed or removed.
As mentioned, the rm command is just one of many ways to destroy a file. If a user is improperly trained or careless, then the user should not be allowed to run a normal shell. The restricted shell is a possibility, but the ideal solution is a simple menu script that only allows certain actions. And of course this user can never be allowed to log in with root privileges.
Bill Hassell, sysadmin
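The directory rule described in the post above, as an added example that is not part of the original thread: one function classifies a directory by who may remove entries in it, and a second shows a mode-000 file being renamed and removed through directory write access alone. The function names and the scratch directory under ${TMPDIR:-/tmp} are assumptions.

```shell
#!/usr/bin/sh
# Added example (constructed); names and the scratch path are assumptions.

# Report who may create, rename or remove entries in directory $1, read
# from the mode string printed by ls -ld (for example drwxrwxrwt).
# Output is <scope>:<sticky|nosticky>, where scope is owner, group or other.
dir_delete_scope() {
    mode=$(ls -ld "$1" | cut -c1-10)
    scope=owner
    if [ "$(printf '%s' "$mode" | cut -c6)" = w ]; then scope=group; fi
    if [ "$(printf '%s' "$mode" | cut -c9)" = w ]; then scope=other; fi
    case "$(printf '%s' "$mode" | cut -c10)" in
        t|T) echo "$scope:sticky" ;;    # only the file or directory owner (or root) may remove an entry
        *)   echo "$scope:nosticky" ;;  # anyone in scope may remove any entry
    esac
}

# A file's own mode does not protect its directory entry: a mode-000 file
# is renamed and then removed using only write access to the directory.
mode000_removal_demo() {
    d=${TMPDIR:-/tmp}/deldemo.$$
    mkdir "$d" || return 1          # plain mkdir fails if the name already exists
    chmod 700 "$d"
    echo data > "$d/locked"
    chmod 000 "$d/locked"           # no read, write or execute for anyone
    mv "$d/locked" "$d/renamed" && rm -f "$d/renamed"
    if [ -e "$d/locked" ] || [ -e "$d/renamed" ]; then
        result=kept
    else
        result=removed
    fi
    rmdir "$d" 2>/dev/null
    echo "$result"
}

echo "mode-000 file in a writable directory: $(mode000_removal_demo)"
echo "/tmp: $(dir_delete_scope /tmp)"
```

Running dir_delete_scope over the directories that hold production data shows where the shared account can remove files regardless of the files' own permissions.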
10-22-2013 03:42 AM
Re: How to restrict user from issuing an rm command in HP-UX?
The first step is to edit the .profile file, and then I add the line alias rm='/usr/bin/rm -i' as shown below.
# vi .profile
# @(#) $Revision: 74.2 $
# Default (example of) super-user's .profile file
# Do not put "." in PATH; it is a potential security breach.
# Do not put "/usr/local/bin" in PATH; it is a potential security breach.
# Example assumes /home/root exists.
set +u
PATH=/usr/sbin:$PATH:/sbin:/home/root:/usr/cd0
alias rm='/usr/bin/rm -i'
# Be sure that VUE does not invoke tty commands
if [ ! "$VUE" ]; then
# Set up the terminal:
if [ "$TERM" = "" ]
then
eval ` tset -s -Q -m ':?hp' `
else
The second step is to change directory with cd /usr/bin and then issue the command chmod 400 rm as shown below.
-r-xr-xr-x 1 bin bin 81920 Feb 9 1999 rlog
-r-sr-xr-x 1 root bin 45056 Aug 3 1998 rlogin
-r-------- 2 bin bin 28672 Nov 7 1997 rm
-r-sr-sr-x 2 root mail 45056 Nov 7 1997 rmail
The last step is to run the command as shown below.
# rm chui
rm: chui non-existent
Is there any simple menu script so that only a certain user is not allowed to use the rm command?
Regards,
Chui
10-22-2013 06:07 AM
Re: How to restrict user from issuing an rm command in HP-UX?
What if I as a user run /sbin/rm ?
Hope this helps!
Regards
Torsten.
__________________________________________________
There are only 10 types of people in the world -
those who understand binary, and those who don't.
__________________________________________________
No support by private messages. Please ask the forum!
If you feel this was helpful please click the KUDOS! thumb below!
10-22-2013 06:36 AM - edited 10-22-2013 06:55 AM
Re: How to restrict user from issuing an rm command in HP-UX?
>> The second step is to change directory with cd /usr/bin and then issue the command chmod 400 rm as shown below.
>> -r-------- 2 bin bin 28672 Nov 7 1997 rm
You have just destroyed the rm command for every user including root. True, if root is logged in, then the root user may change the permission back again. However, there are dozens of programs and scripts that use the rm command and they will start failing once you do this.
Removing the rm command is the wrong way to fix the real issue. It will make your system very unreliable and still the untrained (untrustworthy?) user is free to use other commands to destroy files and directories. This user must not be allowed to log on to the system at all, or must be given a simple menu to perform their tasks.
Attached is a simple menu script. Replace the user's shell in /etc/passwd with this script. To add additional features, you'll need some scripting skills.
Bill Hassell, sysadmin
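The attachment mentioned in the post above is not reproduced on this page. The following is an added example of a menu-only login shell of the kind the post describes; it is not the attached script, and its menu items, function names and the LOGDIR path are assumptions.

```shell
#!/usr/bin/sh
# Added example (constructed): menu-only login shell for a shared account.
# Menu items, function names and LOGDIR are assumptions, not from the thread.

PATH=/usr/bin:/usr/sbin                 # fixed PATH with no user-writable directory
export PATH
LOGDIR=${LOGDIR:-/var/adm/syslog}       # hypothetical directory the user may list

# Map the typed choice to a fixed action name. The input is only compared
# against literals; it is never passed to eval, sh -c or a command line.
menu_action() {
    case "$1" in
        1)   echo disk ;;
        2)   echo procs ;;
        3)   echo logs ;;
        q|Q) echo quit ;;
        *)   echo invalid ;;
    esac
}

# Run one fixed action. None of them starts a pager or an editor, because
# programs such as more, vi and man offer a shell escape.
run_action() {
    case "$1" in
        disk)  bdf 2>/dev/null || df -k ;;   # bdf on HP-UX, df -k elsewhere
        procs) ps -ef ;;
        logs)  ls -l "$LOGDIR" ;;
    esac
}

menu_loop() {
    trap '' INT QUIT TSTP               # interrupt, quit and suspend keys are ignored
    while :; do
        printf '\n1) Disk usage\n2) Process list\n3) List logs\nq) Logout\nChoice: '
        read -r choice || exit 0        # end of input (Ctrl-D) logs the user out
        action=$(menu_action "$choice")
        case "$action" in
            quit)    exit 0 ;;
            invalid) echo "Not a menu option." ;;
            *)       run_action "$action" ;;
        esac
    done
}

# Start the menu only on a terminal, so the functions can be sourced and tested.
if [ -t 0 ] && [ -t 1 ]; then menu_loop; fi
```

Installed as the account's shell in /etc/passwd, as the post suggests, the script ends the session when it exits, so the user never reaches a shell prompt.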