Re: How to restrict user from issuing an rm command in HP-UX?

chui_88 · ‎10-17-2013

Hi guys,

I would like to know whether i could restrict an user from issuing an rm command in our production servers. There is a common user used to login to our PROD servers, but we would like to restrict this user from issuing a rm command.

Please advice me how best i can achieve this.

Regards,

Chui

Dennis Handly · ‎10-18-2013

What commands do you want to ALLOW? Would this allow using the restricted shell?

Would a chroot jail work for those users?

chui_88 · ‎10-18-2013

Hi Dennis,

# rm command is not allow to used in shell prompt . No
Regards,
Chui

Torsten. · ‎10-18-2013

Please tell more about the scenario.

"rm" is not the only method to delete a file.

Remember, the user can only delete files if he is the owner (of if he has write access).

Hope this helps!
Regards
Torsten.

__________________________________________________
There are only 10 types of people in the world -
those who understand binary, and those who don't.
__________________________________________________
No support by private messages. Please ask the forum!

If you feel this was helpful please click the KUDOS! thumb below!

Dennis Handly · ‎10-18-2013

>"rm" is not the only method to delete a file.

Like deleting the contents. :-)

>the user can only delete files if he is the owner (of if he has write access).

Owner on the file is only important if sticky bit is set for a directory (like /tmp and /var/tmp).

Otherwise write access to the directory is enough.

Bill Hassell · ‎10-18-2013

>> Remember, the user can only delete files if he is the owner (of if he has write access).

Actually, that isn't true at all. The file's protection (owner and permission) only cover the contents of the file.

The existence of a file is controlled by the directory, not the file.

A file that is owned by root and zero permissions but resides in a directory that allows write access for a user, the file can be renamed or removed.

As mentioned, the rm command is just one of many ways to destroy a file. If a user is improperly trained or careless, then the user should not be allowed to run a normal shell. The restricted shell is a possibility, but the ideal solution is a simple menu script that only allows certain actions. And of course this user can never be allowed to login with root privileges.

Bill Hassell, sysadmin

chui_88 · ‎10-22-2013

Hi Bill,

The first step is to edit the file at .profile and then i add a line alias rm='/usr/bin/rm -i' as shown below.

# vi .profile
# @(#) $Revision: 74.2 $[H

# Default (example of) super-user's .profile file

# Do not put "." in PATH; it is a potential security breach.
# Do not put "/usr/local/bin" in PATH; it is a potential security breach.
# Example assumes /home/root exists.
set +u

PATH=/usr/sbin:$PATH:/sbin:/home/root:/usr/cd0
alias rm='/usr/bin/rm -i'

# Be sure that VUE does not invoke tty commands

if [ ! "$VUE" ]; then

# Set up the terminal:
if [ "$TERM" = "" ]
then
eval ` tset -s -Q -m ':?hp' `
else

Second step is to change a directory to cd /usr/bin and then issue a command chmod 400 rm as shown below.

-r-xr-xr-x 1 bin bin 81920 Feb 9 1999 rlog
-r-sr-xr-x 1 root bin 45056 Aug 3 1998 rlogin
-r-------- 2 bin bin 28672 Nov 7 1997 rm
-r-sr-sr-x 2 root mail 45056 Nov 7 1997 rmail

Last step is to run the command as shown below.

# rm chui
rm: chui non-existent

Any simple menu script that only certain user not allow to used the rm command?

Regards,
Chui

Torsten. · ‎10-22-2013

What if I as a user run /sbin/rm ?

Hope this helps!
Regards
Torsten.

__________________________________________________
There are only 10 types of people in the world -
those who understand binary, and those who don't.
__________________________________________________
No support by private messages. Please ask the forum!

If you feel this was helpful please click the KUDOS! thumb below!

Bill Hassell · ‎10-22-2013

>> Second step is to change a directory to cd /usr/bin and then issue a command chmod 400 rm as shown below.
>> -r-------- 2 bin bin 28672 Nov 7 1997 rm

You have just destroyed the rm command for every user including root. True, if root is logged in, then the root user may change the permission back again. However, there are dozens of programs and scripts that use the rm command and they will start failing once you do this.

Removing the rm command is the wrong way to fix the real issue. It will make your system very unreliable and still the untrained (untrustworthy?) user is free to use other commands to destroy files and directories. This user must not be allowed to logon to the system at all, or given a simple menu to perform their tasks.

Attached is a simple menu script. Replace the user's shell in /etc/passwd with this script. To add additional features, you'll need some scripting skills.

Bill Hassell, sysadmin

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Discussions

Forums

Discussions

Forums

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: How to restrict user from issuing an rm command in HP-UX?

How to restrict user from issuing an rm command in hpux?