Operating System - HP-UX

Mike Rightmire
Frequent Advisor

Limiting user logon and always running script as root

Hey Gang,

This is a two fold question which, hopefully, is not too tough.

First, I want to set a user up so that ...

a) His root directory is the home/username directory. I tried adding the "home/username/./:" to the /etc/passwd file, but it does not work. I want the user limited to his directory and subdirectories ONLY.

b) If possible, I would also like to limit this user to being able to do nothing but login, run a script, see the input from the script and enter "yes" or "no" to a prompt. Nothing else.

Second ...
I would like the script he starts to run as root, although the non-root user account needs to start the script and he needs (obviously) LESS than root permissions.

Thanks again for all the help!
Mike
"If we treated each person we met as if they were carrying an unspeakable burden, we might almost treat each other as we should." Dale Carnegie
7 REPLIES
Rob Smith
Respected Contributor

Re: Limiting user logon and always running script as root

Couple of ideas. You can force the user to run a restricted shell, /usr/bin/rsh; when the user is in a restricted shell they cannot change directories, environment variables, etc. As far as the script, you can change the last line in .profile to exec "script name" and that will execute the script. To run it as root you will have to SUID it, which is not wise, but if you have to you have to.

Hope This Helps!

Rob
Learn the rules so you can break them properly.
Sam Nicholls
Trusted Contributor
Solution

Re: Limiting user logon and always running script as root

Another possible solution is to specify the script as the user's login shell in the /etc/passwd file. For example:

guest1::26669:66:Guest1:/home/guest1:/bin/guestscript

Then you'll have to add the script pathname to the /etc/shells file so that login will recognize it as a valid login shell...

/etc/shells:
/sbin/sh
/bin/sh
/bin/csh
/bin/ksh
/bin/guestscript

When the user logs in, the login process fork/execs the script. When the script exits, the login session is terminated.

To make the script execute with root permission, make it owned by root and turn on the setuid bit...

chown root /bin/guestscript
chmod +s /bin/guestscript

-sam
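As an added example (not from the thread, nor HP's or the poster's own code), the following script audits a "captive login shell" account set up the way Sam describes: the script is the login shell in /etc/passwd, it must be listed in /etc/shells, and it may or may not carry the setuid bit. Every path is a parameter, so it runs on constructed sample files here (mktemp is assumed to exist) and on the real /etc/passwd and /etc/shells on a live system.

```shell
#!/bin/sh
# Added example: audit a captive-login-shell account. Not from the thread.
# Paths are parameters; the demo at the bottom uses constructed files.

# passwd_shell PASSWD_FILE USER -> prints USER's login-shell field;
# returns 1 when USER has no entry
passwd_shell() {
    awk -F: -v u="$2" '$1 == u { print $7; found = 1 } END { exit !found }' "$1"
}

# shell_registered SHELLS_FILE SHELL -> 0 when SHELL is listed in SHELLS_FILE
# (an unlisted shell is what produces the "no shell" refusal at login)
shell_registered() {
    grep -qx "$2" "$1"
}

# is_setuid FILE -> 0 when FILE has the setuid bit ("s"/"S" in ls -l column 4)
is_setuid() {
    case "$(ls -ld "$1" | cut -c4)" in
        s|S) return 0 ;;
        *)   return 1 ;;
    esac
}

# owner_of FILE -> prints the owning user (third field of ls -ld)
owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

# audit_captive_account PASSWD_FILE SHELLS_FILE USER -> 0 when USER will log
# straight into its script, 1 when login would fail; prints each finding.
# A setuid script is reported as a warning only: it still works, but every
# line of it runs as the file owner, which is why Rob calls it unwise.
audit_captive_account() {
    passwd=$1 shells=$2 user=$3 rc=0
    shell=$(passwd_shell "$passwd" "$user") || { echo "$user: no entry in $passwd"; return 1; }
    shell_registered "$shells" "$shell" || { echo "$user: $shell not in $shells (login will say 'no shell')"; rc=1; }
    [ -x "$shell" ] || { echo "$user: $shell is missing or not executable"; rc=1; }
    if is_setuid "$shell"; then
        echo "$user: WARNING $shell is setuid, runs as $(owner_of "$shell"); prefer sudo"
    fi
    return $rc
}

# Demo on constructed data: one correct account, and one whose shell was
# never added to the shells file (the failure Mike reports).
demo_dir=$(mktemp -d)
cat > "$demo_dir/guestscript" <<'EOF'
#!/bin/sh
echo "guest menu would run here"
EOF
chmod 755 "$demo_dir/guestscript"
printf 'guest1::26669:66:Guest1:/home/guest1:%s/guestscript\n' "$demo_dir" > "$demo_dir/passwd"
printf 'guest2::26670:66:Guest2:/home/guest2:%s/other\n' "$demo_dir" >> "$demo_dir/passwd"
printf '/sbin/sh\n/bin/sh\n/bin/csh\n/bin/ksh\n%s/guestscript\n' "$demo_dir" > "$demo_dir/shells"
audit_captive_account "$demo_dir/passwd" "$demo_dir/shells" guest1 && echo "guest1: OK"
audit_captive_account "$demo_dir/passwd" "$demo_dir/shells" guest2 || echo "guest2: broken"
rm -r "$demo_dir"
```

Run it against the real files with `audit_captive_account /etc/passwd /etc/shells guest1`; the checks are deliberately the three things the thread turns on (the passwd shell field, the /etc/shells listing, and the setuid bit), using only ls, awk, grep and cut so they work on an old system too.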
Mike Rightmire
Frequent Advisor

Re: Limiting user logon and always running script as root

Dear Rob and Sam,

Thanks for the great advice! You are both right on target, however (unfortunately) you both got me half way there...and your answers SEEM to be mutually exclusive.

I tried the rsh option, which worked fantastically for limiting the user; however, for some reason it refuses to allow me to run the script.

The script is running a command that can only be run by root, and needs to create logfiles in other directories. I have the suid set so the command will run if the user is logged in with a regular shell, and I tried having the logfiles created in the restricted user's home directory, but the issue seems to be with the command which can only be run as root. It does not want to run if invoked from the restricted shell.

I also tried changing the passwd file so the script runs as the shell when the user logs on, but all I get when logging the user on is a "no shell" error. I tried to add the path to the /etc/shells file (which did not exist, so I created it) but that did not work either. As this is HP-UX 10.20, I wonder if there is not a "shells" file which it looks to so that would work.

So, we are about half way there. Any other suggestions to either get the above issues resolved, or a different route to the end result?

Thanks again!
Mike
Patrick Wallek
Honored Contributor

Re: Limiting user logon and always running script as root

You could use sudo to do this. Sudo allows you to set users up to run things with root privilege without actually giving out the root password. You can download sudo at http://hpux.cs.utah.edu/hppd/hpux/Sysadmin/sudo-1.6.2b1/

What you can do with this is have the user's shell set to the restricted shell. Then have sudo set up so that the user can run the script. At the shell prompt the user would enter 'sudo scriptname'.

Another option would be to set up the .profile so that it will do an "exec sudo scriptname" and that way when the user gets done with the script the login will be terminated.
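As an added example (not from the thread and not from the sudo project), here are the pieces of the sudo route Patrick describes, written for least privilege: a sudoers rule that allows exactly one command with no arguments, a .profile that execs it so the session ends with the script, and a check that the script sudo will run as root is not writable by anyone else. The user name, script path and sudo location are constructed placeholders.

```shell
#!/bin/sh
# Added example: building the sudo route with least privilege. Not from the
# thread; user, script and sudo paths below are constructed placeholders.

# sudoers_rule USER SCRIPT -> prints a rule allowing USER to run SCRIPT as
# root and nothing else. The trailing "" in sudoers syntax means "no
# arguments allowed", so the user cannot pass the script anything extra.
sudoers_rule() {
    printf '%s ALL=(root) NOPASSWD: %s ""\n' "$1" "$2"
}

# captive_profile SCRIPT SUDO -> prints a .profile that execs SCRIPT through
# SUDO so the session ends when the script exits (Patrick's "exec sudo
# scriptname"). Signals are ignored first: if the user could interrupt
# .profile before the exec, they would land in the shell instead.
captive_profile() {
    cat <<EOF
PATH=/usr/bin:/bin; export PATH
trap '' 1 2 3 15
exec $2 $1
EOF
}

# script_safe_for_root FILE -> 0 when FILE is neither group- nor
# world-writable (ls -l columns 6 and 9). Anyone who can edit a script that
# sudo runs as root can run their own commands as root, so this must hold.
script_safe_for_root() {
    case "$(ls -ld "$1" | cut -c6,9)" in
        *w*) return 1 ;;
        *)   return 0 ;;
    esac
}

# Demo with constructed values: print the rule and the profile, then check
# a constructed copy of the script for unsafe permissions.
user=guest1 script=/bin/guestscript sudo_bin=/usr/local/bin/sudo
echo "sudoers line:";   sudoers_rule "$user" "$script"
echo ".profile:";       captive_profile "$script" "$sudo_bin"
demo=$(mktemp)
printf '#!/bin/sh\necho "guest menu would run here"\n' > "$demo"
chmod 775 "$demo"
script_safe_for_root "$demo" || echo "$demo: group/world writable, fix before adding to sudoers"
rm -f "$demo"
```

Install the printed rule with visudo rather than by editing sudoers directly, and keep the script root-owned with mode 755 or tighter; with the `""` suffix, a user who types `sudo /bin/guestscript anything` is refused, which is what limits the account to "run the script and answer its prompt".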
Mike Rightmire
Frequent Advisor

Re: Limiting user logon and always running script as root

Hmmm...OK. I got it to work, but I can't explain something. Maybe you can help.

I looked into SUDO, which looks like a fantastic solution, however I still need to play with it to see if I can get it functioning.

I DID manage to get the script to run as the logon shell, which works exactly for what I need, however...I was not able to get it to function by editing the passwd file.

When I changed the logon script in the /etc/passwd file to /home/username/scriptname, and then tried to logon, I got a 'no shell' error.

If I went into SAM, removed the account, recreated the account (exactly the same) and placed the /home/username/scriptname THROUGH SAM as the logon shell, it worked great.

Any explanations??!

Thanks though for all the help! I got it to work!
Mike
Sam Nicholls
Trusted Contributor

Re: Limiting user logon and always running script as root

Mike,

Has your system been converted to trusted? I don't really understand why it worked via SAM but not via direct editing of /etc/passwd and /etc/shells. On my non-trusted, 10.20 system, I was able to do it just like I detailed in my first reply.

Maybe on trusted systems there is additional magic that must be done and SAM does it automatically. Now that the magic appears to have been done, you may be able to add/modify additional users by editing /etc/passwd.

-sam
Mike Rightmire
Frequent Advisor

Re: Limiting user logon and always running script as root

Hey Sam,

I really can't answer the question of whether the system has been converted to trusted, as I really just inherited them.

How would I check?