zxcv
Super Advisor

No rights to create a file called cat,ll

Hi,

In my environment a user must not be able to create files such as cat, ll, mv, which are standard Unix commands.

How can I achieve this?

OS: HP-UX 11i v2

Dennis Handly
Acclaimed Contributor

Re: No rights to create a file called cat,ll

What can the users do?  To prevent them from creating files by this name, you have to disallow mv, chmod, touch, cat, cp, editors, etc.

zxcv
Super Advisor

Re: No rights to create a file called cat,ll

Hi Dennis,

How do I disallow them?

Doug O'Leary
Honored Contributor

Re: No rights to create a file called cat,ll

Hey;

To my knowledge, you really can't prevent this.  If you distrust your users to this point, then they shouldn't have access to the system.

Another way of looking at this: you're trying to fix something that's not a problem.  Even if a user does create a script that has the same name as a normal UNIX utility, the normal utilities will show up in the path statement *before* anything a normal user can create, assuming you don't have write access to binary directories for users other than root.  Root and other application administration accounts need to be limited access: only a specific (small) number of people can access them.

So, even if Billy Blackhat does create a 'cat' script, none of the administrative accounts will run it.  However, what if Billy Blackhat has access to a privileged account?  The right answer still isn't the prohibition that you're looking for.  The right answer is some type of change management software: tripwire, OSSEC, something along those lines.  cfengine will also do the trick, but it'd be a bit more work, I'd imagine.

Doug O'Leary


------
Senior UNIX Admin
O'Leary Computers Inc
linkedin: http://www.linkedin.com/dkoleary
Resume: http://www.olearycomputers.com/resume.html
Dennis Handly
Acclaimed Contributor

Re: No rights to create a file called cat,ll

> how do I disallow them?

Possibly by creating wrappers and making sure that PATH can't be changed.  You probably need a restricted shell.

Or if there is a single application you want users to run, you can set up a menu in their .profile so that it just runs that application.

> you really can't prevent this.  If you distrust your users to this point, then they shouldn't have access to the system.

Right.

> Even if a user does create a script that has the same name as a normal UNIX utility, the normal utilities will show up in the path statement *before* anything a normal user can create assuming you don't have write access to binary directories for users other than root.

That's not true for users.  And better not be true for root (. in PATH).  (If that's what you are trying to protect.)

Torsten.
Acclaimed Contributor

Re: No rights to create a file called cat,ll

This is exactly the reason why you should never have "." in PATH (especially as root).

Hope this helps!
Regards
Torsten.

__________________________________________________
There are only 10 types of people in the world -
those who understand binary, and those who don't.

__________________________________________________
No support by private messages. Please ask the forum!
Doug O'Leary
Honored Contributor

Re: No rights to create a file called cat,ll

> This is exactly the reason why you should never have "." in PATH (especially as root).

And non-world-writable binaries/bin directories

and limited access to root and other administrative accounts

and.. and..

I was really trying to avoid drafting a whole UNIX security white paper; however, you and Dennis very accurately (and correctly) pointed out the drawback with my approach.

To the original poster: There are a very large number of tasks that should be done to secure a UNIX box; even more that can be done, but don't necessarily have to be done.  What you're asking, even if it is possible, will cause more problems than it will fix.

Hope that helps.

Doug O'Leary


------
Senior UNIX Admin
O'Leary Computers Inc
linkedin: http://www.linkedin.com/dkoleary
Resume: http://www.olearycomputers.com/resume.html
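The two checks Torsten and Doug describe above (no "." or empty entry in PATH, no world-writable directories in PATH) as a small POSIX sh audit script. This is an added example, not code from the thread or from HP; the function name check_path and the constructed PATH values are assumptions.

```sh
#!/bin/sh
# Audit a PATH value for the weaknesses discussed in the thread:
#  1. "." , an empty field (leading, trailing or doubled colon) or any relative
#     entry, which makes the shell search the current directory, so a script a
#     user created called "cat" or "ll" runs instead of the system command;
#  2. directories on the PATH that are world-writable, so any user can place
#     such a script where every account, root included, will find it.
# Usage: check_path "$PATH"   -> exit status 0 = clean, 1 = findings printed.
check_path() {
    rest="$1:"          # sentinel colon so the last entry is handled like the rest
    rc=0
    while [ -n "$rest" ]; do
        dir=${rest%%:*}         # entry before the first colon
        rest=${rest#*:}         # everything after it
        case $dir in
            ''|.|./*)
                echo "unsafe: current-directory entry '${dir:-<empty>}'"
                rc=1; continue ;;
            /*) ;;              # absolute path, fall through to the mode check
            *)
                echo "unsafe: relative entry '$dir'"
                rc=1; continue ;;
        esac
        # Skip entries that do not exist yet; nothing can be hijacked there today.
        [ -d "$dir" ] || continue
        # -H follows a symlinked PATH entry (e.g. /bin -> usr/bin) so the mode of
        # the target directory is tested; -prune keeps find on the directory itself.
        if [ -n "$(find -H "$dir" -prune -perm -002 -print 2>/dev/null)" ]; then
            echo "unsafe: world-writable directory '$dir'"
            rc=1
        fi
    done
    return $rc
}

# Demo: audit the caller's PATH (or a value given as the first argument).
if check_path "${1:-$PATH}"; then
    echo "PATH looks clean"
fi
```

Run it from the .profile of administrative accounts, or against the PATH set by a restricted-shell wrapper, to confirm the setting stays the way Dennis suggests.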
Chirag Parikh
Frequent Advisor

Re: No rights to create a file called cat,ll

Hi,

HP-UX Containers is the product that might help you with the configuration you are looking for.

Regards,

Chirag Parikh