07-23-2012 02:17 AM
No rights to create a file called cat,ll
Hi,
In my environment, a user must not be able to create files such as cat, ll, mv, which are standard Unix commands.
How can I achieve this?
OS: HP-UX 11i v2

07-23-2012 02:52 AM
Re: No rights to create a file called cat,ll
What can the users do? To prevent them from creating files by this name, you have to disallow mv, chmod, touch, cat, cp, editors, etc.

07-23-2012 06:19 AM
Re: No rights to create a file called cat,ll
Hi Dennis,
How do I disallow them?

07-23-2012 08:07 AM
Re: No rights to create a file called cat,ll
Hey;
To my knowledge, you really can't prevent this. If you distrust your users to this point, then they shouldn't have access to the system.
Another way of looking at this: you're trying to fix something that's not a problem. Even if a user does create a script that has the same name as a normal UNIX utility, the normal utilities will show up in the path statement *before* anything a normal user can create assuming you don't have write access to binary directories for users other than root. Root and other application administration accounts need to be limited access: only a specific (small) number of people can access them.
So, even if Billy Blackhat does create a 'cat' script, none of the administrative accounts will run it. However, what if Billy Blackhat has access to a privileged account? The right answer still isn't the prohibition that you're looking for. The right answer is some type of change management software: tripwire, OSSEC, something along those lines. cfengine will also do the trick, but it'd be a bit more work, I'd imagine.
Doug O'Leary
------
Senior UNIX Admin
O'Leary Computers Inc
linkedin: http://www.linkedin.com/dkoleary
Resume: http://www.olearycomputers.com/resume.html

07-23-2012 10:32 AM
Re: No rights to create a file called cat,ll
>how do I disallow them?
Possibly by creating wrappers and making sure that PATH can't be changed. You probably need a restricted shell.
Or if there is a single application you want users to run, you can set up a menu in their .profile so that it just runs that application.
>you really can't prevent this. If you distrust your users to this point, then they shouldn't have access to the system.
Right.
>Even if a user does create a script that has the same name as a normal UNIX utility, the normal utilities will show up in the path statement *before* anything a normal user can create assuming you don't have write access to binary directories for users other than root.
That's not true for users. And better not be true for root (. in PATH). (If that's what you are trying to protect.)

07-23-2012 11:06 AM
Re: No rights to create a file called cat,ll
This is exactly the reason why you should never have "." in PATH (especially as root).
Hope this helps!
Regards
Torsten.
__________________________________________________
There are only 10 types of people in the world -
those who understand binary, and those who don't.
__________________________________________________
No support by private messages. Please ask the forum!
If you feel this was helpful please click the KUDOS! thumb below!

07-23-2012 11:23 AM
Re: No rights to create a file called cat,ll
>>This is exactly the reason why you should never have "." in PATH (especially as root).
And non-world writable binaries/bin directories
and limited access to root and other administrative accounts
and.. and..
I was really trying to avoid drafting a whole UNIX security white paper; however, you and Dennis very accurately (and correctly) pointed out the drawback with my approach.
To the original poster: There is a very large amount of tasks that should be done to secure a UNIX box; even more than can be done, but doesn't necessarily have to be done. What you're asking, even if it is possible, will cause more problems than it will fix.
Hope that helps.
Doug O'Leary
------
Senior UNIX Admin
O'Leary Computers Inc
linkedin: http://www.linkedin.com/dkoleary
Resume: http://www.olearycomputers.com/resume.html
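
A check for the two conditions raised in the replies above ("." or an empty entry in PATH, and world-writable bin directories), added here as an example and not posted by anyone in the thread. The function name `audit_path` and the sample PATH value are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a PATH value for entries that let
# a user-created "cat" or "ll" shadow the real utility.

# audit_path PATHVALUE
# Prints one finding per line; returns 1 if anything was found, else 0.
audit_path() {
    ap_rest="$1:"          # trailing ':' so the last entry is also consumed
    ap_bad=0
    while [ -n "$ap_rest" ]; do
        ap_dir=${ap_rest%%:*}     # first entry
        ap_rest=${ap_rest#*:}     # remainder after the first ':'
        case "$ap_dir" in
            "")  echo "EMPTY (searched as current directory)"; ap_bad=1; continue ;;
            /*)  ;;                                   # absolute: check mode below
            *)   echo "RELATIVE: $ap_dir"; ap_bad=1; continue ;;
        esac
        # -L follows symlinks such as /bin -> /usr/bin; -d lists the directory itself.
        ap_mode=$(ls -ldL "$ap_dir" 2>/dev/null) || continue   # missing entry: skip
        case "$ap_mode" in
            d???????w*) echo "WORLD-WRITABLE: $ap_dir"; ap_bad=1 ;;   # 9th char = other-write
        esac
    done
    return "$ap_bad"
}

# Constructed sample value: "." and the trailing ":" are both current-directory entries.
audit_path "/usr/bin:.:/bin:" || echo "PATH needs fixing"
```

Run it against root's PATH and against the PATH set in system-wide profile files; a clean result prints nothing and returns 0.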

07-23-2012 09:40 PM
Re: No rights to create a file called cat,ll
Hi,
HP UNIX Containers is the product which might help you for the configuration which you are looking for.
Regards,
Chirag Parikh