
To restrict the PATH on UNIX.


Hi.

I'm trying to restrict the path for a user on Unix.
The user has a home directory in /dir1/dir2/dir3
There are more directories, and I need the user not to enter another directory.

Can anybody help me to do this?

My OS is HP-UX B.11.31 U ia64

Thanks.

Regards.
10 REPLIES
Sri_kanth
Advisor

Re: To restrict the PATH on UNIX.

Hi,

For the directory you don't want the user to access, you can set the permission on that directory: chmod 700
Dennis Handly
Acclaimed Contributor
Solution

Re: To restrict the PATH on UNIX.

The restricted shells, rsh/rksh do not let you use cd. Nor specify files or paths with "/".

Re: To restrict the PATH on UNIX.

Hi Sri sam

I did that procedure but it wasn't successful.

# cd /tmp
# mkdir dir1
# cd dir1
# mkdir dir2
# cd dir2
# mkdir dir3
# groupadd prueba
# useradd unix
# ll
total 0
drwxr-xr-x 2 root sys 96 May 11 11:44 dir3
# chown unix:prueba dir3
# ll
total 0
drwxr-xr-x 2 unix prueba 96 May 11 11:44 dir3
# cd dir3
# mkdir dir4
# ll
total 0
drwxr-xr-x 2 root sys 96 May 11 11:45 dir4
# chgrp users dir4
# ll
total 0
drwxr-xr-x 2 root users 96 May 11 11:45 dir4
# chmod 770 dir4
# ll
total 0
drwxrwx--- 2 root users 96 May 11 11:45 dir4
# cd ../..
# chgrp users dir2
# chmod 770 dir2
# cd ..
# chgrp users dir1
# chmod 770 dir1

passwd file [/etc/passwd]:
unix:*:115:109::/tmp/dir1/dir2/dir3:/sbin/sh

group file [/etc/group]:
prueba::109:

But when I log in with the unix user, its home directory is in the / directory. I guess it is because the dir1 has 770 Permissions.

---------------------------------------------

Hi Dennis Handly.

Thanks for your response.
It works!

Thank you.

Regards. :)

Re: To restrict the PATH on UNIX.

Hi again.

I have a question about the rsh.
This shell does not allow changing to any directory.
Is there a way to change directory only within my path?
For example:
$ whoami
dsarmien
$ pwd
/home/dsarmien
$ ll
total 0
drwxr-xr-x 2 dsarmien users 96 May 11 12:47 dir1
$ cd dir1
$ ll
total 0
$ pwd
/home/dsarmien/dir1

But in other directories the system would restrict the access?
$ cd /
rsh: cd: The operation is not allowed in a restricted shell.
$ cd ../..
rsh: cd: The operation is not allowed in a restricted shell.
$

Any idea?

Thanks.

DASM
Steven E. Protter
Exalted Contributor

Re: To restrict the PATH on UNIX.

Shalom DASM,

1) You can restrict path all you like, the user however can change it back.

2) Your restricted shell is working correctly in your last post. The point is to prevent cd up to root.

3) You have a third option called chroot ssh. Secure Shell (openssh) for HP-UX comes with a script to create a chroot ssh environment, but the response to your cd commands in your last post will be identical.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Dennis Handly
Acclaimed Contributor

Re: To restrict the PATH on UNIX.

>Is there a way to change directory only within my path?

rsh allows you to create aliases or functions that can invoke an unrestricted cd.

What you need to do is put enough checking there. Or always insert $HOME in front.
Aneesh Mohan
Honored Contributor

Re: To restrict the PATH on UNIX.

Hi,

>>There are more directories, and I need the user not to enter another directory.

You can create a jail and limit a particular user's directories using chroot in /etc/passwd of the user.

or

Use
/opt/ssh/ssh_chroot_setup.sh


Aneesh
Suraj K Sankari
Honored Contributor

Re: To restrict the PATH on UNIX.

hi,
you need to implement chroot...

http://tldp.org/HOWTO/Chroot-BIND-HOWTO.html

Suraj

Re: To restrict the PATH on UNIX.

Hi Steven, Dennis, Aneesh and Suraj.
Thanks for your responses.

Dennis, please could you tell me how can I insert $HOME in front?
That procedure is in the .profile file?

I understand the chroot is an operation that changes the apparent disk root directory for the current running process and its children, but what do I need to change in /etc/passwd of the user?

I followed the instructions according to http://tldp.org/HOWTO/Chroot-BIND-HOWTO-2.html but it was not successful.

Can anybody help me, please?

Thanks

DASM
Dennis Handly
Acclaimed Contributor

Re: To restrict the PATH on UNIX.

>please could you tell me how can I insert $HOME in front? That procedure is in the .profile file?

It turns out it is less than ideal. You can't use aliasing nor functions. Nor can you use the name "cd".

If you set up a bin directory that doesn't allow write access to it or the files under it, you can create a script there called mycd:
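#!/usr/bin/sh
# Change to the requested directory under $HOME; stop if it does not exist.
cd "$HOME/$1" || exit 1
# Replace this script with a fresh restricted shell in the new directory.
exec /usr/bin/rsh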

Then you can just use "mycd directory-path".

Unfortunately you will fork a new rsh each time you use this script:
yuk_rsh 10169 10166 -rsh
yuk_rsh 10185 10169 /usr/bin/rsh
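
Added example, not part of the thread and not any poster's code: a stricter variant of the mycd idea above that resolves the requested path and refuses anything ending up outside $HOME, whether through ".." or a symbolic link. The function names are hypothetical; it assumes a POSIX sh that supports cd -P and pwd -P, and reuses the /usr/bin/rsh path from the post.

```shell
#!/usr/bin/sh
# Added example: a mycd-style wrapper that only enters directories that
# are $HOME itself or lie beneath it. Function names are hypothetical.

# Print the physical path of "$1/$2" if it stays inside "$1".
# Return 1 if it does not exist or resolves to somewhere else.
resolve_under_home() {
    base=$(cd -P -- "$1" 2>/dev/null && pwd -P) || return 1
    # Resolve ".." components and symbolic links in a subshell, so the
    # caller's working directory is left untouched.
    target=$(cd -P -- "$base/$2" 2>/dev/null && pwd -P) || return 1
    case "$target" in
        "$base" | "$base"/*) printf '%s\n' "$target" ;;
        *) return 1 ;;
    esac
}

# Wrapper body: validate, change directory, start a new restricted shell.
mycd_main() {
    dest=$(resolve_under_home "$HOME" "${1:-.}") || {
        echo "mycd: $1: not a directory under $HOME" >&2
        return 1
    }
    cd -- "$dest" || return 1
    exec /usr/bin/rsh
}

# Run the wrapper only when this file is installed and invoked as "mycd".
if [ "${0##*/}" = mycd ]; then
    mycd_main "$@"
fi
```

As in the post, the script belongs in a bin directory the restricted user cannot write to; each call still starts a new rsh process.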