HPE Community read-only access December 15, 2018
This is a maintenance upgrade. You will be able to read articles and posts, but not post or reply.
Hours:
Dec 15, 4:00 am to 10:00 am UTC
Dec 14, 10:00 pm CST to Dec 15, 4:00 am CST
Dec 14, 8:00 pm PST to Dec 15, 2:00 am PST
cancel
Showing results for 
Search instead for 
Did you mean: 

restricting access

 
SOLVED
Go to solution
kunjuttan
Super Advisor

restricting access

Hi Gurus,
I would like to know what is to be done to restrict users to acess some commands like rm,del etc??ie I want all these commands to be used by root only.
7 REPLIES
Michal Kapalka (mikap)
Honored Contributor

Re: restricting access

hi,

could you please explain me, why you need to make it ??? i think this are standard commands in Unix enviroment, and if you are scared, that the user will delete some system files, you should make some restriction on User permition, normal user can't delete files thats not owned.

mikap
Matti_Kurkela
Honored Contributor

Re: restricting access

First, read the man page of the shell that is used by your users (for the HP-UX default shell, run "man sh-posix" and start reading).

If the commands you want to restrict are shell's internal commands, you need to change the user's shell to a special restricted version (rsh). "man sh-posix" has instructions for setting up the rsh environment: you will need to configure everything that the user is *allowed* to do.
With rsh, you must be careful to not allow the use of any tool that includes the ability to run unrestricted shell commands.

If the commands you want to restrict are available only as separate binaries (e.g. in /usr/bin), you can change their permissions to remove the execute permission from normal users. You might also want to create a group for users that *are* allowed to execute such commands, and make those commands executable by that group only.

Making basic file manipulation commands like "rm" unavailable to regular command line users is usually futile: there are many other ways to delete a file. For example, move another file to overwrite the target file, then move it back. Or if they have access to a C compiler, they could easily build their own rm command.

Your users might learn tricks like that, or they might simply dump all their work on the restricted system to the system administrator (you) because they will really hate reporting every filename mistake to someone else to be fixed. Or they might request root access to the system "because nothing can be done without it": if they can get a boss to approve that, your work to secure the system will become worthless.

What's the actual problem you're trying to solve by restricting access to some basic commands?

MK
MK
Viktor Balogh
Honored Contributor
Solution

Re: restricting access

If you want to protect some files from deletion, set its permission corresponding. That's all. Think about it, everyone might need to remove his/her own files sometimes, otherwise you'll end up with 100% filesystem usage and a lot of garbage.
****
Unix operates with beer.
OldSchool
Honored Contributor

Re: restricting access

"restrict users to acess some commands like rm,del etc??"

A better question might be why do you think you need to do so? It's usually futile, and if you actually manage to do so, you end up having to manage there home directories as well (since they can't clean it up either)

permissions, when appropriately set, should be sufficient

kunjuttan
Super Advisor

Re: restricting access

Thats fine dudes..But I just want to know is there is any way to do it.Thats it..
Vishu
Trusted Contributor

Re: restricting access

Dipesh,

Why dont you try to first find out yourself on the internet or the man pages. I can see whatever doubt you have, you just post here.

Please first try yourelf. There are lots of other forums like this already posted or also there are so many docs available in HP for this. Asking doubts and doubts and doubts only is not the purpose here. I hope you understand this.

People spare their valuable time from their daily routine job to look into this forum to help others. So, please come up with the doubts if you have not found it anywhere else.

Thanks
Viktor Balogh
Honored Contributor

Re: restricting access

>Thats fine dudes..But I just want to know is there is any way to do it.Thats it..

yep, in theory, there's a way:

# ll /usr/bin/rm
-r-xr-xr-x 2 bin bin 28672 Sep 7 2007 /usr/bin/rm

remove the execute flag for group and others:

# chmod g-x /usr/bin/rm
# chmod o-x /usr/bin/rm

But: DON'T TRY THIS AT HOME!!!
****
Unix operates with beer.