
Allowing certain commands in a restricted shell

Michael Campbell
Trusted Contributor

Allowing certain commands in a restricted shell

Hi

I am having a bit of trouble using restricted shell.

I have set up a PC with Reflection X to use as a Glance monitoring station.

I have set up a gpmuser with /usr/bin/rsh as its shell, created a bin directory in its home directory and copied in the gpm program.

I have restricted access to these directories (555 for /home/gpmuser and /home/gpmuser/bin).

PATH=/home/gpmuser/bin in .profile

The trouble starts when I try to connect to the server through the Reflection X program which needs to run /usr/bin/X11/xauth and /usr/bin/X11/hpterm to set the IP address and other parameters for the X Window. I get the "The operation is not allowed in a restricted shell" error. I have also tried to copy these two files into /home/gpmuser/bin and even added /usr/bin/X11 to the PATH but I still get the same error.

Any Help Appreciated

Michael
Cheryl Griffin
Honored Contributor

Re: Allowing certain commands in a restricted shell

See rsh Restrictions
http://www.docs.hp.com/hpux/onlinedocs/B2355-60103/00/03/390-con.html

"The system administrator often sets up a directory of commands (usually /usr/rbin) that can be safely invoked by rsh. HP-UX systems provide a restricted editor red (see ed(1) ), suitable for restricted users."

Maybe if you add /usr/bin/X11/xauth and /usr/bin/X11/hpterm to /usr/rbin/xauth and /usr/rbin/hpterm it will work.
"Downtime is a Crime."
Steve Steel
Honored Contributor

Re: Allowing certain commands in a restricted shell

Hi


I believe that the reflection soft adds the paths so it will always use a / which is not allowed by rsh


Try logging in with a normal shell and at the end of the user's .profile


rsh
exit


Then user will work in rsh and logout afterwards


Can also try
ln -s /usr/bin/X11/hpterm hpterm
ln -s /usr/bin/X11/xauth xauth

in the users home directory then there is a soft link to the correct commands


Steve Steel
If you want truly to understand something, try to change it. (Kurt Lewin)
Bill Hassell
Honored Contributor
Solution

Re: Allowing certain commands in a restricted shell

A restricted shell is *really* restricted. The $PATH value is meaningless when you add /usr/bin/X11 because it does not exist for that user. The $HOME for this user is all there is...the user sees $HOME as / and cannot cd above /. The commands hpterm, xauth and gpm cannot run without their shared libraries...there are no shared libraries available in the restricted user's directory. You could try copying /usr/lib but that will require 250 to 350 megs of space.

Reflection/X (and tools like hpterm) are really overkill in this situation. You do not need to use Reflection/X to login at all. Just run Reflection/X, then minimize the program so it runs in passive mode. Now use telnet (or better yet, ssh if you have it set up on the HP-UX system). Once you login (a normal user account), set the DISPLAY value with:

export DISPLAY=$(who -muR):0

Now run gpm and it should popup on your PC. If all that works, create a login script which includes setting the DISPLAY value and running gpm, followed by a logout. Once it is working, change the gpmuser shell to the full pathname of the script. Now when the user logs in, gpm will start and once gpm is stopped, the user will be logged out.


Bill Hassell, sysadmin
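
The login script described in the accepted answer could look like the following. This is an added example, not code from the thread: the script name `gpm_login`, the gpm path, and the assumption that the client host is the last field of the `who -muR` output are illustrative.

```shell
#!/usr/bin/sh
# Added example: gpm_login, a login script for gpmuser (hypothetical name).
# login/sshd start it in place of a shell; any "-c command" arguments a
# client passes are ignored because "$@" is never used.

GPM=/opt/perf/bin/gpm            # assumption: adjust to the local gpm path

# Turn the output of `who -muR` into a DISPLAY value, or fail.
# Assumption: the client host is the last field, optionally in parentheses.
display_from_who() {
    host=
    set -f                       # do not glob-expand the fields
    for field in $1; do host=$field; done
    set +f
    host=${host#\(}; host=${host%\)}
    case $host in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;   # empty or unexpected characters
    esac
    printf '%s:0\n' "$host"
}

main() {
    PATH=/usr/bin; export PATH   # fixed PATH, nothing taken from the user
    DISPLAY=$(display_from_who "$(who -muR)") || {
        echo "gpm_login: cannot determine client host" >&2
        exit 1
    }
    export DISPLAY
    exec "$GPM"                  # no shell remains; session ends with gpm
}

# Run only when installed under its own name, so display_from_who can be
# checked separately.
case ${0##*/} in
    gpm_login) main ;;
esac
```

Because the script never reads its arguments or the user's environment for commands, the account has no path to an interactive prompt once this file is set as its shell.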