- Avoid users to remove the .profile
08-11-2003 02:10 AM
Sticky bit is not the solution. I tested this.
08-11-2003 02:16 AM
Re: Avoid users to remove the .profile
assigning the root:bin ownership, and permission rrr ?
Massimo
08-11-2003 02:18 AM
Re: Avoid users to remove the .profile
The user will be able to create files in their home dir by using the group write permission, but will allow others in the same group to enter their directory and do likewise. Perhaps the user who you want to stop removing their .profile should have a group all of their own.
08-11-2003 02:24 AM
Re: Avoid users to remove the .profile
I already found this solution. I hoped someone has found another way around :)
Too bad..... this is a nice feature of HP-UX.
Thanks,
Clemens
08-11-2003 02:26 AM
Re: Avoid users to remove the .profile
to read-only. Otherwise the user can do whatever he likes. Other options are: using aliases, changing the rm binary to point to some other script with condition checks, or (that's a wild one :)) mounting a read-only .profile from some place.
08-11-2003 04:05 AM
Re: Avoid users to remove the .profile
1 - the user will not be able to write to their home dir
2 - if the user is in the "group" then they can/will do chmod on their home dir.
I think the only way is to set the permissions of the .profile to 444 (read, read, read) & the ownership root:sys.
To me this is an upside down question, usually security people will be saying "How do we stop people creating .profiles, as it is a security risk"!
Just my 0.02???
Regards
Tim
08-11-2003 04:18 AM
Re: Avoid users to remove the .profile
08-11-2003 04:22 AM
Re: Avoid users to remove the .profile
Removing write permission to a file doesn't prevent removing from directory.
08-11-2003 04:23 AM
Re: Avoid users to remove the .profile
1. If the permissions are 570 on the user's home dir and he belongs to the group that has rwx then he CAN write to his home dir. This is what I said in my earlier reply.
2. If the user does NOT own his home dir then he CANNOT change its ownership, so .profile will remain safe and undeletable (if owned by root:sys and permissions 444).
It is a good solution, and works. Try it yourself.
08-11-2003 04:25 AM
Re: Avoid users to remove the .profile
08-11-2003 04:42 AM
Re: Avoid users to remove the .profile
Try this:
mv .profile /tmp/.profile
cp /tmp/.profile .profile
vi .profile
chmod 444 .profile
chown root:sys .profile
and no one will ever notice the changes you made ;-)
08-11-2003 04:49 AM
Re: Avoid users to remove the .profile
Hi... I did not appreciate the subtleties of your reply!!!
Anyway, I also remember a question on HP certification which said words akin "to which one of these permissions is unsuitable"
a r--r--r--
b rw-rw-r--
c r--rw-rw-
The answer is c because the group & world perms are greater than the owner perms. Hence my hackles were raised at perms of 570.
Regards
Tim
08-11-2003 05:08 AM
Re: Avoid users to remove the .profile
How can you mv .profile to /tmp if you don't own the directory you are in? You get an error: mv: .profile: cannot unlink, Not owner
I have spotted a problem: of course the homedir permissions must be 1570, not 570, in addition to being owned by root. The sticky bit needs to be set to ensure only the owner can rm/mv files in it.
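Added example (not part of the original post): a small POSIX sh model of the unlink rule the thread is arguing about, run over the directory layouts proposed so far. It assumes the classic sticky-bit rule (file owner, directory owner or root may remove); the uid/gid numbers are constructed.

```shell
# can_remove UID "GIDS" DIR_UID DIR_GID DIR_MODE FILE_UID  -> prints yes|no
can_remove() {
    uid=$1 gids=$2 duid=$3 dgid=$4 mode=$((0$5)) fuid=$6
    if [ "$uid" -eq 0 ]; then echo yes; return 0; fi
    # Exactly one permission class applies: owner, else group, else other.
    if [ "$uid" -eq "$duid" ]; then
        bits=$(( (mode >> 6) & 7 ))
    else
        bits=$(( mode & 7 ))
        for g in $gids; do
            if [ "$g" -eq "$dgid" ]; then bits=$(( (mode >> 3) & 7 )); fi
        done
    fi
    # Unlinking needs write (2) and search (1) on the directory itself;
    # a 444 mode on .profile plays no part in this check.
    if [ $(( bits & 3 )) -ne 3 ]; then echo no; return 0; fi
    # Sticky directory (assumed classic rule): only the file's owner or the
    # directory's owner may remove or rename an entry.
    if [ $(( mode & 01000 )) -ne 0 ] && [ "$uid" -ne "$fuid" ] \
        && [ "$uid" -ne "$duid" ]; then
        echo no; return 0
    fi
    echo yes
}

# Constructed cases: user uid 1001 in gid 20, .profile owned by root (uid 0).
demo() {
    echo "user-owned home, 755:        $(can_remove 1001 20 1001 20 755 0)"
    echo "user-owned home, 1755:       $(can_remove 1001 20 1001 20 1755 0)"
    echo "root-owned home, 570:        $(can_remove 1001 20 0 20 570 0)"
    echo "root-owned home, 1570:       $(can_remove 1001 20 0 20 1570 0)"
    echo "same, file owned by user:    $(can_remove 1001 20 0 20 1570 1001)"
}
demo
```

The second case shows why a sticky bit alone did not help the original poster: the user still owns the directory. Only the root-owned 1570 layout protects a root-owned .profile while leaving the user's own files removable.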
08-11-2003 05:20 AM
Re: Avoid users to remove the .profile
To me, the solution with the sticky bit is bulletproof. I could be wrong, but is it possible that in some Linuxes they create a 'personal secondary group' per user in order to provide the functionalities we're discussing here?
08-11-2003 05:38 AM
Re: Avoid users to remove the .profile
Of course you can prevent a user from deleting his own .profile, but you cannot prevent him/her from always using his own one, i.e. .profile must be readable for the user.
-r--r--r-- 1 root sys 1158 Mar 17 16:35 .profile
OK, I can't change it if .profile has these permissions. But I can do this:
cat .profile > .my_profile
Now I have a .my_profile with my user permissions and I can make changes in there.
And I can always do this:
$ . ./.my_profile
The only thing that I need for that is a directory where I'm allowed to write.
So, if you ask your question because some users should not change their environment then you should ask:
CAN I MAKE ENVIRONMENT VARIABLES READ ONLY??
I have no idea!!
Roland
08-11-2003 05:56 AM
Re: Avoid users to remove the .profile
I had to do a similar thing on my system when I couldn't change the user behavior :-)
08-11-2003 06:02 AM
Re: Avoid users to remove the .profile
Thanks all for the replies !
Everybody is suggesting more or less a similar workaround, since there is no default solution.
I think I'll use the workaround which Kent also suggested.
Thanks ALL,
Clemens
08-11-2003 09:56 AM
Re: Avoid users to remove the .profile
include a check if the user did change his login shell as well.
You might have a correct .profile all in place, but if the user had been able to "chsh /usr/bin/csh" he would be bound to .login and .cshrc instead of .profile
From "man chsh" http://reinolinux.fe.up.pt/cgi-bin/man2html?chsh+1
"... A normal user may only change the login shell for their own account, ...."
Which might certainly not be what you want him to do?
Several doors to close I guess.
Volker
08-11-2003 10:05 AM
Solution
This may be a little late, but in the same vein as Kent's reply. Why not put the .profile check in /etc/profile, that way when a user logs in and their profile is missing a default .profile is copied over. See attached.
I also added some logging so you can see who keeps getting their .profile deleted.
With further tweaking you could do a lookup of the user and copy any custom profile depending on that user's environment needs. I.E. /etc/uskel vs /etc/skel as I used in the example.
later,
bob
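Added example (the attachment is not on this page, so this is not bob's script): one way such a check could look when sourced from the end of /etc/profile. The default path /etc/skel/.profile follows the post; the function names and the "profile-check" syslog tag are assumptions.

```shell
# Added illustration. /etc/profile runs as the user who is logging in,
# so the restored copy ends up owned by that user.
SKEL_PROFILE=${SKEL_PROFILE:-/etc/skel/.profile}

log_event() {
    # syslog keeps the record out of the user's reach; logger errors are ignored
    logger -t profile-check "$1" 2>/dev/null || :
}

# ensure_profile HOME_DIR USER
# Prints one of: present | restored | blocked | failed. Always returns 0
# so that a problem here never aborts the login.
ensure_profile() {
    target=$1/.profile
    if [ -f "$target" ]; then
        echo present; return 0
    fi
    # A directory or dangling symlink named .profile is not written through;
    # it is reported for the administrator to look at.
    if [ -e "$target" ] || [ -L "$target" ]; then
        log_event "unexpected object at $target for $2"
        echo blocked; return 0
    fi
    if cp "$SKEL_PROFILE" "$target" 2>/dev/null && chmod 644 "$target"; then
        log_event "restored missing .profile for $2"
        echo restored
    else
        log_event "could not restore .profile for $2"
        echo failed
    fi
}

# In /etc/profile:  ensure_profile "$HOME" "$LOGNAME" >/dev/null
# Constructed demo in a scratch directory instead of a real home:
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/skel" "$d/home"
    echo 'PATH=/usr/bin:/bin' > "$d/skel/.profile"
    SKEL_PROFILE=$d/skel/.profile
    ensure_profile "$d/home" demo    # first login after deletion
    ensure_profile "$d/home" demo    # next login
    rm -rf "$d"
}
demo
```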
08-12-2003 04:36 AM
Re: Avoid users to remove the .profile
Then, once a day, a scheduled job went to each home directory and if the link was missing, it was re-created. If the user put his own .profile in there, it was removed first.
08-12-2003 07:06 AM
Re: Avoid users to remove the .profile
Solution was at the bottom of /etc/profile:
# Source the root-managed per-user profile, if one exists
if [ -f "/etc/userprofiles/$LOGNAME" ]; then
    . "/etc/userprofiles/$LOGNAME"
fi
Appropriate permissions made this functional equivalent of $HOME/.profile, but non-tamperable.