
Block specific command for a user

 


We have a user called bnk and do not want this user to execute zcat and cpio. Is it possible to block specific commands to a specific user/group?
Dennis Handly
Acclaimed Contributor

Re: Block specific command for a user

Not really. Not unless you replace these commands by a wrapper to check who is using them. And somehow hide the originals away.
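A sketch of the wrapper approach described in the reply above, added here as an example and not code from any poster in this thread. The deny-list file `/etc/cmd.deny`, the directory `/opt/restricted/bin` and the function names are assumptions. It only guards the installed command names; it does nothing about a copy of the program a user brings in.

```shell
#!/bin/sh
# Added illustration: per-user command wrapper. Install it under the names
# of the commands to guard (here zcat and cpio) after moving the original
# binaries into REAL_DIR. All paths and names below are assumptions.

REAL_DIR="${REAL_DIR:-/opt/restricted/bin}"   # hypothetical home of the originals
DENY_FILE="${DENY_FILE:-/etc/cmd.deny}"       # hypothetical list, one "user:command" per line

# is_denied USER COMMAND [FILE]
# Exit status 0 when the pair is listed. A missing or unreadable list
# fails closed: everyone is denied rather than everyone allowed.
is_denied() {
    _user=$1 _cmd=$2 _file=${3:-$DENY_FILE}
    [ -r "$_file" ] || return 0
    while IFS=: read -r _u _c _rest || [ -n "$_u" ]; do
        case $_u in ''|'#'*) continue ;; esac      # skip blanks and comments
        [ "$_u" = "$_user" ] && [ "$_c" = "$_cmd" ] && return 0
    done < "$_file"
    return 1
}

# run_wrapped INVOKED_PATH [ARGS...]
# Refuse with status 126 and a syslog record, or exec the real binary.
run_wrapped() {
    _name=${1##*/}; shift
    _who=$(id -un) || return 126
    if is_denied "$_who" "$_name"; then
        logger -p auth.notice -t cmdwrap "denied $_name for $_who" 2>/dev/null || :
        echo "$_name: not permitted for $_who" >&2
        return 126
    fi
    exec "$REAL_DIR/$_name" "$@"
}

# Dispatch only when invoked under one of the guarded names.
case ${0##*/} in
    zcat|cpio) run_wrapped "$0" "$@" ;;
esac
```
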
Steven Schweda
Honored Contributor

Re: Block specific command for a user

> Not really. Not unless [...]

man acl

[...]
For example, the following optional access control list entries can be associated with our file:
[...]
(george.%,---)
Deny any access to user george in no specific group.
[...]


Why would this be a useful thing to do? What
damage could a normal user do with these
programs, which he could not do just as
easily with some other programs?

Re: Block specific command for a user

My boss's instruction....
Our application uses a user ID for the environment which the app runs.
The database is backed up using zcat and compressed. He wants to ensure if the user was ever compromised they could not extract the data using zcat and cpio. I told him to use crypt on the compressed files but he doesn't think it's secure enough.
Steven Schweda
Honored Contributor

Re: Block specific command for a user

> He wants to ensure [...]

And you can't do that with file permissions
on the data?

And the user can't bring in his own zcat
and/or cpio programs?

> [...] doesn't think it's secure enough.

What would be? GnuPG is available. But who
would be doing the encryption? Who's trying
to hide what from whom?

As usual, it might be more helpful if you
described the actual problem which you are
trying to solve, rather than asking how to
implement some sub-ideal "solution".

Re: Block specific command for a user

There is no problem.
Our backups are done with zcat and cpio via the app we are using. He wanted to know if the application account could be restricted from extracting the data. Just wanted to know if it was possible to block it, maybe using an ACL.
Patrick Wallek
Honored Contributor

Re: Block specific command for a user

Does this same application account create the backups?

Are you wanting it to be able to back up the data with cpio and zcat, but not restore the data using the same commands?
Horia Chirculescu
Honored Contributor

Re: Block specific command for a user

Hello,

> Our backups are done with zcat and cpio via the app we are using. He wanted to know if the application account could be restricted from extracting the data

If some account is used for creating the archive (with zcat), why bother to hide the resulting archive from the person using the same account? I mean if he can access the original data, it is pointless to deny access to some archive that would contain the same data.

Horia.
Best regards from Romania,
Horia.