
disable chmod

SOLVED
romano r
Frequent Advisor


On an HP-UX 11i machine, I need to disable the file owner of a number of users to run "chmod, chgrp, chown". Anyone knows how?
Thank you in advance
romano
Peter Godron
Honored Contributor

Re: disable chmod

Hi,
use an access control list (acl) for the required command. (JFS Filesystem only)

You then have to specify each restricted user. See "man setacl"
Pete Randall
Outstanding Contributor

Re: disable chmod

Or rename chmod something else and replace it with a script which will check who the user is and invoke the renamed/hidden chmod if authorized.

Pete
Hein van den Heuvel
Honored Contributor

Re: disable chmod

Ah! Security through obscurity.
Doesn't really work, but looks ok.
Any user with network access can pull down a chmod executable or write a program, or use a Perl builtin to do the same.

Please try to articulate why chmod would not be permissible and protect the target better rather than hiding the tools.

fwiw,
Hein.
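The two replies above describe the wrapper approach and its weakness. The following is an added example written for this page (not code posted in the thread): first the kind of wrapper Pete Randall suggests, which would be installed in place of /usr/bin/chmod after the real binary is moved aside, and then a demonstration of Hein's point that the wrapper only gates one executable, not the chmod(2) system call. The hidden path `/usr/lbin/.chmod.real`, the allow list `root archive_admin`, and the use of install(1) (as shipped on Linux and BSD; on HP-UX the Perl builtin Hein mentions or a small C program does the same) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread.
# Part 1: a policy wrapper that would be installed as /usr/bin/chmod.
# Part 2: a file owner regains u+w without ever calling /usr/bin/chmod.

HIDDEN_CHMOD="${HIDDEN_CHMOD:-/usr/lbin/.chmod.real}"          # assumed hidden location
CHMOD_ALLOWED_USERS="${CHMOD_ALLOWED_USERS:-root archive_admin}" # assumed allow list

# chmod_allowed USER: succeed if USER appears in the space-separated allow list.
chmod_allowed() {
    for u in $CHMOD_ALLOWED_USERS; do
        [ "$u" = "$1" ] && return 0
    done
    return 1
}

# chmod_wrapper ARGS...: body of the script installed as /usr/bin/chmod.
# Hands off to the hidden binary for listed users, refuses everyone else.
chmod_wrapper() {
    caller=$(id -un)
    if chmod_allowed "$caller"; then
        exec "$HIDDEN_CHMOD" "$@"
    fi
    logger -p auth.warning "chmod refused for $caller: $*" 2>/dev/null
    echo "chmod: permission denied by policy" >&2
    return 1
}

# mode_of FILE: the ten-character permission string from ls, e.g. -r--r--r--
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# bypass_via_install FILE: rewrite FILE through install(1), whose -m option
# calls chmod(2) directly. No chmod(1) binary is involved at any point.
bypass_via_install() {
    install -m 0644 "$1" "$1.tmp" && mv "$1.tmp" "$1"
}

# demo: protect a constructed sample file as 0444, then show the owner
# getting write permission back. Succeeds if the owner write bit is set.
demo() {
    d=$(mktemp -d)
    f="$d/archive.dat"
    echo "constructed sample data" > "$f"
    chmod 0444 "$f"                     # the "protected" state
    before=$(mode_of "$f")
    bypass_via_install "$f"
    after=$(mode_of "$f")
    rm -rf "$d"
    echo "$before -> $after"
    [ "$(echo "$after" | cut -c3)" = "w" ]
}
```

Run `demo` as an ordinary user: the mode goes from `-r--r--r--` to `-rw-r--r--` even if /usr/bin/chmod has been replaced, renamed or made mode 550, because the kernel checks only that the caller owns the file. That is why the wrapper is, as Hein says, obscurity rather than protection: the thing to control is ownership of the archive files, not access to one binary.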
Bill Hassell
Honored Contributor
Solution

Re: disable chmod

This request was probably prompted by big mistakes made by inexperienced users. There is no clean way to restrict commands like these (and ALL the others like vi, rm, mv, etc). You should be looking at replacing the shell the users have with a menu script. The script provides specific commands and no access to anything outside the script.


Bill Hassell, sysadmin
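As an added illustration of Bill Hassell's suggestion (example code written for this page, not something posted in the thread), here is a minimal menu shell of the kind that would be set as the users' login shell in /etc/passwd. It offers a fixed set of actions and never passes user input to another shell. The menu items, the `/archive` path and the environment lock-down details are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: a menu shell that replaces the user's
# login shell so they get a fixed set of actions and no general command line.

ARCHIVE="${ARCHIVE:-/archive}"      # assumed location of the archive

# Lock down the environment so the user cannot influence what the menu runs.
PATH=/usr/bin:/bin; export PATH
unset IFS ENV BASH_ENV CDPATH       # default word splitting, no startup-file surprises
trap '' INT QUIT TSTP               # no breaking out of the loop into a real shell

# menu_dispatch CHOICE: run the action for one menu key.
# Returns 0 on success, 1 for an unknown key, 2 when the user asks to leave.
# User input is only ever matched against fixed patterns, never executed.
menu_dispatch() {
    case $1 in
        1) ls -l "$ARCHIVE" ;;
        2) df -k "$ARCHIVE" ;;
        3) id -un ;;
        q|Q) return 2 ;;
        *) echo "Invalid choice: '$1'" >&2; return 1 ;;
    esac
}

# menu_loop: prompt until the user quits or the input stream closes.
menu_loop() {
    while :; do
        printf '\n1) List archive\n2) Archive disk usage\n3) Who am I\nq) Log out\nChoice: '
        IFS= read -r choice || return 0   # EOF (e.g. ^D) also logs out
        rc=0
        menu_dispatch "$choice" || rc=$?
        [ "$rc" -eq 2 ] && return 0
    done
}

# Only run the menu when started as an interactive (login) shell, so the
# functions above can also be sourced and inspected without side effects.
case $- in
    *i*) menu_loop; exit 0 ;;
esac
```

Two cautions when building on this: keep editors and pagers (vi, more, ...) off the menu, since they offer shell escapes, and never let a menu item accept a free-form argument that ends up in `eval`, `sh -c` or an unquoted command line. Install the script with root ownership and mode 755 so the users it confines cannot edit it.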
Ivan Krastev
Honored Contributor

Re: disable chmod

You can implement ACLs for these binaries - http://docs.hp.com/en/B9106-90012/acl.5.html


regards,
ivan
romano r
Frequent Advisor

Re: disable chmod

Thank you all, for all the interesting answers.
Well, the file system I need to "protect" is a sort of archive, unfortunately not static, i.e. it could happen that some data must be replaced, maybe in a month, maybe in a year. Furthermore I need to keep the actual owner of the file. Setting 575 on each dir/file of the archive and changing each group to an "archive_admin" group, I'm quite happy because just the archive_admin people can modify/update the data in it, but the owner of the files can still chmod u+w and do the "damage" and so on...
I also thought to set 550 on "chmod" and via sudo enable just archive_admin to do that...
For the nfs export there is no problem because I export ro...