Hi,
>1. I can't use that user to ftp to his own home directory, which is a must:
Are you sure you put rksh in /etc/shells?
cta:/home/rgu $ ftp draco
Connected to draco.
220 draco FTP server (Version 1.1.214.4 Mon Feb 15 08:48:46 GMT 1999) ready.
Name (draco:vbe): rgu
331 Password required for rgu.
Password:
230 User rgu logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> bye
221 Goodbye.
cta:/home/rgu $ echo $SHELL
/usr/bin/rksh
cta:/home/rgu $
>2. Although the user can't use "cd" after login, but he/she can list other directories and files, and read/vi them with full path...
Quite true! But this is only because you let that account do so...
From the mans:
rksh Only
rksh is used to set up login names and execution environments where
capabilities are more controlled than those of the standard shell.
The actions of rksh are identical to those of ksh, except that the
following are forbidden:
+ Changing directory (see cd(1))
+ Setting the value of SHELL, ENV, or PATH
+ Specifying path or command names containing /
+ Redirecting output (>, >|, <>, and >>)
The restrictions above are enforced after the .profile and ENV files
are interpreted.
When a command to be executed is found to be a shell procedure, rksh
invokes ksh to execute it. Thus, the end-user is provided with shell
procedures accessible to the full power of the standard shell, while
being restricted to a limited menu of commands. This scheme assumes
that the end-user does not have write and execute permissions in the
same directory.
When a shell procedure is invoked from rksh, the shell interpreter
specified with the #! magic inherits all the restricted features of
rksh. So, the shell procedures written for execution under rksh with
the intent of utilizing the full power of the standard shell should
not specify an interpreter with #!.
These rules effectively give the writer of the .profile file complete
control over user actions, by performing guaranteed set-up actions and
leaving the user in an appropriate directory (probably not the login
directory).
The system administrator often sets up a directory of commands
(usually /usr/rbin) that can be safely invoked by rksh. HP-UX systems
provide a restricted editor red (see ed(1)), suitable for restricted
users.
So start by customyzing the .profile!
I believe you have all the needed information to continue now...
Good luck and
All the best
Victor
