Operating System - HP-UX

how to create account with strict permissions

 
A.K.
Frequent Advisor

how to create account with strict permissions

Hi,
I have to create a new account for the operators.
This account will be generic and will be used by all the operators (this option is instead of creating 30 accounts and then maintaining those accounts).
The operators need to run a few basic commands and monitor a few log files.
I want to restrict this account to be able to execute only the commands I choose or specify (meaning this account will have strict permissions because of its nature).
Also, I want to be able to monitor who logged in, when and from where.
Any ideas???
Thanks
A.k.
12 REPLIES
A.K.
Frequent Advisor

Re: how to create account with strict permissions

BTW,
I am running HP-UX 11.00.
A. Clay Stephenson
Acclaimed Contributor

Re: how to create account with strict permissions

I want to be able to know who logged in --- the account will be generic. Those are mutually exclusive conditions. It is generally a very bad idea to ever let users share a login because whenever something was done nobody did it and whoever it was it wasn't me. I would be more inclined to create a group and put all of your operators in the group. Probably the best approach for your task is to install sudo because then you will have everything logged and can grant them access to commands that might normally require super-user access (e.g. cancelling print jobs, resetting passwords).

If you are not familiar with sudo then do a search.
If it ain't broke, I can fix that.
spex
Honored Contributor

Re: how to create account with strict permissions

Hi A.k.,

Also check out rsh (restricted shell). 'man 1 sh-posix' and jump ahead to the "rsh Restrictions" subsection.

PCS
Bill Hassell
Honored Contributor
Solution

Re: how to create account with strict permissions

Almost all sysadmins find restricted shell access very difficult to set up and administer. Giving shell access to operators is just not a good idea. Instead, every operator has their own login but their shell is a menu script that allows them to run your selected list of commands. The menu script will not allow interaction with the shell, and attempts to break out will simply exit the system.


Bill Hassell, sysadmin
Raj D.
Honored Contributor

Re: how to create account with strict permissions

Ak,
Check `man script`. script lets you keep all the command and other history of the user; you only need to put the script filename in the .profile of the user. You can also restrict using sudo.

hth,
Raj.
" If u think u can , If u think u cannot , - You are always Right . "
A.K.
Frequent Advisor

Re: how to create account with strict permissions

Hello all,
Thanks for your answers so far.
I know a generic user is a bad idea. However, if I use it with sudo I can log all logins and the commands executed.
I liked Bill's idea of a menu script a lot. However, I will leave it as a last resort (since I will have to write it).
Currently, I am trying to combine a restricted user (rsh) together with sudo.
The user's shell is rsh. Also, I set PATH in .profile: PATH=/usr/xbin
To the /usr/xbin directory I copied only the commands I want this user to be able to use.
In /etc/sudoers I added a Cmnd_Alias that includes all the commands I specified in /usr/xbin.
I also specified that the user can execute those commands without a password.
In .profile I added aliases that prefix the command with sudo, so the user doesn't even realize that he is using the commands with sudo.
Here are a couple of examples of the aliases:

alias -x view='/usr/xbin/sudo /usr/xbin/view'
alias -x ls='/usr/xbin/sudo /usr/xbin/ls'

My problem is I am getting this error when trying to execute commands:

test101@hpws2:/home/test101# ls
rsh: /usr/xbin/sudo: The operation is not allowed in a restricted shell.

Does anyone have an idea how to resolve this?

Thanks,
Amir
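A worked version of the sudo side of this setup, as an added example that is not part of the original post and not code from HP-UX or the sudo project. It assumes the allowed commands live in /usr/xbin (as in the post) and that the operators are members of a group named operators (my assumption; the OP's per-user NOPASSWD line works the same way). The script builds the Cmnd_Alias and the NOPASSWD rule from whatever is in that directory, and refuses to list vi/view/ex/more/less/pg: each of those can run a shell ("!cmd", ":!cmd") or open other files from inside, so granting them through sudo grants root. (The error shown in the post is the restricted shell itself refusing a command name that contains a slash, such as /usr/xbin/sudo; sh-posix(1) lists that among the rsh restrictions.)

```shell
#!/usr/bin/sh
# Added example, not from the thread. Builds a sudoers fragment that lets the
# "operators" group (assumed name) run every executable in OPS_DIR as root
# without a password, except commands that offer a way out to a shell.

OPS_DIR=${OPS_DIR:-/usr/xbin}     # directory of allowed commands, as in the post

# Editors and pagers let the user run "!cmd" / ":!cmd" or open other files;
# through sudo that is a root shell, so they never go into the Cmnd_Alias.
escape_risk() {
    case "$1" in
        vi|view|ex|vim|more|less|pg) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the sudoers lines for directory $1. Fails if nothing is grantable.
gen_sudoers() {
    dir=$1
    list=
    for f in "$dir"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        name=${f##*/}
        if escape_risk "$name"; then
            echo "# $f not granted: it has a shell escape"
            continue
        fi
        list="${list:+$list, }$f"
    done
    [ -n "$list" ] || return 1
    echo "Cmnd_Alias OPS_CMDS = $list"
    echo "%operators ALL = (root) NOPASSWD: OPS_CMDS"
}

# When run directly under the (assumed) file name gen-ops-sudoers.sh, print
# the fragment for OPS_DIR so it can be reviewed and pasted in with visudo.
if [ "${0##*/}" = "gen-ops-sudoers.sh" ]; then
    gen_sudoers "$OPS_DIR"
fi
```

Run it as `sh gen-ops-sudoers.sh`, check the output, then add it to /etc/sudoers with visudo (never by editing the file directly, so a syntax error cannot lock everyone out). sudo records each invocation with the invoking user name, but that record only identifies a person if every operator has an individual login; with one shared account it says only that "the operators" ran the command. Newer sudo releases also have a NOEXEC tag for commands that must stay in the list despite shell escapes; whether it works on a given HP-UX build is something to test before relying on it.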
Bill Hassell
Honored Contributor

Re: how to create account with strict permissions

Restricted shell and sudo are incompatible since the reason for a restricted shell is to limit capability and sudo enhances capability. The restricted shell also replaces the / directory so the view command can't see anything except the user's $HOME (which is in effect = / by using chroot). I have attached a simple menu script to get you started. To change the user's shell to this menu, just run the command:

chsh user123 /usr/contrib/bin/menu.sh

Make sure that the script is stored with 755 permission, owned by root. Then just add/change the menu items as needed.


Bill Hassell, sysadmin
A.K.
Frequent Advisor

Re: how to create account with strict permissions

Hi Bill,
Thanks a lot, I think there is a mistake with the attachment.
thanks,
Amir
Bill Hassell
Honored Contributor

Re: how to create account with strict permissions

I just tested the attached script and it works OK. What did you find?

I would make one change:

trap "" 2

rather than trap "" 1 2 3. The reason is that the menu should ignore CTRL-C (trap 2) but trap 1 (hangup) should be a normal response so a broken connection will properly terminate the script.


Bill Hassell, sysadmin
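A menu shell of the kind Bill describes in his two replies above, as an added example; it is not the script he attached (the attachment is not on this page). The command list, the log file /var/adm/opmenu.log and the install path /usr/contrib/bin/menu.sh are assumptions; the syslog path is the HP-UX default. It ignores CTRL-C and CTRL-\ but leaves SIGHUP at its default so a dropped connection terminates the menu, as the post recommends. User input is only ever compared against fixed menu choices and never handed to the shell, end of input exits, the menu refuses to run without a terminal or with arguments (so `ssh host command` runs nothing), and each login is logged with the tty and login time from `who am i` along with every command run, which covers the who/when/from-where requirement. Entries that need root can be written with the full path of sudo in front, matched by a sudoers rule.

```shell
#!/usr/bin/sh
# Added example, not Bill's attachment: a menu used as the operator's login
# shell (chsh user123 /usr/contrib/bin/menu.sh). Install 755, owned by root.
# Assumed: the command list below and the log file path.

PATH=/usr/bin:/usr/sbin; export PATH   # no user-controlled PATH or ENV here
umask 077
LOGFILE=/var/adm/opmenu.log            # assumption; must be writable by operators

# Ignore CTRL-C and CTRL-\ so they cannot abort the loop; SIGHUP stays at its
# default so a dropped connection kills the menu instead of leaving it behind.
trap "" 2 3

# Map a menu choice to a fixed command line. Anything that is not exactly
# one of the listed choices fails, so user input never reaches the shell.
menu_command() {
    case "$1" in
        1) echo "/usr/bin/who" ;;
        2) echo "/usr/bin/tail -20 /var/adm/syslog/syslog.log" ;;
        3) echo "/usr/bin/bdf" ;;
        4) echo "/usr/bin/ps -ef" ;;
        *) return 1 ;;
    esac
}

stamp() { date '+%Y-%m-%d %H:%M:%S'; }

# Record who/when/from where: "who am i" gives user, tty and login time
# (on HP-UX add -R for the remote host name; check who(1) on your release).
log_session() {
    printf '%s login %s\n' "$(stamp)" "$(who am i)" >> "$LOGFILE"
}

main_loop() {
    while :; do
        printf '\n  1) who is logged in\n  2) last 20 lines of syslog\n'
        printf '  3) file system usage\n  4) process list\n  q) log out\n\nChoice: '
        # read fails on end of input (CTRL-D, closed connection): leave
        read -r choice || exit 0
        [ "$choice" = q ] && exit 0
        if cmd=$(menu_command "$choice"); then
            printf '%s run %s: %s\n' "$(stamp)" "$LOGNAME" "$cmd" >> "$LOGFILE"
            $cmd
        else
            echo "Invalid choice."
        fi
    done
}

# Run only as an interactive login shell with no arguments, so "ssh host cmd"
# (which invokes the login shell as "menu.sh -c cmd") executes nothing.
if [ -t 0 ] && [ $# -eq 0 ]; then
    log_session
    main_loop
fi
```

Because the menu is the login shell, .profile is never read, so there is no PATH, ENV or alias for the operator to tamper with; the only way to add a capability is to add a line to menu_command. With one login per operator, `last` already gives the login history (user, tty, remote host, time) from /var/adm/wtmp independently of this log.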
A.K.
Frequent Advisor

Re: how to create account with strict permissions

Hi Bill,
Yesterday, when I downloaded your script, I accidentally opened up a different file with a similar name but different content (not a sh script).
Anyway, sorry for the confusion and for wasting your time over my mistake (if I could, I would have compensated you with some extra points).
Your script is a great start, and I am going to start working on this today.

Thanks again !!!!!!!!!
Amir


George Liu_4
Trusted Contributor

Re: how to create account with strict permissions

using sudo