Operating System - HP-UX

Re: How to limit access authorization

 
SOLVED
Liang-hong Ye
Occasional Contributor

How to limit access authorization

I created a user and created a file system for him; now I want to limit his authorization.

1. This user can use only the directory which is assigned to him.
2. This user should not be able to read or write other directories.
3. This user should be able to use most of the Unix commands under this directory.

Can anyone help me? Thanks.
James R. Ferguson
Acclaimed Contributor
Solution

Re: How to limit access authorization

Hi:

I would consider setting up the user in a restricted shell (/usr/bin/rsh). From the man pages for 'sh-posix' note:

/quote/

rsh is used to set up login names and execution environments where capabilities are more controlled than those of the standard shell. The actions of rsh are identical to those of sh, except that the following are forbidden:

+ Changing directory (see the cd special command and cd(1))

+ Setting the value of SHELL, ENV, or PATH

+ Specifying path or command names containing /

+ Redirecting output (>, >|, <>, and >>)

The system administrator often sets up a directory of commands (usually /usr/rbin) that can be safely invoked by rsh.

/end_quote/

...JRF...
Michael Tully
Honored Contributor

Re: How to limit access authorization

Hi,
I would suggest setting up these types of users in a restricted shell, or rsh as it is more commonly known. Once set up, these users are more tightly controlled within their own environment, which means they are basically only allowed to be within the confines of their own home directory.

A look at the man page 'sh-posix' is definitely worth it. If there are programs that need to be run by these types of users, they are usually placed in a directory called /usr/rbin. An example of one of these is 'red', or a restricted 'ed'.

HTH
Michael
Anyone for a Mutiny ?
Mr LAMARTA
Advisor

Re: How to limit access authorization

Hello,
As Michael and James said, don't forget to set up /usr/rbin, otherwise your efforts to restrict access could be broken by a simple invocation of ksh !!!
Seb
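
An added example, not part of any post in this thread: a POSIX sh check of a restricted-shell command directory such as /usr/rbin for the problem raised above, a shell like ksh (or a program that can start one) sitting where the rsh user can run it. The function name, the two name lists and the sample directory are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: audit a restricted-shell command directory (e.g. /usr/rbin).
# The name lists are assumptions for illustration; extend them for your system.

# Any of these in the directory hands the user an unrestricted shell.
SHELLS="sh ksh csh tcsh bash zsh"
# Programs that can run other commands from inside themselves
# (ed/ex/vi/more via '!', awk via system(), find via -exec, env directly).
ESCAPES="ed ex vi more awk find env"

# audit_rbin DIR: print one finding per line; print nothing if DIR looks clean.
# Matching is by file name only, so a shell copied in under another name
# is not detected by this check.
audit_rbin() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "MISSING $dir"
        return 0
    fi

    # Group- or world-writable directory: the user may be able to add commands.
    if [ -n "$(find "$dir" -prune \( -perm -0020 -o -perm -0002 \) -print)" ]; then
        echo "WRITABLE $dir"
    fi

    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        name=${f##*/}
        case " $SHELLS " in *" $name "*) echo "SHELL $name" ;; esac
        case " $ESCAPES " in *" $name "*) echo "ESCAPE $name" ;; esac
    done
    return 0
}

# Constructed sample directory standing in for /usr/rbin.
demo=${TMPDIR:-/tmp}/rbin-demo.$$
mkdir -p "$demo"
chmod 755 "$demo"
for c in ls cat red ksh vi; do : > "$demo/$c"; done
audit_rbin "$demo"
rm -rf "$demo"
```

On a real system, call `audit_rbin` on the directory that the restricted user's PATH points to.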
Liang-hong Ye
Occasional Contributor

Re: How to limit access authorization

Thanks for your help.

I've tried to use rsh before but it also has some problems.

1. The user can use commands such as 'ls ..' to list other directories. What I want is that he cannot view anything in other directories.
2. The user cannot 'cd' to the subdirectories which he created himself.

How to resolve these problems?
Michael Tully
Honored Contributor

Re: How to limit access authorization

Hi,

The only other thing I can readily think of is to have the user(s) in a captive menu, where you would have a selection where they can view their sub-directory; then, once they hit another key, it returns them back into the menu again. If you cannot get one started, let the forum know; there should be a lot of them around. I can give an example when I am in my office again tomorrow (Sydney time).

HTH
Michael
Anyone for a Mutiny ?
Jacob_3
Occasional Contributor

Re: How to limit access authorization

We have almost the same problem. We also want to prevent the user from using some commands like ftp and telnet.

We found out that the best way is using CA eTrust AccessControl, but it is expensive (~5K per server) and not very easy to work with. But it does the work really well.
Brian Markus
Valued Contributor

Re: How to limit access authorization

Under Linux and Solaris you can make something called a CAGED environment. By linking the binaries etc., they have almost their own Unix box:
/home/baduser/bin
/home/baduser/etc
/home/baduser/opt
all of those. They see /home/baduser as / and can't get any farther. I've never tried it under HP-UX; I'm not sure if it's possible. That might be the way to go if it's possible.

Hope you can find something on it.

Good luck

Brian
When a sys-admin says maybe, they don't mean 'yes'!