Operating System - HP-UX

how to limit commands and execution of

 
Rick Garland
Honored Contributor

how to limit commands and execution of

Hi all:

Working with HPUX 11.00 systems - mostly L class systems.

Got a request to limit an acct. I can limit the acct from roaming by using the rsh as the shell but additional to the request is to limit the commands to only telnet & ftp and to limit these 2 commands to only a specific host. Example, acctA has login access only to systemA (using the rsh to restrict their movements). Once on systemA they can only telnet/ftp to systemB - they can NOT do this to systemC, systemD, systemN,...

Can I set up this type of security? How?

Many thanks!
James A. Donovan
Honored Contributor

Re: how to limit commands and execution of

Best way I can think of doing this is to use the sudo utility.

Remember, wherever you go, there you are...
Sridhar Bhaskarla
Honored Contributor
Solution

Re: how to limit commands and execution of

Hi Rick,

Yes. The trick is in setting the PATH. Once you have created the user with the restricted shell, edit his/her .profile, delete all other paths and add only PATH=/usr/rbin

In /usr/rbin, create a script called systemB. systemB contains nothing but "/usr/bin/telnet systemB"

If you want him to access other commands, you can simply copy them from /usr/bin into this directory.

He will not be able to execute anything other than in /usr/rbin directory.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Patrick Wallek
Honored Contributor

Re: how to limit commands and execution of

What about some combination of a chroot'ed environment, with just telnet and ftp commands available to them? And then wrap the telnet and ftp, and if $1 is not systemA, then they get some sort of error message.
Michael Tully
Honored Contributor

Re: how to limit commands and execution of

Hi Rick,

If you wanted to make changes to your system and create /usr/rbin etc., this would be a reasonable choice. I would look seriously at using 'sudo' only, as then you are only making changes to one file and of course everything can be logged as well. If you're looking at it from a security perspective, you can keep a big brother look at what the user is doing and when.

Cheers
Michael.
Anyone for a Mutiny ?
A. Clay Stephenson
Acclaimed Contributor

Re: how to limit commands and execution of

Bear in mind that even with a telnet systemB command, all this guy has to do is execute his 'systemB' command AND THEN telnet other systems from there. He still would not be able to get out of his box on the original host but all others would be available to him.
If it ain't broke, I can fix that.
James A. Donovan
Honored Contributor

Re: how to limit commands and execution of

but...if you have sudo installed on systemB, then you can again use that utility to restrict what commands the user can run from that box!
Remember, wherever you go, there you are...
Rick Garland
Honored Contributor

Re: how to limit commands and execution of

Hey folks:

Many thanks for the input. Long story short, the PATH, rsh, and sudo are working together. There is some setup involved but for the meantime it appears to be functioning as intended.

Also, if they get to systemB and can go anywhere else, that is the job of the administrators on systemB since I do not have admin rights on systemB. (systemB is actually a system in PA). But if they come back to systemA I am only allowing them to access systemB.

Once on systemB I cannot control where they go to or what they do. They have a separate login account over there with a separate group of admins and a whole different set of rules to follow.
A. Daniel King_1
Super Advisor

Re: how to limit commands and execution of

To reemphasize, you have to be very careful about your path in rksh. If there is another shell in the path, you can simply run that shell. This will then allow your "restricted" user to roam the system at will.
Command-Line Junkie
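
The warning in the last reply, turned into a check an administrator can run against the restricted user's PATH directory such as /usr/rbin. This is an added example, not part of the thread; the function names, the list of shell names and the reference shell paths are assumptions to adjust for the system being audited.

```shell
#!/bin/sh
# Added example (not from the thread): audit a restricted user's PATH directory.
# SHELL_NAMES, REF_SHELLS and the function names are assumptions for this sketch.
SHELL_NAMES="sh ksh csh tcsh bash zsh dash"
REF_SHELLS=${REF_SHELLS:-"/usr/bin/sh /usr/bin/ksh /usr/bin/csh /sbin/sh /bin/sh"}

# Print one line per finding; return 0 if the directory is clean, 1 otherwise.
audit_rbin() {
    dir=$1
    findings=0
    # A group- or world-writable directory lets commands be added to the PATH.
    if [ -n "$(find "$dir" -prune \( -perm -0002 -o -perm -0020 \) 2>/dev/null)" ]; then
        echo "WRITABLE $dir"
        findings=$((findings + 1))
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue            # -f follows symlinks to their target
        hit=""
        name=$(basename "$f")
        for s in $SHELL_NAMES; do
            if [ "$name" = "$s" ]; then hit="named like a shell"; fi
        done
        # Catch a shell that was copied or linked in under another name.
        for ref in $REF_SHELLS; do
            if [ -f "$ref" ] && cmp -s "$f" "$ref"; then hit="same content as $ref"; fi
        done
        if [ -n "$hit" ]; then
            echo "SHELL $f ($hit)"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample: the thread's systemB wrapper plus a shell copied in as "edit".
make_sample() {
    mkdir -p "$1" && chmod 755 "$1"
    printf '#!/usr/bin/sh\n/usr/bin/telnet systemB\n' > "$1/systemB"
    cp /bin/sh "$1/edit"
    chmod 555 "$1/systemB" "$1/edit"
}

# Usage: sh audit_rbin.sh /usr/rbin
if [ $# -gt 0 ]; then audit_rbin "$1"; fi
```

The content comparison only recognises the shells listed in REF_SHELLS, so any other command copied into the directory still needs a manual review.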