HPE Community
Operating System - HP-UX
1833129 Members
3951 Online
110051 Solutions
New Discussion

How to prevent a users from using a specific command

 
SOLVED
Go to solution
Mouad_1
Frequent Advisor

‎06-29-2005 09:59 PM

‎06-29-2005 09:59 PM

How to prevent a users from using a specific command

How I can prohibit the use of a command by a user (for example tar) ?
0 Kudos
Reply
10 REPLIES 10
Pete Randall
Outstanding Contributor

‎06-29-2005 10:02 PM

‎06-29-2005 10:02 PM

Solution

Re: How to prevent a users from using a specific command

Put an alias for tar in the user's .profile that points to a null command or write a wrapper script for tar that checks the userid before invoking the real tar.


Pete

Pete
Reply
Mouad_1
Frequent Advisor

‎06-29-2005 10:13 PM

‎06-29-2005 10:13 PM

Re: How to prevent a users from using a specific command

Thanks a lot Pete.
I put
alias tar=''
in the .profile of the users
It works fine.
0 Kudos
Reply
Pete Randall
Outstanding Contributor

‎06-29-2005 10:29 PM

‎06-29-2005 10:29 PM

Re: How to prevent a users from using a specific command

The only problem with either approach is that a knowledgeable user can work around them by invoking the real tar with the full path name of the command. To be really secure, you would actually have to hide the real command somewhere else.


Pete

Pete
0 Kudos
Reply
Mouad_1
Frequent Advisor

‎06-29-2005 10:46 PM

‎06-29-2005 10:46 PM

Re: How to prevent a users from using a specific command

You're right, but inserting these 2 line :
alias /sbin/tar='echo "not allowed : tar"'
alias tar='echo "not allowed : tar"'
into the .profile will do the jobs .
0 Kudos
Reply
Muthukumar_5
Honored Contributor

‎06-29-2005 11:35 PM

‎06-29-2005 11:35 PM

Re: How to prevent a users from using a specific command

You can control /sbin/tar execution by putting as,

alias /sbin/tar='echo "Not allowed : tar"'

# alias /sbin/tar='echo "not allowed : tar"'
sh: /sbin/tar=echo "not allowed : tar": Invalid alias name.

hth.
Easy to suggest when don't know about the problem!
0 Kudos
Reply
Muthukumar_5
Honored Contributor

‎06-29-2005 11:42 PM

‎06-29-2005 11:42 PM

Re: How to prevent a users from using a specific command

Sorry. You can cannot control by putting /sbin/tar as an alias.

You can try with another way by writing a shell wrapper as,

mv /sbin/tar /sbin/tar.org

#!/bin/ksh

if [[ $LOGNAME = "" ]]
then
echo "Permission Denied"
exit 1
else
/sbin/tar.org $@
fi

exit 0
#

save this file as /sbin/tar with bin:bin -r-xr-xr-x permission.

hth.



Easy to suggest when don't know about the problem!
Reply
Mouad_1
Frequent Advisor

‎06-29-2005 11:49 PM

‎06-29-2005 11:49 PM

Re: How to prevent a users from using a specific command

I've tried making alias for both command and its absolute path and it works !? :
$ tar cvf m.tar file*
not allowed : tar cvf m.tar file1 file2
$ /sbin/tar cvf m.tar file*
not allowed : tar cvf m.tar file1 file2

Anyway, reWriting the command with a script as you said seem to be a good idea. Thanks
0 Kudos
Reply
Roland Piette
Regular Advisor

‎07-05-2005 01:09 AM

‎07-05-2005 01:09 AM

Re: How to prevent a users from using a specific command

Hi all

Nice to work with aliases but ..... it doesn't work in subshell.

I try this following under HP-UX 11.0 & 11i :

alias ls="ls -l"
ls
ksh
ls

The second ls doesn't give the same output !

I try also -x option in alias command ... same effect.

This solution is only valid in the current shell.

Best regards.
Roland
0 Kudos
Reply
Ralph Grothe
Honored Contributor

‎07-05-2005 02:43 AM

‎07-05-2005 02:43 AM

Re: How to prevent a users from using a specific command

Maybe a bit far fetched,
but to really restrict a user and hinder him from issueing certain commands you would need to capture his login in a chroot or jail environment.
Another approach is followed by concepts like SELinux or role based access control (aka RBAC)
If you search www or knoledgebase on these topics with respect to HPUX I'm sure will find many howtos.
Madness, thy name is system administration
0 Kudos
Reply
Amit Agarwal_1
Trusted Contributor

‎07-05-2005 05:17 PM

‎07-05-2005 05:17 PM

Re: How to prevent a users from using a specific command

Try setting ACL (access control list) for the binary. You can use setacl and getacl commamnds for the same. Please see manpage for more info.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.