
How to set up a Read Only user account in 11.11 UNIX

 
SOLVED
Matthew Ghofrani
Regular Advisor

How to set up a Read Only user account in 11.11 UNIX

Does anyone know of any method to create a user account that has read only privileges short of using nfs and rsh?

Dankeschoen
Life is full of bugs
Patrick Wallek
Honored Contributor

Re: How to set up a Read Only user account in 11.11 UNIX

Read only to what? This could be done with group permissions and ACLs. This user could be a member of a group called readonly and then you could set up ACLs on the files that this user needs access to.

Bitte!
Matthew Ghofrani
Regular Advisor

Re: How to set up a Read Only user account in 11.11 UNIX

Read only to one particular directory only.

How would the ACL work without changing the permissions of the existing files in that directory?
Life is full of bugs
Peter Nikitka
Honored Contributor
Solution

Re: How to set up a Read Only user account in 11.11 UNIX

Hi,

I assume you mean 'remsh' (remote shell) instead of 'rsh' (restricted shell)?
If not, please correct me.
If you want to get better security in setting up such a readonly account, drop the remsh support and change to ssh.

What do you mean by 'using nfs'?

At first sight, there are two answers:
1) It is not possible to do this generally.
2) This is done automatically.

Thoughts to 1)
You can use /bin/false as login shell and set an invalid passwd entry for that user 'readonly'. No one except root will be able to do a 'su readonly'.

Permitting to dive into NFS mount points will make it impossible to give that user account a shell /bin/false or even a restricted shell.
If your NFS mounts are not readonly, this account will have only special restrictions, when you map this UID to appropriate (non-)privileges on every NFS server you have access to or you use NIS (e.g.).

Thoughts to 2)
Having a properly configured system with no world writable files, creating this account in a new/unused group will only permit modifying own files.
Setting the permission for $HOME recursively to 550 for directories and 440 for files - though there may be side effects - will leave only /tmp as a problem.

mfG Peter
The Universe is a pretty big place, it's bigger than anything anyone has ever dreamed of before. So if it's just us, seems like an awful waste of space, right? Jodie Foster in "Contact"
Matthew Ghofrani
Regular Advisor

Re: How to set up a Read Only user account in 11.11 UNIX

Thanks Peter.

I did mean no restricted shell and no /etc/exports involvement as I do not care for either one. Having said that, I am interested in the ACL portion of the responses.
Life is full of bugs
Peter Nikitka
Honored Contributor

Re: How to set up a Read Only user account in 11.11 UNIX

Hi,

using my solution 2) - user 'readonly' is in a group 'readonly' - you do not need ACLs anyway:
Even a permission of 775 (which is the less restricted one) like
drwxrwxr-x /my/dir/...

where !=readonly, !=readonly will not grant any write permissions to this user.

Since it is generally very very recommended NOT having world writable files/directories, this shouldn't be a stopper.

mfG Peter
The Universe is a pretty big place, it's bigger than anything anyone has ever dreamed of before. So if it's just us, seems like an awful waste of space, right? Jodie Foster in "Contact"
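
Added example, not part of any post in this thread: a POSIX shell check for the precondition the reply above relies on, namely that nothing under the directory is world-writable or writable through the account's own user or group bits. The function names are hypothetical, `readonly` is the account and group name used in the thread, and only the mode bits are inspected, not ACL entries.

```shell
#!/bin/sh
# Added example, not from the thread. List everything under a directory that
# an account could modify through the classic mode bits:
#   - world-writable entries (the "other" write bit),
#   - entries the account owns with the owner write bit set,
#   - entries in the account's group with the group write bit set.
# Arguments: directory, user name or numeric UID, group name or numeric GID.
# ACL entries are not examined here.
writable_by() {
    dir=$1 user=$2 group=$3
    # Symlink modes are not enforced, so symlinks are skipped.
    find "$dir" ! -type l \( \
        -perm -0002 \
        -o \( -user "$user" -perm -0200 \) \
        -o \( -group "$group" -perm -0020 \) \
    \) -print
}

# Exit status 0 only when the account can modify nothing under the directory.
is_read_only_for() {
    [ -z "$(writable_by "$1" "$2" "$3")" ]
}

# Usage when run as a script: sh check.sh /my/dir readonly readonly
if [ $# -eq 3 ]; then
    writable_by "$1" "$2" "$3"
fi
```

An empty listing means the account can read (where the read bits allow) but not change anything in that tree; any path printed needs its mode or ownership corrected first.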
Matthew Ghofrani
Regular Advisor

Re: How to set up a Read Only user account in 11.11 UNIX

Thanks but I still don't have an answer that I can go ahead & apply
Life is full of bugs