HPE Community
Operating System - HP-UX
1832844 Members
2706 Online
110047 Solutions
New Discussion

Re: ID to run specific command

 
SOLVED
Go to solution
so.nimda
Super Advisor

‎04-22-2008 06:43 PM

‎04-22-2008 06:43 PM

ID to run specific command

Hi,

I have a junior administrator whom I would like him to do some specific OS task.

I do not want to grant him root access and assigning UID 0 is a definite no.

I have read in posts here that "sudo" can be used, but wouldn't that also allow commands like "rm *.*" to be executed also?

Is there a way for me to only limit his access to certain specific commands like, for example, "lpstat"?

Thanks in advance.
0 Kudos
Reply
12 REPLIES 12
Jeeshan
Honored Contributor

‎04-22-2008 06:55 PM

‎04-22-2008 06:55 PM

Re: ID to run specific command

Hi

Do you heard about ACL?

May be this way can help you.
a warrior never quits
0 Kudos
Reply
so.nimda
Super Advisor

‎04-22-2008 07:11 PM

‎04-22-2008 07:11 PM

Re: ID to run specific command

Hi ahsan,

Could you care to elaborate on ACL?

How do I implement it?

Thanks
0 Kudos
Reply
Jeeshan
Honored Contributor

‎04-22-2008 07:23 PM

‎04-22-2008 07:23 PM

Re: ID to run specific command

Hi again

read this

http://docs.hp.com/en/5992-2146/ch09s05.html
a warrior never quits
0 Kudos
Reply
Kapil Jha
Honored Contributor

‎04-22-2008 07:35 PM

‎04-22-2008 07:35 PM

Re: ID to run specific command

If you or your management have hired him , i suppose you have to believe in him.
Nobody is crazy to fire rm * on a system if he has worked on UNIX.
Just ask him to take care while working then he would be more productive.
If you want him to run only a coulple of command try ACL as said by Ahsan or you have use restricted shell and copy some of basic command (if they are very few) in his shell.
BR,
Kapil
I am in this small bowl, I wane see the real world......
0 Kudos
Reply
so.nimda
Super Advisor

‎04-22-2008 07:38 PM

‎04-22-2008 07:38 PM

Re: ID to run specific command

Thanks for the link.

I have read it and it seems that it's for SD (software distribution).

How do I go about implementing it for OS command like "lpstat", or "ls"?

Thanks
0 Kudos
Reply
so.nimda
Super Advisor

‎04-22-2008 07:50 PM

‎04-22-2008 07:50 PM

Re: ID to run specific command

Hi Kapil,

Thanks for your reply.

It's just a precaution that I would like to take as he fresh with zero unix knowledge.

"Nobody is crazy to fire rm * on a system if he has worked on UNIX"? Fact is - he has never worked in a unix environment.

Anyway, as I only need him to perform specific tasks, removing other access would seem more practical than asking him to be careful, as even experience administrators do sometimes make mistakes, too. ;)





0 Kudos
Reply
Kapil Jha
Honored Contributor

‎04-22-2008 07:56 PM

‎04-22-2008 07:56 PM

Solution

Re: ID to run specific command

thats OK if he does not have any UNIX exp.
well from the beginning u seens to be intersted in lpstat command.
You can copy this command in this home directory....and it will work for him....
BR,
Kapil
I am in this small bowl, I wane see the real world......
Reply
Jeeshan
Honored Contributor

‎04-22-2008 08:24 PM

‎04-22-2008 08:24 PM

Re: ID to run specific command

Hi

may be this can help you briefly

http://docs.hp.com/en/B2355-90950/ch08s04.html

You may consider another thing. Give him a account with restricted shell and copy the commands he need to do his job.
a warrior never quits
Reply
so.nimda
Super Advisor

‎04-22-2008 09:03 PM

‎04-22-2008 09:03 PM

Re: ID to run specific command

Thanks, ahsan & Kapil

Will explore the shell alternative for him.

Regards
0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

‎04-23-2008 01:21 AM

‎04-23-2008 01:21 AM

Re: ID to run specific command

>Is there a way for me to only limit his access to certain specific commands like, for example, lpstat?

Yes, you can limit commands to sudo.
There is also HP's RBAC. See these links:
http://forums.itrc.hp.com/service/forums/questionanswer.do?threadId=1215907
http://forums.itrc.hp.com/service/forums/questionanswer.do?threadId=1206541
http://forums.itrc.hp.com/service/forums/questionanswer.do?threadId=1204720
Reply
Yogeeraj_1
Honored Contributor

‎04-23-2008 01:57 AM

‎04-23-2008 01:57 AM

Re: ID to run specific command

hi,

you may also wish to write a simple menu driven application that allows him to run the restrictive commands.

In this case, he won't even need to know the command that would be run in the background.

Indeed, SUDO will be the tool of choice in any cases.

kind regards
yogeeraj
No person was ever honoured for what he received. Honour has been the reward for what he gave (clavin coolidge)
Reply
Ron Irving
Trusted Contributor

‎04-23-2008 04:46 AM

‎04-23-2008 04:46 AM

Re: ID to run specific command

Once he has a little experience, turn him on to this forum. There is a wealth of knowledge here.
Should have been an astronaut.
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.