HPE Community
Operating System - HP-UX
1836469 Members
2141 Online
110101 Solutions
New Discussion

kind of user

 
SOLVED
Go to solution
Meirone Luca
Occasional Advisor

‎02-05-2001 06:29 AM

‎02-05-2001 06:29 AM

kind of user

Hi,
I have to create a table defining user policies. On HP-UX what kind of user can I define? (I want to define e.g. normal users that can do telnet, rcp, rlogin and users that can do only ftp from other hosts). Is it to possible to define groups with different policies (such as under NT?)
Meirone Luca
0 Kudos
Reply
4 REPLIES 4
Bruce Regittko_1
Esteemed Contributor

‎02-05-2001 08:36 AM

‎02-05-2001 08:36 AM

Solution

Re: kind of user

Hi,

It is not quite as easy to define groups of users as it is under NT. One way to do it is to give the user a restrictred shell and set his/her PATH variable to a directory that only has the utilities you want him/her to run.

Allowing a user only remote ftp access is easier. In /etc/passwd, give this person a shell of /usr/bin/false. (This is the seventh or last field of the file.) This will prevent normal terminal based logins but will allow ftp logins.

If the above does not work, make sure /usr/bin/false is present in the /etc/shells file. (You will probably want to put /usr/bin/sh, /sbin/sh, /usr/bin/ksh, and /usr/bin/csh in this file, as well.) See the man page for shells and ftpd for more information.

--Bruce
www.stratech.com/training
Reply
Gerard Leclercq
Trusted Contributor

‎02-05-2001 11:34 PM

‎02-05-2001 11:34 PM

Re: kind of user

Hello,

Just a thing about rsh.
It is not 100% safe. If you use an application which can change
directory and run a shell (which will be restricted), it is as if
you are in a normal shell.

Try this :
Log as user in a rsh
run vi
:cd /tmp (change directory under vi )
:sh (run a shell)

Bye
0 Kudos
Reply
Gerard Leclercq
Trusted Contributor

‎02-08-2001 01:07 AM

‎02-08-2001 01:07 AM

Re: kind of user

Hello again,

I am just thinking another possibility : ACL (Access Control List)
This is an extension of unix file permissions.
ACL permits you to put any permissions for any user on any file.

You just have to disallow permission rwx to access directory or file to the users to be restricted.

The problem is not to forget to disallow permission to new data or applications filesets or disks you add to your system (Physically or by NFS)

Bye
Gerard
0 Kudos
Reply
Steven Sim Kok Leong
Honored Contributor

‎02-08-2001 02:26 AM

‎02-08-2001 02:26 AM

Re: kind of user

Hi,

If you want wish specific groups of users to have access to specific commands, one feasible way would be to create a menu system of commands such as telnet using lynx or a script.

What is important to remember is that you should trap signals before and after running the menu system ie.

Before running: trap "" 1 2 3
After running: trap 1 2 3

Remember also to disable lynxexec so that the user cannot shell out from lynx itself.

You can modify your /etc/profile such that if a user belongs to GID XXX, then a group-specific menu system is run.

Hope this helps. Regards.

Steven Sim Kok Leong
Brainbench MVP for Unix Admin
http://www.brainbench.com


0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.