
Limit a user to a single program

 
Tristan Savalle
New Member


On an HP-UX 10.20/11 system (with CDE), how can I limit a user to the execution of a single program?

This program should be launched each time the user logs in (with the CDE login screen or with the telnet/rlogin/su commands). It should be the only program available to the user (no Xterm, no CDE panel, no other program...).

When the user exits the program, the Unix session should exit too.

Note that the program is a graphical program, so if it cannot execute (for instance, because DISPLAY is not set, or because the terminal screen is not graphical), the Unix session should exit immediately.

Thanks.

--
Tristan Savalle
Robin Wakefield
Honored Contributor

Re: Limit a user to a single program

Hi,

You could try setting their login shell to be a wrapper script that, say, performs some environment checks, runs the program, then it will exit at the end and log the user out.

Rgds, Robin
Andreas Voss
Honored Contributor

Re: Limit a user to a single program

Hi,

Here is an unsupported procedure:

Change in /usr/dt/bin/Xsession the lines:

dtstart_session[0]="$DT_BINPATH/dtsession"
dtstart_session[1]="$HOME/.xsession"

to

dtstart_session[1]="$DT_BINPATH/dtsession"
dtstart_session[0]="$HOME/.xsession"

(This changes the order in which Xsession looks for the session to start.)

Now you have to create a file $HOME/.xsession in the user's home directory with executable rights (chmod 755 $HOME/.xsession).

Copy /usr/dt/config/Xfailsafe to $HOME/.xsession.

Within $HOME/.xsession change the line

${CDEDIR}/dtterm -ls

to your needs (your X-application should be started here).

Regards
Joseph Chakkery
Valued Contributor

Re: Limit a user to a single program

Hello,

My simple way would be to put an exec statement in the user's .profile.

Let's say the user has to run xyz.exe; then the last line of the user's .profile should be
exec xyz.exe

So when he logs in, it will go directly to the program, and when he comes out of that program, it logs him out.

Hope this may help you.

Regards
Joe.
Knowledge is wealth
Rita C Workman
Honored Contributor

Re: Limit a user to a single program

I tend to use the quick & easy method that Joseph mentioned.
I simply put the exec for the program I want them to run upon login into the user's .profile... and I also add the command exit on the next line, so when they exit the program they are 'forced' out.

/rcw

Magdi KAMAL
Respected Contributor

Re: Limit a user to a single program

Hi Savalle,

Just put the absolute path of this program as the shell script for that user in /etc/passwd.

You would also deactivate all interrupts so that the user couldn't work around the permissions you are setting.

Magdi
Andrew Maslin
Frequent Advisor

Re: Limit a user to a single program

We have done the previous suggestion of executing the command in the .profile. I would suggest trapping for errors in the .profile as well to prevent users from bypassing the controls you have in place (such as by pressing ctrl-c while the .profile is executing). I would just put the following command at the beginning of the .profile:
trap "echo error; exit 1" 1 2 3 4 5 6

Andy
Joseph C. Denman
Honored Contributor

Re: Limit a user to a single program

The above is good!!! Another thing to consider is that putting exit at the end of the .profile will not exit CDE if you are not sourcing it. In the $HOME/.dtprofile make sure (usually the last line) states DTSOURCEPROFILE=TRUE. This forces CDE to read the .profile.

As far as su???????? This will not work. However, the user should not have another account from which he can su. If he/she does, you should do the same with that account.

Also, I would chmod 755 $HOME/.profile $HOME/.dtprofile (assuming sh/ksh) and chown root:sys $HOME/.profile $HOME/.dtprofile.

Another thing I would do is add the user to /etc/ftpd/ftpusers.

Just my thoughts.

...jcd...
If I had only read the instructions first??
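
The wrapper-script login shell suggested in the thread, combined with the signal trap and the DISPLAY check the question asks for, as an added example that is not code from any poster. The name single-app-shell, the path /opt/app/bin/xyz and the PATH value are placeholders and assumptions.

```shell
#!/bin/sh
# Added example: restricted login shell wrapper (hypothetical name: single-app-shell).
# APP is a placeholder path; point it at the real graphical program.
APP="${APP:-/opt/app/bin/xyz}"

# Exit instead of dropping to a prompt if the user sends a signal
# (hangup, Ctrl-C, quit, terminate) before the program takes over.
guard_signals() {
    trap 'exit 1' HUP INT QUIT TERM
}

# Return 0 only when the graphical program can plausibly start.
# 2 = no X display set, 3 = program missing or not executable.
preflight() {
    [ -n "${DISPLAY:-}" ] || return 2
    [ -f "$1" ] && [ -x "$1" ] || return 3
    return 0
}

main() {
    guard_signals
    # Fixed PATH (assumed value) and no user-supplied arguments:
    # "su user -c cmd" hands "-c cmd" to the login shell, and this
    # wrapper deliberately ignores whatever it is given.
    PATH=/usr/bin:/usr/dt/bin
    export PATH
    preflight "$APP" || {
        rc=$?
        echo "cannot start $APP (code $rc)" >&2
        exit "$rc"
    }
    # exec replaces the wrapper, so leaving the program ends the session.
    exec "$APP"
}

# Run only when invoked under the wrapper's own name (as the login shell).
case "${0##*/}" in
    single-app-shell|-single-app-shell) main ;;
esac
```

Because the wrapper is the account's shell in /etc/passwd rather than a line in .profile, it is root-owned and applies to telnet, rlogin and su alike, with no user-writable file in the path.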