
Re: Limiting a Path for a user with rksh

 
Victor Prasad
Occasional Advisor

Limiting a Path for a user with rksh

Hello,

I have 10 users, each with their own Unix ID going to this directory
under rksh:

+test1::0:0:test1 tester:/files/legal/output:/bin/rksh
+test2::0:0:test2 tester:/files/legal/output:/bin/rksh
+test3::0:0:test3 tester:/files/legal/output:/bin/rksh
+test4::0:0:test4 tester:/files/legal/output:/bin/rksh
etc...10

rksh prevents a change of directory - but they still have access to
everything in their path.

Is there a way to put a .profile file or something that would alter
the path so they could not use everything in their path?

I tried this:

PATH=`echo "$PATH" | sed 's=:/usr/tools/bin:=:=g'`
export PATH

in a .profile file but would that not have to be shared by all users,
or 1 created for each? How would I get this .profile to execute for
each user?

Or any other suggestions?


The path:

echo $PATH
/home/test1/bin:/usr/tools/bin:/usr/bin:/opt/corp/bin:

This path is defaulted for everyone - and I am not sure where it is
assigned.

I just want to restrict users who have logged into
/files/legal/output:/bin/rksh
to NOT have access to /usr/tools/bin.

Help?

Thanks,

V
Why doesn't this work....?
MANOJ SRIVASTAVA
Honored Contributor
Solution

Re: Limiting a Path for a user with rksh

Hi V

Maybe this can help:

10.3.1 Restricted Shell
The restricted shell is designed to put the user into an environment where his or her ability to move around and write files is severely limited. It's usually used for "guest" accounts. You can make a user's login shell restricted by putting rksh or ksh -r in the user's /etc/passwd entry.

The specific constraints imposed by the restricted shell disallow the user from doing the following:

Changing working directories: cd is inoperative. If you try to use it, you will get the error message "ksh: cd: restricted".

Redirecting output to a file: the redirectors >, >|, <>, and >> are not allowed.

Assigning a new value to the environment variables SHELL, ENV, or PATH.

Specifying any pathnames with slashes (/) in them. The shell will treat files outside of the current directory as "not found."

These restrictions go into effect after the user's .profile and environment files are run.

This means that the restricted shell user's entire environment is set up in .profile. Since the user can't overwrite that file, this lets the system administrator configure the environment as he or she sees fit.

Two common ways of setting up such environments are to set up a directory of "safe" commands and have that directory be the only one in PATH, and to set up a command menu from which the user can't escape without exiting the shell.

You may also look at:
http://nevada.tpi.pl/books/b022/ch10_03.htm


and

http://google.yahoo.com/bin/query?p=restrict+ls+in+rksh&hc=0&hs=0

All the best .

Manoj Srivastava
Victor Prasad
Occasional Advisor

Re: Limiting a Path for a user with rksh

Thank you for the info.

1) where would I find the ENV info?

2) Since there are 10 (or more) users going into this directory - I would have to have a separate .profile for each? Or once they log in - is the .profile for that directory executed?
Please can the users not alter their .profile or chmod it?

Thanks,

V
Why doesn't this work....?
MANOJ SRIVASTAVA
Honored Contributor

Re: Limiting a Path for a user with rksh

Hi Victor


For the users you need to find a common command set like ls, rm etc. and copy these commands into a subdirectory which becomes the path in the .profile of the users' login home (restricted etc.). Now once this is executed the user can only run the commands set up in that directory.


Manoj Srivastava
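
An added example, not part of any post in this thread: the "directory of safe commands" setup described in the two replies above, applied to a home directory that all the accounts share (a login shell reads `.profile` from the home directory, so one file covers every user who lands there). The directory name `rbin`, both function names and the list of names the audit flags are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example. rbin, setup_rksh_home and audit_rksh_home are hypothetical names.

# Fill $1/rbin with links to the allowed commands ($2...) and write a
# read-only .profile that makes rbin the only PATH entry.
setup_rksh_home() {
    home=$1; shift
    mkdir -p "$home/rbin" && chmod 755 "$home/rbin" || return 1
    for cmd in "$@"; do
        target=$(command -v "$cmd") || target=
        case $target in
            /*) ln -sf "$target" "$home/rbin/$cmd" ;;
            *)  echo "no executable found for $cmd" >&2; return 1 ;;
        esac
    done
    rm -f "$home/.profile"
    printf 'PATH=%s/rbin\nexport PATH\n' "$home" > "$home/.profile" || return 1
    chmod 444 "$home/.profile" && chmod 555 "$home/rbin"
}

# Print one finding per line; return 0 only when there are none.
audit_rksh_home() {
    home=$1; findings=0
    # Mode string such as -r--r--r--: any 'w' means someone can edit it.
    case $(ls -ld "$home/.profile" | cut -c1-10) in
        *w*) echo ".profile is writable"; findings=1 ;;
    esac
    # Group/other write on the directory lets a user replace .profile.
    case $(ls -ld "$home" | cut -c1-10) in
        ?????w*|????????w*) echo "home directory is group/other writable"; findings=1 ;;
    esac
    if ! grep -qx "PATH=$home/rbin" "$home/.profile"; then
        echo "PATH is not limited to rbin"; findings=1
    fi
    # Assumed list: a shell or an editor with a shell escape undoes rksh.
    for name in sh ksh csh bash vi ed more; do
        if [ -e "$home/rbin/$name" ]; then
            echo "rbin contains $name"; findings=1
        fi
    done
    return $findings
}

# Usage: sh thisfile /files/legal/output ls cat
if [ "$#" -ge 2 ]; then
    setup_rksh_home "$@" && audit_rksh_home "$1"
fi
```

Run it as root so that `.profile` and `rbin` end up owned by root; the audit reports on mode bits only and does not check ownership.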
Victor Prasad
Occasional Advisor

Re: Limiting a Path for a user with rksh

Thanks for the info yet again!

The problem I am having is, users are set up to go to a directory - there is no .profile in that directory. I think they get their defaulted path from /etc, a file called PATH. But this PATH is used for many other users. Unfortunately - I cannot change the directory /files/legal/output either.

I was also thinking of these ideas:

1) Could I change this directory to be ftp only? If so - how?

2) Could I change the login to have the path be altered first then send them to the directory?

i.e.

Instead of +test1::0:0:test1 tester:/files/legal/output:/bin/rksh
send them to +test1::0:0:test1 tester:/files/legal/output:/bin/SCRIPT

Where the SCRIPT changes the path and gives them rksh access?

I am really not sure how to do that - if it is possible.

Any other suggestions?

Thanks for your help and time,

V
Why doesn't this work....?
harry d brown jr
Honored Contributor

Re: Limiting a Path for a user with rksh

Victor,

One way to restrict what commands a user has access to is to give them access to a path that contains only the commands you have given them access to, but man that has got to be painfully a manual process. The biggest problem is that many commands rely on the existence of others. Why not just give them access to a menu that gives them access to commands?

live free or die
harry
Live Free or Die
MANOJ SRIVASTAVA
Honored Contributor

Re: Limiting a Path for a user with rksh

For only restrictive FTP you need to do a man ftpaccess and a man chroot to know more. Setting up to execute the command in .profile etc. will not work in FTP because it doesn't work the way normal login works.


Manoj Srivastava