
New User ID Restriction

take2mir
Advisor

New User ID Restriction

I have a task to create a new ID that is going to be used by a vendor. The ID profile is:
1) The ID to be created MUST have restricted sharing.
2) Created for their own user account.
3) Unable to read/navigate/view other directories.
4) Unable to write to other directories.
5) Able to create their own directory.

Your cooperation is highly appreciated.
Thanks in advance
Bill Hassell
Honored Contributor

Re: New User ID Restriction

I think the requirements are very incomplete. What version of HP-UX are you using? A basic HP-UX system has only two user privileges, root and everyone else. You can control access by group and user level, but the term "other directories" is unclear.

I think you are describing what is called a chroot jail, which is best implemented with the restricted shell: rsh or rksh. NOTE: this is difficult to set up because the user will have no access to any directory above $HOME. That means no commands like vi, etc., unless a copy is stored in the user's $HOME.

You may have to create a user menu instead. The menu will then limit all commands and access.


Bill Hassell, sysadmin
Kapil Jha
Honored Contributor

Re: New User ID Restriction

For me also, the restricted shell is the only good option.
Just search "restricted shell" in the search option of this forum, and you will get good information which may be useful to you.

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=876162
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=1086048
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=137882

BR,
Kapil
I am in this small bowl, I wane see the real world......
take2mir
Advisor

Re: New User ID Restriction

I use HP-UX 11.11. I have tried to use the rsh shell but it has limitations. I cannot create/add a new user (correct me if I am mistaken).
Kapil Jha
Honored Contributor

Re: New User ID Restriction

Sorry, I did not understand your point.
Not able to create a user?
You just create a new user and set its shell as ksh -r (r for restricted).

And your user would then have restricted access.
"man ksh"
BR,
Kapil
I am in this small bowl, I wane see the real world......
Dennis Handly
Acclaimed Contributor

Re: New User ID Restriction

>Kapil: put its shell as ksh -r (r for restricted).

That's put its shell as /usr/bin/rsh or /usr/bin/rksh.
Kapil Jha
Honored Contributor

Re: New User ID Restriction

Hi Dennis

>>>That's put its shell as /usr/bin/rsh or /usr/bin/rksh.

From the man page of ksh I have:
-r If the -r option is present, the shell is a restricted shell

rksh Only
rksh is used to set up login names and execution environments where capabilities are more controlled than those of the standard shell. The actions of rksh are identical to those of ksh, except that the following are forbidden:

Are these things different???
Why does ksh -r set the shell to /usr/bin/rsh (rsh is the remote shell here, like rlogin, right or wrong)?

I just used the restricted shell once with the ksh -r option and it worked fine.
BR,
Kapil

I am in this small bowl, I wane see the real world......
Dennis Handly
Acclaimed Contributor

Re: New User ID Restriction

>Kapil: Are these thing are different???
Why ksh -r can put shell to /usr/bin/rsh

For the passwd entry, you can only provide the path of the shell but no options. So rsh or rksh is needed.

>(rsh is remote shell here like rlogin right or wrong).

No, rsh is the restricted POSIX shell. remsh(1) is the remote shell. (On HP-UX)

>I just used restricted shell once with ksh -r option and it worked fine.

Sure but you can't add -r to /etc/passwd.
Kapil Jha
Honored Contributor

Re: New User ID Restriction

Yeah, I remember now.... I added it in .profile, I suppose.
Thanks for the clarification!!!!!
BR,
Kapil
I am in this small bowl, I wane see the real world......
take2mir
Advisor

Re: New User ID Restriction

Umm.. I mean that when I used the rsh shell, I could not add a new user. For example, my login ID now is ncps01, using the rsh shell. Then I want to add a new user, ncps02. When I try to execute the command 'useradd -m ncps02', it does not work.

Can both of you please give me the detailed steps that I should take to make sure the new ID that I created has the profile above?
Dennis Handly
Acclaimed Contributor

Re: New User ID Restriction

>i mean that, when i used rsh shell, i can not add new user.

I'm not sure I see the connection between you as root and the users you are adding?

>For example my login id now is ncps01, using rsh shell. Then i want to add new user, ncps02. When i try to execute command 'useradd -m ncps02', it can not work.

You must be root to add more users and your shell must be /sbin/sh.

>Can both of you please give me the details step that should i take to make sure the new id that i created have the profile above?

I don't know if rsh will do all of the above but here is how to add it:
# useradd -m ncps02 -s /usr/bin/rsh
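As an added example (not from any poster in this thread), a POSIX sh audit that reads passwd-style entries and reports which accounts log in through the HP-UX restricted shell (/usr/bin/rsh or /usr/bin/rksh), flags a shell field that carries options such as "ksh -r" (which /etc/passwd cannot express, as Dennis notes), and checks that a vendor home directory denies group and others. The passwd lines are constructed; the account names reuse ncps01/ncps02 from the thread.

```shell
#!/bin/sh
# Added example: audit restricted-shell accounts in a passwd-style file.
# Sample entries below are constructed, not taken from a real system.
SAMPLE_PASSWD='root:x:0:3::/:/sbin/sh
ncps01:x:101:20::/home/ncps01:/usr/bin/rsh
ncps02:x:102:20::/home/ncps02:/usr/bin/rksh
vendor3:x:103:20::/home/vendor3:/usr/bin/ksh -r
dev1:x:104:20::/home/dev1:/usr/bin/ksh'

# Read passwd lines on stdin and print "user<TAB>status" for each entry:
#   restricted   - shell is /usr/bin/rsh or /usr/bin/rksh (the user cannot
#                  change directory, as discussed in the thread)
#   invalid      - shell field contains whitespace, e.g. "ksh -r"; the passwd
#                  shell field holds only a path, so such a login fails
#   unrestricted - any other shell
audit_shells() {
    awk -F: '
        NF >= 7 {
            shell = $7
            if (shell ~ /[[:space:]]/)            status = "invalid"
            else if (shell == "/usr/bin/rsh" ||
                     shell == "/usr/bin/rksh")    status = "restricted"
            else                                  status = "unrestricted"
            print $1 "\t" status
        }'
}

# Status of one user from the sample data (helper for scripted checks).
shell_status() {
    printf '%s\n' "$SAMPLE_PASSWD" | audit_shells |
        awk -F'\t' -v u="$1" '$1 == u { print $2 }'
}

# Number of sample accounts in a given status.
count_status() {
    printf '%s\n' "$SAMPLE_PASSWD" | audit_shells |
        awk -F'\t' -v s="$1" '$2 == s { n++ } END { print n + 0 }'
}

# True when a directory denies group and others entirely (mode ?rwx------),
# which keeps other vendor IDs from reading or writing that home directory
# (requirements 3 and 4 of the original post, applied to the new home).
home_is_private() {
    perms=$(ls -ld "$1" | awk '{ print substr($1, 5, 6) }')
    [ "$perms" = "------" ]
}

printf '%s\n' "$SAMPLE_PASSWD" | audit_shells
```

Run it against a copy of the real /etc/passwd by replacing the embedded sample with `audit_shells < /etc/passwd`.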
take2mir
Advisor

Re: New User ID Restriction

I have tried. After creating a new directory, the ID is unable to navigate the just created directory.
Dennis Handly
Acclaimed Contributor

Re: New User ID Restriction

>After creating a new directory, the ID is unable to navigate the just created directory.

Unfortunately rsh won't let the user change the directory.
take2mir
Advisor

Re: New User ID Restriction

Are there any other options?
Dennis Handly
Acclaimed Contributor

Re: New User ID Restriction

I think you are limited to what Bill mentioned.
Unless you can use ACLs, getacl(1) & setacl(1).
Kapil Jha
Honored Contributor

Re: New User ID Restriction

>>>1)The ID to be created is MUST be restricted sharing.
>>>2)create for their own user account
>>>3)unable to read/navigate/view other directories
>>>4)unable to write to other directories

You are not able to change directory; I think that's what you want for your 3rd requirement.
It fulfills your 4th requirement also.
BR,
Kapil
I am in this small bowl, I wane see the real world......
take2mir
Advisor

Re: New User ID Restriction

Yup, but not for his own created directory..
take2mir
Advisor

Re: New User ID Restriction

Thank you folks