HPE Community
Operating System - HP-UX
1833874 Members
2425 Online
110063 Solutions
New Discussion

Re: Protect typescript file

 
MohitAnchlia
Frequent Advisor

‎09-13-2006 05:51 AM

‎09-13-2006 05:51 AM

Protect typescript file

We don't want to convert our system to trusted mode but be able to use scripts. Only problem to pursue this further is that user can write to file anytime. Is there a way to avert this, may be some way to audit operation on typescript file by users or some kind of special permissions - which I am incredulous about- to just give append mode access i.e no write or delete access.
0 Kudos
Reply
2 REPLIES 2
Mel Burslan
Honored Contributor

‎09-13-2006 07:23 AM

‎09-13-2006 07:23 AM

Re: Protect typescript file

What you are asking is not possible to do with the services supplied by the operating system. Once you give a user rights to append to a file, he/she can obliterate anything inside the file.

What you need to do is to put some kind of a wrapper around the script command to copy the typescript file once the user exits out of the shell. Something like this

#!/usr/bin/sh
/usr/bin/script /var/tmp/$(whoami)
cat /var/tmp/$(whoami) >> /var/adm/userlogs/$(whoami)
rm /var/tmp/$(whoami)


this code snippet can be placed under a directory which will preceede /usr/bin in the PATH variable and can be named script. Or you can rename script executable and point this command to the renamed executable. Upto you.

This is not a guaranteed way of protection though. Since the user has access to the logfile getting created, they can nullify or modify it while they are in session. By doing this you are relying on "security by obscurity" principle, which is an oxymoron to start with anyway. If your mind is set on security and auditing, you will need a product like PowerBroker in my opinion, short of converting to trusted system
________________________________
UNIX because I majored in cryptology...
0 Kudos
Reply
Bill Hassell
Honored Contributor

‎09-13-2006 03:09 PM

‎09-13-2006 03:09 PM

Re: Protect typescript file

Trusted will not do anything to protect scripts that are world-writable. If you have any scripts that are 777 (-rwxrwxrwx) then that is your problem. *NO* script should ever have that value. All scripts should be 755 (-rwxr-xr-x) so that only the owner can change the contents. This is basic Unix permissions. You don't want any user to change any scripts except the ones the user owns. This is called source code control. If anyone can make changes to these scripts, you might as well shutdown the computer as total chaos will soon be the result.


Bill Hassell, sysadmin
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.