MRSG
Frequent Advisor

read only access

I want to set up a user account which has read-only access to the whole system. This should not allow vi, running of scripts, creating or writing to files, etc., but should allow reading all the files and access to any directories. Is this somehow possible?
Pete Randall
Outstanding Contributor

Re: read only access

Not really.


Pete
Pete Randall
Outstanding Contributor

Re: read only access

Actually, the only way I can think of to do this is to provide scripted versions of all the commands that this user could possibly want to use in the users' home directory. The scripted versions would have to have the restrictive logic built in and then pass off whatever was deemed to be a safe command to the real command.

Even then, it's a less than ideal solution - and a heck of a lot of work!


Pete
Shannon Petry
Honored Contributor

Re: read only access

The closest you can get is using a restricted shell. This will chroot() a user to their home directory, as well as not allow access to the normal binaries in a system.

Since it is a chrooted environment, they will have NO access to the normal system, but you can control what binaries they have access to.

Read the man pages for rsh, and see if this fits your needs.



Regards,
Shannon
Microsoft. When do you want a virus today?
MRSG
Frequent Advisor

Re: read only access

Thanks for your replies...

Is it possible to restrict editing or running scripts by putting restrictions in .profile?

Somebody mentioned ACL to me. I don't know what it is... can that help in any way?
Pete Randall
Outstanding Contributor

Re: read only access

Typically, restrictions are done through file and directory permissions. ACLs, or Access Control Lists, are an extension to that functionality. You can take a look at "man setacl", but I don't think this is going to do what you require.

Restricted shell, as Shannon points out, is another possibility, but will not allow access to the whole system, as you required.

Profiles aren't suited to setting up restrictions either.


Pete
Darren Prior
Honored Contributor

Re: read only access

Hi,

Although I don't think it's a very nice thing to do, there are a couple of possible ways of doing this.

1) Set up a CIFS share for / with read-only access. Ensure the security is set appropriately, as otherwise others could have access to /etc/passwd and other files.

2) Set up Apache where the htdocs dir points at /. Ensure security... as before.

I wouldn't suggest you seriously use either of these methods; the only people who should have access to every file on the system are system admins, and they would already have the required access.

regards,

Darren
Calm down. It's only ones and zeros...
Abskhan
Occasional Advisor

Re: read only access

Write a small script which will give options to browse and read the file and call it from the user's profile.

Hope this helps.
Shannon Petry
Honored Contributor
Solution

Re: read only access

No, No, and No I think covers your last questions.

ACLs work on files, and will give read permissions. However, if you're in a standard shell, you can force load of executables even without a bit set.

The HP suggestion is to give read access to the whole system with CIFS, and you could also do this with NIS. exportfs / -ro=host.

It seems to me though, that the person actually needs a session on the system. (hence your question about the .profile).

There is absolutely NO way to make a system accessible and remove all access without a restricted shell. In a restricted shell you have access to your home, and very limited shell functions. rsh disallows "cd", "pushd", "popd", "mkdir", and many other functions. Basically you can use non-volatile shell commands and tools. I.E.
ls | more

and whatever binaries the Admin gives you access to. I.E. a copy of more or cat in the user's home would allow them to use that command.

I'd highly suggest you read the man pages for rsh again, to see if it fits your needs. From what you describe, it's as close as you will get.


If this user is only accessing the system to run a script, why not make the script their default shell?

Regards,
Shannon
Microsoft. When do you want a virus today?
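
A sketch of the script-as-login-shell approach suggested in the replies above, added here as an example and not code posted by anyone in the thread: a viewer that accepts only `ls`, `cat` and `quit` with a validated absolute path and never evaluates what the user types. The function names (`ro_check`, `ro_dispatch`, `ro_loop`) are hypothetical, and the script assumes a POSIX `sh`; it can show only what the account's file permissions already allow.

```sh
#!/bin/sh
# Added example: read-only viewer intended to be an account's login shell.
# Only ls and cat are reachable; nothing the user types is ever evaluated.
PATH=/usr/bin:/bin; export PATH      # fixed PATH, ignore the inherited one
LC_ALL=C; export LC_ALL              # make the character ranges below literal

# ro_check PATH: accept only absolute paths made of plain characters.
ro_check() {
    case $1 in
        /*) ;;                                 # must be absolute
        *)  return 1 ;;
    esac
    case $1 in
        *[!A-Za-z0-9._/-]*) return 1 ;;        # no spaces, quotes, $ ; | etc.
    esac
    return 0
}

# ro_dispatch VERB PATH: returns 0 = shown, 1 = refused, 2 = quit requested.
ro_dispatch() {
    case $1 in
        q|quit) return 2 ;;
        ls|cat) ;;
        *) echo "refused: commands are ls, cat, quit"; return 1 ;;
    esac
    ro_check "$2" || { echo "refused: absolute path, plain characters only"; return 1; }
    case $1 in
        ls)  ls -l "$2" ;;
        cat) # regular files only, so devices and FIFOs cannot hang the session
             [ -f "$2" ] || { echo "refused: not a regular file"; return 1; }
             cat "$2" ;;
    esac
}

# ro_loop: prompt until quit or end of input.
ro_loop() {
    trap '' INT QUIT TSTP            # keyboard signals must not interrupt the loop
    while printf 'ro> ' && read -r verb path; do
        ro_dispatch "$verb" "$path"
        [ $? -eq 2 ] && break
    done
}

# Start the prompt only on a terminal so the functions can be tested alone.
if [ -t 0 ]; then ro_loop; exit 0; fi
```

`cat` is used instead of `more` because pagers commonly provide a shell escape, which would defeat the restriction.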