
Restricting users to certain directories

 
Kevin Moore_2
Occasional Advisor

Restricting users to certain directories

Hi,

We have a number of users who log in to our HP-UX 11.00 systems to analyze log files. They only need to be able to read (not edit) the files in one directory. Can this be forced?
I was thinking of setting their home directory to the logdir, and then somehow disabling the cd command.
Does anyone know how to do this, or maybe have better ideas on how to accomplish it?

Many thanks,
Kevin
Never put something off, for it may be your last chance
Stefan Farrelly
Honored Contributor

Re: Restricting users to certain directories

Use the restricted shell (rsh); this disables the cd command completely. See the man page on sh-posix for the section on rsh.
I'm from Palmerston North, New Zealand, but somehow ended up in London...
Thierry Poels_1
Honored Contributor

Re: Restricting users to certain directories

Yep, rsh is nice, but if the user is able to start another shell, then he's back to being free to go wherever he wants.
regards,
Thierry.
All unix flavours are exactly the same . . . . . . . . . . for end users anyway.
Kevin Moore_2
Occasional Advisor

Re: Restricting users to certain directories

Thanks Stefan,

rsh is a good start, but the users have a fair idea of what's going around. They can still view files using more /whatever/file.xxx.
It would be an impossible job to try and change permissions on all the files.
What I am looking to do exactly is let them view files in one directory, and nowhere else. I don't even want them to be able to ls.
I know it's probably a huge task, just looking for a place to start.
I was originally thinking of using FMLI, but my HP TAM says it is not available on HP-UX.

Kevin
Never put something off, for it may be your last chance
Stefan Farrelly
Honored Contributor

Re: Restricting users to certain directories

Instead of using rsh you can accomplish what you want simply with permissions. With the directory and files set to read only there is no way someone will be able to modify them.
I'm from Palmerston North, New Zealand, but somehow ended up in London...
David Lodge
Trusted Contributor
Solution

Re: Restricting users to certain directories

None of the above solutions are perfect.

The only real way of doing this is to force the user into a restricted chrooted environment.

This can be done by coding a login shell which chroots the user to the area.

Or, the easiest way is to do it via FTP and ftpaccess - this means the users will only be able to FTP in, but you can restrict them easily.

For more details on this, check the ftpaccess man page.
Mark Fenton
Esteemed Contributor

Re: Restricting users to certain directories

Could you achieve your goal with their profile set to root to the log directory and then the shell they receive being rsh? Something like a passwd entry of

usera:x:uid:gid:comment:/logdir:/usr/bin/rsh

Presupposes you are not using NIS (or NIS+) if there are multiple UNIX boxes in the domain....
Kevin Moore_2
Occasional Advisor

Re: Restricting users to certain directories

Thanks a million David,

Your suggestion on chroot definitely looks like the right way to go. Don't suppose you know where there is good documentation on this, or an example of what I am trying to do, as I haven't been able to find any.

Thanks again for the great idea
Kevin
Never put something off, for it may be your last chance
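
The chroot login shell suggested in the accepted answer, sketched as an added example (not code from the thread or from any poster): a setuid-root C wrapper that checks the jail, chroots into it, drops root irreversibly and only then starts a shell. The jail path /logjail and the in-jail shell /bin/sh are assumptions; the jail has to contain that shell and whatever libraries it needs.

```c
/* Login wrapper: install setuid root and use as the user's shell.
 * JAIL and SHELL are assumed paths for this example. */
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

#define JAIL  "/logjail"   /* assumed: root-owned tree holding the logs */
#define SHELL "/bin/sh"    /* assumed: shell copied inside the jail */

/* Return 0 only if path is absolute, a real directory (not a symlink),
 * owned by root and not writable by group or others. A jail the user
 * can modify is not a jail. */
int jail_dir_ok(const char *path)
{
    struct stat st;
    if (path == NULL || path[0] != '/') return -1;
    if (lstat(path, &st) != 0) return -1;
    if (!S_ISDIR(st.st_mode)) return -1;
    if (st.st_uid != 0) return -1;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return -1;
    return 0;
}

/* chroot, then give up root for good. Order matters: chdir before
 * chroot, chdir("/") after it, group before user. */
int enter_jail(const char *path, uid_t uid, gid_t gid)
{
    if (uid == 0) return -1;                /* never jail root itself */
    if (jail_dir_ok(path) != 0) return -1;
    if (chdir(path) != 0 || chroot(path) != 0 || chdir("/") != 0) return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (setuid(0) == 0) return -1;          /* drop must be irreversible */
    return 0;
}

int main(void)
{
    char *argv[] = { "-sh", NULL };
    char *envp[] = { "PATH=/bin", "HOME=/", NULL };  /* fixed environment */

    if (enter_jail(JAIL, getuid(), getgid()) != 0) {
        fprintf(stderr, "login refused\n");
        return 1;
    }
    execve(SHELL, argv, envp);
    return 1;   /* only reached if execve failed */
}
```

Because the wrapper fails closed, a missing or user-writable jail directory results in a refused login rather than an unconfined shell.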