HPE Community
Operating System - HP-UX
1832978 Members
2776 Online
110048 Solutions
New Discussion

Re: Restrict user access to limited directories?

 
SOLVED
Go to solution
RedBack
Frequent Advisor

‎06-12-2003 10:22 AM

‎06-12-2003 10:22 AM

Restrict user access to limited directories?

I have a need to restrict a new user to a single mount point and his home directory. Is there an easy way to limit this users wanderings?
If I create a new group, make it the owner of the filesystem and place the user in only in this group, will this be enough. I'm sure they will still be able to access any directory with 775 permissions. Can I keep an audit of all his commands? This user is an experienced UNIX users and will no how to bypass basic security.
0 Kudos
Reply
11 REPLIES 11
Paul Sperry
Honored Contributor

‎06-12-2003 10:27 AM

‎06-12-2003 10:27 AM

Re: Restrict user access to limited directories?

an audit of all of his commands will be in
/home/users/.sh_history
0 Kudos
Reply
Umapathy S
Honored Contributor

‎06-12-2003 10:35 AM

‎06-12-2003 10:35 AM

Re: Restrict user access to limited directories?

Mark,
You can use restriced shell. Check this thread for more info.

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x4b278f960573d611abdb0090277a778c,00.html

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x6b165fe8b250d71190080090279cd0f9,00.html

HTH,
Umapathy
Arise Awake and Stop NOT till the goal is Reached!
0 Kudos
Reply
Bill Hassell
Honored Contributor

‎06-12-2003 10:41 AM

‎06-12-2003 10:41 AM

Re: Restrict user access to limited directories?

The restricted shell is a good way to keep a user from 'playing' with the system. However, you might be better off changing the user's shell to an application program or menu program where there are no shell commands or the ability to run system commands.


Bill Hassell, sysadmin
0 Kudos
Reply
Bill Douglass
Esteemed Contributor

‎06-12-2003 10:42 AM

‎06-12-2003 10:42 AM

Re: Restrict user access to limited directories?

For securing them in one place, you can make their shell rksh. This restricts them from changing directories, among other things (see ksh man page). You can also do a chroot on their home directory (chroot /home/ /home//usr/bin/ksh as an example). However, when using chroot, you must be sure to copy all binaries and shared libs that are needed into the user's home directory, as all files above that point will be inaccessible.

If you want to safely log user commands, enable accounting (man 1m acct) and use the command

lastcomm

to see what commands the user has executed. The main drawback is that acct does not store command arguments.
0 Kudos
Reply
Umapathy S
Honored Contributor

‎06-12-2003 10:47 AM

‎06-12-2003 10:47 AM

Re: Restrict user access to limited directories?

This may of some help also,

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0xb62a06350fe2d61190050090279cd0f9,00.html

HTH,
Umapathy
Arise Awake and Stop NOT till the goal is Reached!
0 Kudos
Reply
RedBack
Frequent Advisor

‎06-12-2003 10:48 AM

‎06-12-2003 10:48 AM

Re: Restrict user access to limited directories?

The user still needs to have full access inside the mount point. Creating directories, running programs ect. I just want to restrict him to this one file system.
0 Kudos
Reply
Shannon Petry
Honored Contributor

‎06-12-2003 10:48 AM

‎06-12-2003 10:48 AM

Re: Restrict user access to limited directories?

You have quite a dillema on your hands.

First, a restricted shell will help, but you may not be able to use it. rsh puts a user in home jail, and restricts which commands the user has access too. I.E. No networking commands, no ftp, etc...

The bigger issue is the audition piece of it. Basically, you need a full time baby sitter ;)

There used to be a couple 3rd party programs that would allow you to monitor everything in a tty. Since you could monitor, it's just as easy to dump to file.

MVS and OS/400 allow you to log so much you can tell if a user farts at the terminal. Beyond those 2 though, no operating system has this much logging capability.

So, do a google search and see what you can find for a terminal monitor and logger. From a brief search, I found a $60.00 program at:
http://keystroke-loggers.staticusers.net/unix.shtml




Regards,
Shannon
Microsoft. When do you want a virus today?
0 Kudos
Reply
Shannon Petry
Honored Contributor

‎06-12-2003 11:04 AM

‎06-12-2003 11:04 AM

Re: Restrict user access to limited directories?

Bill of course makes a good point, you can try to make your own program and have it launch what the users need. However, be very wary of programs which will shell out, such as sam, vi, etc...

Bills method will also let you address the logging part relatively easily.

Regards,
Shannon
Microsoft. When do you want a virus today?
0 Kudos
Reply
Dario_1
Trusted Contributor

‎06-12-2003 11:11 AM

‎06-12-2003 11:11 AM

Re: Restrict user access to limited directories?

Mark:

Check these posts:

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x85538b82cc91d711abdc0090277a778c,00.html

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0xf9428b82cc91d711abdc0090277a778c,00.html

Hope they help.

Regards,

Dario
0 Kudos
Reply
Leif Halvarsson_2
Honored Contributor

‎06-12-2003 11:16 AM

‎06-12-2003 11:16 AM

Solution

Re: Restrict user access to limited directories?

Hi,
Perhaps a possible "workaround". Use a separate computer for this user (on which there is no security problem) and NFS-mount the directory from the computer where he should have limited acess.
Reply
RedBack
Frequent Advisor

‎06-12-2003 11:41 AM

‎06-12-2003 11:41 AM

Re: Restrict user access to limited directories?

Leif,

Great idea, what I will do is set up Linux on a PC. Mount the NFS share of the filesystem that he will need full access to and voila!!
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.