Operating System - HP-UX
1832973 Members
2426 Online
110048 Solutions
New Discussion

Restrict user access to limited directories?

 
SOLVED
Go to solution
RedBack
Frequent Advisor

Restrict user access to limited directories?

I have a need to restrict a new user to a single mount point and his home directory. Is there an easy way to limit this users wanderings?
If I create a new group, make it the owner of the filesystem and place the user in only in this group, will this be enough. I'm sure they will still be able to access any directory with 775 permissions. Can I keep an audit of all his commands? This user is an experienced UNIX users and will no how to bypass basic security.
11 REPLIES 11
Paul Sperry
Honored Contributor

Re: Restrict user access to limited directories?

an audit of all of his commands will be in
/home/users/.sh_history
Umapathy S
Honored Contributor

Re: Restrict user access to limited directories?

Mark,
You can use restriced shell. Check this thread for more info.

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x4b278f960573d611abdb0090277a778c,00.html

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x6b165fe8b250d71190080090279cd0f9,00.html

HTH,
Umapathy
Arise Awake and Stop NOT till the goal is Reached!
Bill Hassell
Honored Contributor

Re: Restrict user access to limited directories?

The restricted shell is a good way to keep a user from 'playing' with the system. However, you might be better off changing the user's shell to an application program or menu program where there are no shell commands or the ability to run system commands.


Bill Hassell, sysadmin
Bill Douglass
Esteemed Contributor

Re: Restrict user access to limited directories?

For securing them in one place, you can make their shell rksh. This restricts them from changing directories, among other things (see ksh man page). You can also do a chroot on their home directory (chroot /home/ /home//usr/bin/ksh as an example). However, when using chroot, you must be sure to copy all binaries and shared libs that are needed into the user's home directory, as all files above that point will be inaccessible.

If you want to safely log user commands, enable accounting (man 1m acct) and use the command

lastcomm

to see what commands the user has executed. The main drawback is that acct does not store command arguments.
Umapathy S
Honored Contributor

Re: Restrict user access to limited directories?

This may of some help also,

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0xb62a06350fe2d61190050090279cd0f9,00.html

HTH,
Umapathy
Arise Awake and Stop NOT till the goal is Reached!
RedBack
Frequent Advisor

Re: Restrict user access to limited directories?

The user still needs to have full access inside the mount point. Creating directories, running programs ect. I just want to restrict him to this one file system.
Shannon Petry
Honored Contributor

Re: Restrict user access to limited directories?

You have quite a dillema on your hands.

First, a restricted shell will help, but you may not be able to use it. rsh puts a user in home jail, and restricts which commands the user has access too. I.E. No networking commands, no ftp, etc...

The bigger issue is the audition piece of it. Basically, you need a full time baby sitter ;)

There used to be a couple 3rd party programs that would allow you to monitor everything in a tty. Since you could monitor, it's just as easy to dump to file.

MVS and OS/400 allow you to log so much you can tell if a user farts at the terminal. Beyond those 2 though, no operating system has this much logging capability.

So, do a google search and see what you can find for a terminal monitor and logger. From a brief search, I found a $60.00 program at:
http://keystroke-loggers.staticusers.net/unix.shtml




Regards,
Shannon
Microsoft. When do you want a virus today?
Shannon Petry
Honored Contributor

Re: Restrict user access to limited directories?

Bill of course makes a good point, you can try to make your own program and have it launch what the users need. However, be very wary of programs which will shell out, such as sam, vi, etc...

Bills method will also let you address the logging part relatively easily.

Regards,
Shannon
Microsoft. When do you want a virus today?
Dario_1
Trusted Contributor

Re: Restrict user access to limited directories?

Leif Halvarsson_2
Honored Contributor
Solution

Re: Restrict user access to limited directories?

Hi,
Perhaps a possible "workaround". Use a separate computer for this user (on which there is no security problem) and NFS-mount the directory from the computer where he should have limited acess.
RedBack
Frequent Advisor

Re: Restrict user access to limited directories?

Leif,

Great idea, what I will do is set up Linux on a PC. Mount the NFS share of the filesystem that he will need full access to and voila!!