
rexec

Ihab Zaki
Advisor

rexec

Hello,

Is there a way to ban only one user from using rexec?

I know that I can comment the 'exec' line in /etc/inetd.conf but this will ban all users.

Thanks,
Ihab
Mark Grant
Honored Contributor

Re: rexec

You can use /var/adm/inetd.sec to limit individual IPs and hosts from running services.

It will look something like the following, but check out "man inetd.sec":

exec deny 10.0.8.231
Never precede any demonstration with anything more predictive than "watch this"
Graham Cameron_1
Honored Contributor

Re: rexec

Further to Mark's suggestion, note that you will have to modify the inetd.sec file on each remote system you want to stop the user getting out to.

You could consider writing a wrapper for rexec on the local system, but it's not so clean a solution.

-- Graham
Computers make it easier to do a lot of things, but most of the things they make it easier to do don't need to be done.
Ihab Zaki
Advisor

Re: rexec

This applies to host / IP but not to user level. In my case I want to ban a user, not a machine.
Mark Grant
Honored Contributor
Solution

Re: rexec

You can do this but it's going to be really annoying. You can make sure that each user that uses rexec has a .rhosts file except the one you want to stop and that /etc/hosts.equiv does not contain a reference to the originating host.

This is going to be a pain to manage if you have a lot of users using rexec.
Never precede any demonstration with anything more predictive than "watch this"
Graham Cameron_1
Honored Contributor

Re: rexec

I don't think the suggestion re .rhosts will help.
Unlike remsh, rexec does not use .rhosts (or hosts.equiv). It prompts for a password and uses login authentication.

-- Graham
Computers make it easier to do a lot of things, but most of the things they make it easier to do don't need to be done.
Mark Grant
Honored Contributor

Re: rexec

Graham,

"man rexec"
Never precede any demonstration with anything more predictive than "watch this"
Jeff Schussele
Honored Contributor

Re: rexec

Hi Ihab,

Another option would be to obtain & install Tcp_wrappers software. Using its /etc/hosts.allow & /etc/hosts.deny files, granularity can be taken down to the user level as well as host & subnet levels.

Tcp_wrappers can be obtained here:

http://hpux.cs.utah.edu/hppd/hpux/Networking/Admin/tcp_wrappers-7.6/

Rgds,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
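Added example, not part of the thread and not code from the tcp_wrappers distribution: a simplified Python model of how /etc/hosts.allow and /etc/hosts.deny evaluate a user@host client pattern, as described in hosts_access(5). It shows that the user field is the name reported by the client host's ident (RFC 1413) service, so such a rule only holds for client hosts you administer. The daemon name rexecd, the user names and the rule text are assumptions.

```python
# Simplified model of tcp_wrappers access control (hosts_access(5)) for
# user@host client patterns. Constructed sample rules; not tcp_wrappers code.

HOSTS_ALLOW = ""                      # constructed: empty allow file
HOSTS_DENY = "rexecd: baduser@ALL\n"  # constructed: deny one ident-reported user

def host_matches(pattern, host):
    if pattern == "ALL":
        return True
    if pattern.startswith("."):       # domain suffix, e.g. .example.com
        return host.endswith(pattern)
    if pattern.endswith("."):         # network prefix, e.g. 10.0.8.
        return host.startswith(pattern)
    return pattern == host

def client_matches(pattern, user, host):
    if "@" in pattern:                # user@host form
        user_pat, host_pat = pattern.split("@", 1)
        return user_pat in ("ALL", user) and host_matches(host_pat, host)
    return host_matches(pattern, host)

def rule_hits(rules, daemon, user, host):
    for line in rules.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, clients = [f.strip() for f in line.split(":")[:2]]
        daemon_ok = any(d in ("ALL", daemon)
                        for d in daemons.replace(",", " ").split())
        if daemon_ok and any(client_matches(c, user, host)
                             for c in clients.replace(",", " ").split()):
            return True
    return False

def access(daemon, host, ident_user=None):
    # The user name comes from an ident query to the *client* host; when the
    # lookup is not answered, the wrapper sees the user as "unknown".
    user = ident_user or "unknown"
    if rule_hits(HOSTS_ALLOW, daemon, user, host):
        return "allow"                # hosts.allow is consulted first
    if rule_hits(HOSTS_DENY, daemon, user, host):
        return "deny"
    return "allow"                    # no match in either file: granted
```

With these rules, a connection from 10.0.8.231 is denied only when the client's ident service reports baduser; the same connection with no ident answer falls through to allow.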
Mark Grant
Honored Contributor

Re: rexec

Graham,

Apologies!! You are right, it's a long time since I read the man page for "rexec".

rexec authenticates the same as login!
Never precede any demonstration with anything more predictive than "watch this"