
Re: security

 
SOLVED
John Forbes
Occasional Advisor

security

How can I restrict ordinary users from executing commands in /usr/sbin? I'm running HP-UX 10.20.
6 REPLIES
Michael Tully
Honored Contributor
Solution

Re: security

Hi,

There are two ways:

The first and simplest method is to remove the path from either the users' .profile or the system's /etc/profile. The second and a little more drastic method is to change the permissions on the programs in /usr/sbin to be '550'. Doing so may cause one or more of your applications to collapse, but it is worthwhile at least testing.

Cheers
Michael
Anyone for a Mutiny ?
U.SivaKumar_2
Honored Contributor

Re: security

Hi,
There are executables which are already secure
in /usr/sbin which can be run only as root.
e.g. gated, sendmail
r-xr-xr-x 1 2 bin 995328 Oct 27 1997 /usr/sbin/gated
Still you can use chmod command to set your own
privileges.
#man chmod
regards,
U.SivaKumar
Innovations are made when conventions are broken
Peter Kloetgen
Esteemed Contributor

Re: security

Hi John,

You can take sbin out of PATH for normal users, but this does NOT disable the commands for them! They can still use absolute paths to get the commands to work:

/usr/sbin/whatever_command

will work....

To prevent all normal users, you have to change permissions on /usr/sbin, using the chmod command:

chmod -R 550 /usr/sbin

Always stay on the bright side of life!

Peter
I'm learning here as well as helping
John Forbes
Occasional Advisor

Re: security

I'm also thinking of the same way, to change the permissions, but kind of hesitant, so I posted the question. Thanks for your responses.
harry d brown jr
Honored Contributor

Re: security

John,

The best way is to keep users out of shells and in their applications, that way they can't execute squat! Really, the only users who should be allowed into shells are System Admins and DBAs - on production machines.

Don't forget that some /usr/sbin commands are links to /sbin and /usr/lbin.


live free or die
harry



Live Free or Die
Steven Sim Kok Leong
Honored Contributor

Re: security

Hi,

Setting the correct permissions is the cleanest way to go about restricting.

Apart from permissions, some other methods include:

1) setting ACL (access control lists) for the commands in /usr/sbin. You can restrict only superuser and daemons' access to /usr/sbin etc.

man setacl (for JFS) or man chacl (for HFS) for more information.

2) use chroot to create a virtual root which prevents the user in this virtual root directory from accessing the real /usr/sbin.

man chroot for more information.

3) restrict what your users can do via restricted sam. Restricted sam allows you to limit users to specific scripts or commands. It also allows you to specify which users can run what programs with specific user's (can be another user's) privileges.

man sam for more information.

Hope this helps. Regards.

Steven Sim Kok Leong
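
An added example, not posted by anyone in the thread: a read-only POSIX shell check that previews what a mode change such as the `chmod -R 550 /usr/sbin` discussed above would touch, and that flags the symlinked commands mentioned in the replies. The function names and the sample tree are constructed for illustration; nothing in it changes permissions on the audited directory.

```shell
#!/bin/sh
# Read-only preview of what tightening modes on a directory would touch.
# Function names and the sample tree are assumptions made for this example.

audit_sbin() {
    dir=$1
    for f in "$dir"/*; do
        if [ -h "$f" ]; then
            # A link's own mode is irrelevant; access is decided by the
            # target, which may live in another directory.
            echo "LINK       $f -> $(ls -ld "$f" | sed 's/.* -> //')"
        elif [ -f "$f" ]; then
            mode=$(ls -ld "$f" | cut -c1-10)
            case $mode in
                ???[sS]*) echo "SETUID     $f $mode" ;;   # review by hand
                *[xt])    echo "WORLD-EXEC $f $mode" ;;   # 550 would change this
                *)        echo "RESTRICTED $f $mode" ;;   # already closed to others
            esac
        fi
    done
}

# Constructed sample tree (not real HP-UX contents) for an offline run.
build_sample() {
    root=${TMPDIR:-/tmp}/sbin_audit.$$
    mkdir -p "$root/sbin" "$root/usr/sbin" || return 1
    for n in open closed suid; do : > "$root/usr/sbin/$n"; done
    : > "$root/sbin/real"
    chmod 555 "$root/usr/sbin/open" "$root/sbin/real"
    chmod 550 "$root/usr/sbin/closed"
    chmod 4555 "$root/usr/sbin/suid"
    ln -s ../../sbin/real "$root/usr/sbin/linked"
    echo "$root"
}

# With an argument, audit that directory; otherwise audit the sample.
if [ $# -gt 0 ]; then
    audit_sbin "$1"
else
    sample=$(build_sample) && audit_sbin "$sample/usr/sbin"
    if [ -n "$sample" ]; then rm -rf "$sample"; fi
fi
```

Run it as `sh audit.sh /usr/sbin` and compare the WORLD-EXEC and LINK lines against what your applications call before changing any modes.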