Re: To restrict the PATH on UNIX.
05-11-2010 08:09 AM
I'm trying to restrict the path for a user on Unix.
The user has a home directory in /dir1/dir2/dir3
There are more directories and I need the user not to enter another directory.
Can anybody help me to do this?
My OS is HP-UX B.11.31 U ia64
Thanks.
Regards.
05-11-2010 08:36 AM
Re: To restrict the PATH on UNIX.
For any directory you don't want the user to access, you can set the permission on that directory: chmod 700
05-11-2010 08:39 AM
05-11-2010 09:14 AM
Re: To restrict the PATH on UNIX.
I did that procedure but it wasn't successful.
# cd /tmp
# mkdir dir1
# cd dir1
# mkdir dir2
# cd dir2
# mkdir dir3
# groupadd prueba
# useradd unix
# ll
total 0
drwxr-xr-x 2 root sys 96 May 11 11:44 dir3
# chown unix:prueba dir3
# ll
total 0
drwxr-xr-x 2 unix prueba 96 May 11 11:44 dir3
# cd dir3
# mkdir dir4
# ll
total 0
drwxr-xr-x 2 root sys 96 May 11 11:45 dir4
# chgrp users dir4
# ll
total 0
drwxr-xr-x 2 root users 96 May 11 11:45 dir4
# chmod 770 dir4
# ll
total 0
drwxrwx--- 2 root users 96 May 11 11:45 dir4
# cd ../..
# chgrp users dir2
# chmod 770 dir2
# cd ..
# chgrp users dir1
# chmod 770 dir1
passwd file [/etc/passwd]:
unix:*:115:109::/tmp/dir1/dir2/dir3:/sbin/sh
group file [/etc/group]:
prueba::109:
But when I log in with the unix user, its home directory is in the / directory. I guess it is because the dir1 has 770 Permissions.
---------------------------------------------
Hi Dennis Handly.
Thanks for your response.
It works!
Thank you.
Regards. :)
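In the transcript above, dir1 and dir2 end up as root:users with mode 770, so a user outside that group has no search permission on the way to /tmp/dir1/dir2/dir3. An added example (not from the thread) that lists such ancestor directories; the function name blocked_ancestors is made up here, and it assumes the user is neither owner nor group member of the ancestors:

```sh
#!/usr/bin/sh
# Added example: list the ancestors of a home directory whose "other"
# permission class has no search (x) bit.
# Assumption: the user is neither owner nor group member of the ancestors,
# as with user "unix" (group prueba) and dir1/dir2 (root:users) above.
blocked_ancestors() {
    parent=$(dirname "$1")
    found=0
    current=""
    old_ifs=$IFS
    # Split the parent path on "/" without filename expansion.
    set -f; IFS=/
    set -- $parent
    IFS=$old_ifs; set +f
    for part in "$@"; do
        [ -n "$part" ] || continue
        current="$current/$part"
        # First 10 characters of ls -l output: file type plus rwx triplets.
        mode=$(ls -ldL "$current" 2>/dev/null | cut -c1-10)
        case $mode in
            d????????[xt]) ;;   # others may search this directory
            *) printf '%s\n' "$current"; found=1 ;;   # blocked or unreadable
        esac
    done
    return "$found"
}
```

Granting only the search bit on the listed directories (for example mode 711) lets the user reach the home directory without being able to list them.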
05-11-2010 09:53 AM
Re: To restrict the PATH on UNIX.
I have a question about rsh.
This shell does not allow changing to any directory.
Is there a way to change directory only within my path?
For example:
$ whoami
dsarmien
$ pwd
/home/dsarmien
$ ll
total 0
drwxr-xr-x 2 dsarmien users 96 May 11 12:47 dir1
$ cd dir1
$ ll
total 0
$ pwd
/home/dsarmien/dir1
But in other directories the system would restrict the access?
$ cd /
rsh: cd: The operation is not allowed in a restricted shell.
$ cd ../..
rsh: cd: The operation is not allowed in a restricted shell.
$
Any idea?
Thanks.
DASM
05-11-2010 10:13 AM
Re: To restrict the PATH on UNIX.
1) You can restrict path all you like, the user however can change it back.
2) Your restricted shell is working correctly in your last post. The point is to prevent cd up to root.
3) You have a third option called chroot ssh. Secure Shell (openssh) for HP-UX comes with a script to create a chroot ssh environment, but the response to your cd commands in your last post will be identical.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
05-12-2010 12:10 AM
Re: To restrict the PATH on UNIX.
rsh allows you to create aliases or functions that can invoke an unrestricted cd.
What you need to do is put enough checking there. Or always insert $HOME in front.
05-12-2010 12:15 AM
Re: To restrict the PATH on UNIX.
>>There are more directories and I need the user not to enter another directory.
You can create a jail and limit a particular user's directories using chroot in /etc/passwd of the user.
or
Use
/opt/ssh/ssh_chroot_setup.sh
Aneesh
05-12-2010 12:42 AM
Re: To restrict the PATH on UNIX.
05-12-2010 07:24 AM
Re: To restrict the PATH on UNIX.
Thanks for your responses.
Dennis, please could you tell me how I can insert $HOME in front?
Is that procedure in the .profile file?
I understand the chroot is an operation that changes the apparent disk root directory for the current running process and its children, but what do I need to change in /etc/passwd of the user?
I followed the instructions according to http://tldp.org/HOWTO/Chroot-BIND-HOWTO-2.html but it was not successful.
Can anybody help me, please?
Thanks
DASM
05-13-2010 01:29 AM
Re: To restrict the PATH on UNIX.
It turns out it is less than ideal. You can't use aliasing nor functions. Nor can you use the name "cd".
If you set up a bin directory that doesn't allow write access to it or the files under it, you can create a script there called mycd:
#!/usr/bin/sh
# Change to the given directory under $HOME, then start a new restricted shell there.
cd "$HOME/$1" || exit 1
exec /usr/bin/rsh
Then you can just use "mycd directory-path".
Unfortunately you will fork a new rsh each time you use this script:
yuk_rsh 10169 10166 -rsh
yuk_rsh 10185 10169 /usr/bin/rsh
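
The mycd script above hands its argument to cd after prefixing $HOME, so whether the user stays under $HOME still depends on the argument. An added example (not from the thread) of the "enough checking" mentioned earlier: it compares the physical directory reached after the cd with $HOME and refuses anything outside it, including paths through symbolic links. The function name cd_under_home is made up here, and the guard assumes the script is installed as mycd:

```sh
#!/usr/bin/sh
# Added example: mycd with a containment check (cd_under_home is a made-up name).

# cd_under_home HOME_DIR RELATIVE_PATH
# Changes into HOME_DIR/RELATIVE_PATH and returns 0 only if the directory
# reached is HOME_DIR itself or lies beneath it.
cd_under_home() {
    home_phys=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    cd "$1/$2" 2>/dev/null || return 1
    # Compare physical paths after the cd, so ".." components and symbolic
    # links are judged by where they actually lead.
    case "$(pwd -P)/" in
        "$home_phys"/*) return 0 ;;
    esac
    # Outside HOME_DIR: go back and report failure.
    cd "$home_phys" || return 2
    return 1
}

# Run the wrapper only when installed and invoked as "mycd" (assumed name).
if [ "${0##*/}" = mycd ]; then
    cd_under_home "$HOME" "$1" || {
        echo "mycd: $1: not a directory under $HOME" >&2
        exit 1
    }
    exec /usr/bin/rsh
fi
```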