Re: user administration
02-06-2001 12:46 AM
I have to define users that can only work in their home directory. They cannot change directory (e.g. giving "cd /" or "cd ..")
What's the best way to do that? (using a special shell?)
Thanks all
Roberto
02-06-2001 01:11 AM
Re: user administration
Try the chroot command, but first see man chroot!
You need to copy some files under the new /
Regards, Saa
02-06-2001 01:36 AM
Solutionsystem?
Here are two possibilities:
1. If the user's shell is rksh, he is restricted to executing only
from the specified PATH, and is not allowed to change PATH. You
can create a subdirectory for PATH containing only the allowed
programs. Also, his working directory is limited to his home
directory, and he is not allowed to change directory with cd.
See man 1M rksh.
2. You can write a custom script or program and run it from
profile, limiting the user to whatever you like.
02-07-2001 12:48 AM
Re: user administration
Just a note on rksh.
It is not 100% safe if your application can change directory and run a shell.
Try this :
- Log a user with the shell rksh
- run vi
- :cd /tmp (change directory)
- :sh (open a shell)
- It is as if you have a normal shell in that directory.
Bye
Gerard
02-08-2001 01:00 AM
Re: user administration
I am just thinking of another possibility: ACL (Access Control List)
This is an extension of unix file permissions.
ACL permits you to put any permissions for any user on any file.
You just have to disallow permission to access directory to the
users to be restricted.
The problem is not to forget to disallow permission to new data
disks you add to your system (Physically or by NFS)
Bye
Gerard
02-08-2001 01:07 AM
Re: user administration
Other than that, only HFS file systems will support ACL.
02-08-2001 02:34 AM
Re: user administration
You can also try replacing the existing shell in /etc/passwd eg. replace /usr/bin/ksh with /usr/bin/newksh.
==
/usr/bin/newksh
#!/sbin/sh
trap "" 1 2 3
if ! echo $* |grep -e "cd .." -e "cd / " >/dev/null 2>/dev/null
then
/usr/bin/ksh $*
trap 1 2 3
==
Note that you will need to extend the script to take care of wildcard characters.
Hope this helps.
Steven Sim Kok Leong
Brainbench MVP for Unix Admin
http://www.brainbench.com
02-08-2001 02:36 AM
Re: user administration
/usr/bin/newksh is the script name, not part of the script. Typo.
/usr/bin/newksh:
==
#!/sbin/sh
trap "" 1 2 3
if ! echo $* |grep -e "cd .." -e "cd / " >/dev/null 2>/dev/null
then
/usr/bin/ksh $*
trap 1 2 3
==
Hope this helps. Regards.
Steven Sim Kok Leong
Brainbench MVP for Unix Admin
http://www.brainbench.com
02-08-2001 03:44 AM
Re: user administration
syntax error at line 4
in the script...
maybe the word "then"...
??
02-08-2001 03:45 AM
Re: user administration
adding fi is working...
regards
Roberto
02-08-2001 05:35 AM
Re: user administration
Forgot about the looping part. In order to emulate a shell interpreter more correctly, a loop is needed. Note however that limitations exist with the emulated shell.
Have not tested this script out. Some refinement will definitely be needed.
==
#!/sbin/sh
trap "" 1 2 3
echo -e "`pwd`> \c"
read command
while [ "$command" != "exit" ]
do
if ! echo $command |grep -e 'cd ..' -e 'cd / ' >/dev/null 2>/dev/null
then
/usr/bin/ksh $command
fi
echo -e "`pwd`> \c"
read command
done
trap 1 2 3
==
Steven Sim Kok Leong
Brainbench MVP for Unix Admin
http://www.brainbench.com
02-08-2001 06:07 AM
Re: user administration
the new shell does not work correctly...
maybe rksh is more useful..
Regards
Roberto
02-08-2001 06:21 PM
Re: user administration
Finally got some time to test out my script and refine it properly. This is a working and tested script. Both the script and test results are inserted below.
A) The script /usr/bin/newksh itself:
===========================================
#!/sbin/sh
# Ignore HUP, INT and QUIT so the user cannot interrupt the loop.
trap "" 1 2 3
echo "`pwd` > \c"
read command
while [ "$command" != "exit" ]
do
  if echo $command|grep ';' >/dev/null 2>/dev/null
  then
    echo You are not allowed to run compound statements.
  elif [ "`echo $command|cut -d' ' -f1`" != "cd" ]
  then
    # Not a cd: refuse known shell names, run everything else through ksh.
    case $command in
      sh|csh|ksh|./sh|./csh|./ksh|/sbin/sh|/bin/sh|/bin/csh|/bin/ksh|/usr/bin/sh|/usr/bin/csh|/usr/bin/ksh) echo You are not allowed to run a new shell in restricted mode.;;
      *) ksh -c "$command";;
    esac
  else
    # cd: with no argument, cut returns the whole line, i.e. "cd".
    dir=`echo $command|cut -d' ' -f2`
    case $dir in
      '..'|'/') echo You are not allowed to cd to $dir.;;
      'cd') cd $HOME;;
      *) cd $dir;;
    esac
  fi
  echo "`pwd` > \c"
  read command
done
# Restore default signal handling.
trap 1 2 3
===========================================
B) Following is how you should vipw your /etc/passwd:
==========================================
# grep abc /etc/passwd
abc:*:102:20::/home/abc:/usr/bin/newksh
===========================================
C) Test results using the abc account:
===========================================
# su - abc
/home/abc > pwd
/home/abc
/home/abc > ls
a b
/home/abc >
/home/abc > cd b
/home/abc/b > ls -la
total 0
drwxr-xr-x 2 abc users 96 Feb 9 09:58 .
drwxr-xr-x 3 abc sys 96 Feb 9 09:59 ..
/home/abc/b > touch c
/home/abc/b > ls -la
total 0
drwxr-xr-x 2 abc users 96 Feb 9 10:13 .
drwxr-xr-x 3 abc sys 96 Feb 9 09:59 ..
-rw-r--r-- 1 abc users 0 Feb 9 10:13 c
/home/abc/b > rm c
/home/abc/b > ls -la
total 0
drwxr-xr-x 2 abc users 96 Feb 9 10:13 .
drwxr-xr-x 3 abc sys 96 Feb 9 09:59 ..
/home/abc/b > cd /
You are not allowed to cd to /.
/home/abc/b > cd ..
You are not allowed to cd to ...
/home/abc/b > /usr/bin/ksh
You are not allowed to run a new shell in restricted mode.
/home/abc/b > ls; /usr/bin/ksh
You are not allowed to run compound statements.
/home/abc/b > cd /usr/bin
/usr/bin > ksh
You are not allowed to run a new shell in restricted mode.
/usr/bin > ./ksh
You are not allowed to run a new shell in restricted mode.
/usr/bin > exit
logout
===========================================
Hope this helps. Regards.
Steven Sim Kok Leong
Brainbench MVP for Unix Admin
http://www.brainbench.com
02-09-2001 11:16 AM
Re: user administration
/usr/bin/sh
and make it executable...
Guess what??
02-10-2001 02:42 AM
Re: user administration
I don't understand the need of re-inventing the wheel as the "restricted shells" are the tools you're looking for (rsh, rksh).
You can further restrict your users' ability to start applications with a pre-defined PATH that they won't be allowed to change.
Depending on what kind of applications those users should run, you could create a restricted bin directory with a copy of all those 'safe' applications.
Cheers,
Dan
02-10-2001 09:47 AM
Re: user administration
Yeap, a script with a shell interpreter embedded as one of its commands will allow the restrictions to be bypassed. Thanks for pointing this out. The emulated shell is not perfect yet. A further control can be inserted to check for the existence of the shell interpreter in any script before executing it in an emulated shell.
I agree with Dan that we should stick with rsh and rksh if we do not want the user to access any files beyond his own home directory. A "cd /" will be blocked by rsh or rksh.
However, both rksh and rsh do not disallow the execution of "cd .." from a subdirectory in a user's home directory. I was taking the original query apart whereby the user has to be blocked from running "cd ..".
To block "cd ..", I wrote this script, out of pure fun. I believe I am trying to re-invent a big part of the wheel in order to take care of the small part ie. "cd ..". But it was nevertheless interesting to try emulating a shell via a script and identify the controls necessary and the loopholes to consider. :)
Thanks. Regards.
Steven Sim Kok Leong
Brainbench MVP for Unix Admin
http://www.brainbench.com
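
The control proposed in the last reply (check a script for a shell interpreter before it runs) and the restricted bin directory suggested earlier in the thread can be combined into an audit of that directory before an rksh user's PATH points at it. This is an added example, not code from any poster; the function names, reason labels and sample files are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not code from the thread.
# audit_rbin DIR prints "FLAG <reason> <name>" for every entry that needs
# review and returns 1 if anything was flagged, 0 otherwise.
SHELLS='(sh|csh|ksh)'   # the unrestricted shells named in the thread

audit_rbin() {
    dir=$1
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        reason=
        case $name in
            sh|csh|ksh) reason=shell ;;         # a full shell under its own name
            vi)         reason=shell-escape ;;  # ":cd" then ":sh", as noted above
        esac
        if [ -n "$reason" ]; then
            :
        elif head -n 1 "$f" |
             grep -Eq "^#![[:space:]]*(/[^[:space:]]*/)?$SHELLS([[:space:]]|\$)"; then
            reason=shell-script     # runs under that shell, not under rksh
        elif grep -Eq "(^|[;&|[:space:]])(/[^[:space:]]*/)?$SHELLS([;&|[:space:]]|\$)" "$f"; then
            reason=embedded-shell   # starts a shell as one of its commands
        fi
        if [ -n "$reason" ]; then
            echo "FLAG $reason $name"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample directory (hypothetical file names and contents).
make_sample() {
    printf '\177ELF\001\002' > "$1/ls"
    printf 'stub\n' > "$1/vi"
    printf 'stub\n' > "$1/ksh"
    printf '#!/usr/bin/awk -f\nBEGIN { print "ok" }\n' > "$1/report"
    printf '#!/sbin/sh\necho hello\n' > "$1/menu"
    printf '/usr/bin/sh\n' > "$1/runsh"
}
```

The body match is a heuristic: it also flags a script that merely mentions a path ending in sh, so treat each FLAG line as an entry to review, not as proof of a bypass.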