HPE Community
Operating System - HP-UX
1851256 Members
2682 Online
104057 Solutions
New Discussion

Re: user capabilities (restricting commands)

 
Stephen Badgett
Regular Advisor

‎02-17-2004 05:34 AM

‎02-17-2004 05:34 AM

user capabilities (restricting commands)

I need to create a user that has a lot of restrictions. I want this user to not be able to do commands like "ls".

umask in the dot profile does seem to set the capabilities for this user to have have write permissions on files this user creates and I used SAM to create this user with the rsh as there shell but I do not the talent to go further.

help,
Steve
Not as is, is now
0 Kudos
Reply
8 REPLIES 8
Steven E. Protter
Exalted Contributor

‎02-17-2004 05:38 AM

‎02-17-2004 05:38 AM

Re: user capabilities (restricting commands)

ls is a pretty basic command but:

put the user in a special group.

whence ls

gives you the lcoation of ls

chmod o-x ls

No users outside the root group will not be able to use ls.

For a finer level of control you;ll need ACL

OR:

rsh shell

That user will only get the commands you give and can not cd up the directory tree. They are in a chroot jail

create a chroot user. Less restrictive shell but same basic concept, can't get out of choot jail, can only get commmands you give.

I'd copy the commands into /home/username/bin for example.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Sridhar Bhaskarla
Honored Contributor

‎02-17-2004 05:47 AM

‎02-17-2004 05:47 AM

Re: user capabilities (restricting commands)

Hi Steve,

You an use '/usr/bin/rsh' the restricted shell that can be customized to allow the user to do |not to do what you want.

Configure the user with the shell /usr/bin/rsh. Create a profile for this user with only the following statement.

PATH=/usr/restrict/bin

Change the ownership of the .profile to root:root with 400 permissions.

Now copy only the executables that you want the user to run in /usr/restrict/bin. For ex., if you want the user to run only ftp then 'cp /usr/bin/ftp /usr/restrict/bin/ftp'. With this configuration the user can only run ftp on the system.

Rest is upto your choice.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
0 Kudos
Reply
Stephen Badgett
Regular Advisor

‎02-17-2004 06:39 AM

‎02-17-2004 06:39 AM

Re: user capabilities (restricting commands)

thank you for your reply Sri

I gave the user 'usr/bin/rsh' and created the .profile with the PATH=/usr/restrict/bin and copied what I want this user to exec into a /usr/restrict/bin and login as that user fine. But, this users is still able to do commands like ls. I echo'd the PATH from the command line and the PATH was long like a regular user. I though by create a .profile with a PATH statement would replace the PATH with the new one.

Not as is, is now
0 Kudos
Reply
Stephen Badgett
Regular Advisor

‎02-17-2004 07:04 AM

‎02-17-2004 07:04 AM

Re: user capabilities (restricting commands)

Steven

I am also looking at you reply too.

Steve
Not as is, is now
0 Kudos
Reply
Stephen Badgett
Regular Advisor

‎02-17-2004 09:12 AM

‎02-17-2004 09:12 AM

Re: user capabilities (restricting commands)

I started over again and it seem that I got the PATH statement to show just the new PATH.

Thanks for you help
Steve
Not as is, is now
0 Kudos
Reply
Andrew Cowan
Honored Contributor

‎02-17-2004 07:35 PM

‎02-17-2004 07:35 PM

Re: user capabilities (restricting commands)

You could install and configure sudo, then put the user in its own group, and give it the fewest possible privileges (as outlined above).

Now you could setup very specific jobs in sudo, perhaps via a shell-script menu. Its not foolproof but will greatly restrict what this user can do, whilst providing an audit trail.
0 Kudos
Reply
Karthik S S
Honored Contributor

‎02-17-2004 07:42 PM

‎02-17-2004 07:42 PM

Re: user capabilities (restricting commands)

sudo can give you finer level of control for what you need.

www.courtesan.com/sudo

-Karthik S S
For a list of all the ways technology has failed to improve the quality of life, please press three. - Alice Kahn
0 Kudos
Reply
Stephen Badgett
Regular Advisor

‎02-18-2004 03:44 AM

‎02-18-2004 03:44 AM

Re: user capabilities (restricting commands)

thank you Andrew and Karthik,

Thank you both, I will also look into what sudo is and can do.

Steve
Not as is, is now
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.