HPE Community
Operating System - HP-UX
1819814 Members
2678 Online
109607 Solutions
New Discussion юеВ

Re: User only can read syslog.log file

 
SOLVED
Go to solution
Edgar Brito
Advisor

тАО12-04-2008 03:23 PM

тАО12-04-2008 03:23 PM

User only can read syslog.log file

I need that a user only can read syslog.log file. User must not read or write any other file only syslog.log
0 Kudos
Reply
6 REPLIES 6
Mark McDonald_2
Trusted Contributor

тАО12-04-2008 03:34 PM

тАО12-04-2008 03:34 PM

Re: User only can read syslog.log file

Edgar

Have a read around RBAC and Access Control Lists.

Mark
0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

тАО12-04-2008 05:24 PM

тАО12-04-2008 05:24 PM

Re: User only can read syslog.log file

The user will be able to read zillions of files with the READ OTHER permission, if he has a shell. If you don't want him to read those, you'll have use a special menu that only displays syslog.log.
0 Kudos
Reply
George Spencer_4
Frequent Advisor

тАО12-04-2008 07:49 PM

тАО12-04-2008 07:49 PM

Solution

Re: User only can read syslog.log file

Modify the user's .profile so that, when he logs on, he can view /var/adm/syslog/syslog.log (or whatever you use) and after this place an exit.

The use can use the login to view the syslog, but the minute he finishes viewing, he is logged out. As log as the syslog does not give users write permission, then they cannot modify. Make sure that the user login you do this for has no permissions to do anything, as a user can escape from a view to a command prompt. You could block this.
Reply
Kenan Erdey
Honored Contributor

тАО12-04-2008 11:28 PM

тАО12-04-2008 11:28 PM

Re: User only can read syslog.log file

Hi,

if you want create a role which monitors logs, you can use tools like log readers or you consolide logs to logserver. so user can monitor in more human readable way.

if you want the user login and just read log create a travia shell like /usr/bin/read_log that contains with executable bit set,

vi /var/adm/syslog/syslog.log

create /etc/shells file that contains:

/sbin/sh
/usr/bin/sh
/usr/bin/rsh
/usr/bin/ksh
/usr/bin/rksh
/usr/bin/csh
/usr/bin/keysh
/usr/bin/read_log

change user shell in /etc/passwd file from /sbin/sh to /usr/bin/read_log

hope it helps.

Kenan.

Computers have lots of memory but no imagination
Reply
Edgar Brito
Advisor

тАО12-05-2008 10:40 AM

тАО12-05-2008 10:40 AM

Re: User only can read syslog.log file

Hello Spencer.
At the end of users's .profile I added vi /var/adm/syslog/syslog.log
exit

It works fine, user can read the file and when he gets the end of file the user is logged out. However if user do a CTRL - C user can go to promt and can go wherever he wants inside the system. How can I avoid user do this?

Thanks.
0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

тАО12-05-2008 07:56 PM

тАО12-05-2008 07:56 PM

Re: User only can read syslog.log file

>However if user do a CTRL - C user can go to promt and can go wherever he wants inside the system. How can I avoid user do this?

If you do what Kenan said, that can't happen. You can't type control-C or control-Z.

I suppose you could trap SIGINT.
Or you can simply disable control-C and control-Z:
stty intr ^- susp ^-
(Those are carets.)

Note: You may want to use view vs vi. And either will let the user edit another file and using :shell, he can get a shell.
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.