
user with a rsh shell

Meirone Luca
Occasional Advisor

Hi all,
If I change shell (using the command ksh), I lose all!
How can I deny the possibility to change shell?

Luca
Peter Kloetgen
Esteemed Contributor

Re: user with a rsh shell

Hi Luca,

The command to change shell is chsh, which is normally allowed for every user. You simply change the permissions on this command:

chmod 550 /usr/bin/chsh

Then you have to change permissions for all shells which users should not be able to start, for example:

chmod 550 /usr/bin/csh

Also you could do the following trick:

Put the following two lines into the .profile files of your users:

/usr/bin/ksh (if you want them to use ksh)
exit 1

Put these as the last two lines of the .profile file.

Always stay on the bright side of life!

Peter
I'm learning here as well as helping
Steven Sim Kok Leong
Honored Contributor

Re: user with a rsh shell

Hi,

rsh provides minimal security because you can launch any of the higher-privileged shells from rsh itself.

# rsh
rsh> sh

If you want to restrict a specific user, one way is to set an ACL on the shell binaries (use either setacl (JFS) or chacl (HFS)).

Hope this helps. Regards.

Thierry Poels_1
Honored Contributor

Re: user with a rsh shell

Hi,

The following is disabled by using a restricted shell:
- Changing directory (cd)
- Setting the value of SHELL, ENV, or PATH
- Specifying path or command names containing /
- Redirecting output (>, >|, <>, and >>)

A rather important setting is the user's PATH variable, which has to be limited too!! If the user is able to start another shell (ksh, sh, csh, ...), all restrictions are gone again!
When using the restricted shell it is preferred to have a special directory which contains all executables these users need, and to limit their PATH variable to this directory (and other required application directories).

regards,
Thierry.
All unix flavours are exactly the same . . . . . . . . . . for end users anyway.
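The dedicated command directory and locked-down PATH that Thierry describes (and the "another shell in reach defeats everything" point Steven and Thierry both make) can be set up and checked with a small POSIX sh script. This is an added example written for this page, not code from the thread or from HP-UX; the function names setup_rbin, write_profile and audit_rbin are hypothetical, and it assumes only a POSIX sh with command, ln and basename.

```shell
#!/bin/sh
# Added example, not from the thread: build a private command directory for a
# restricted-shell user, emit the PATH line for that user's .profile, and audit
# the directory so that no shell binary is reachable from it.
# Function names (setup_rbin, write_profile, audit_rbin) are hypothetical.

# setup_rbin DIR CMD... : create DIR and link each listed command into it.
# Each command is resolved from the current PATH with `command -v`, so the
# user gets exactly the named binaries and nothing else.
setup_rbin() {
    dir=$1; shift
    mkdir -p "$dir" || return 1
    for cmd in "$@"; do
        src=$(command -v "$cmd" 2>/dev/null) || {
            echo "no such command: $cmd" >&2
            return 1
        }
        ln -sf "$src" "$dir/$cmd" || return 1
    done
}

# write_profile DIR PROFILE : append the PATH restriction to a .profile.
# .profile runs before the restrictions take effect, and a restricted shell
# refuses to change PATH afterwards, so this is where the limit is locked in.
write_profile() {
    dir=$1; profile=$2
    printf 'PATH=%s\nexport PATH\n' "$dir" >> "$profile"
}

# audit_rbin DIR : return 1 if any entry in DIR is itself a shell, because a
# shell reachable through PATH removes every restriction. Returns 0 when clean.
audit_rbin() {
    dir=$1; bad=0
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        case $(basename "$f") in
            sh|ksh|rksh|csh|tcsh|bash|zsh|dash)
                echo "shell found in $dir: $f" >&2
                bad=1 ;;
        esac
    done
    return $bad
}

# Usage: build a directory with two harmless commands, write the PATH line
# into a constructed .profile, then audit the directory.
if [ "${RBIN_DEMO:-}" = 1 ]; then
    setup_rbin /tmp/rbin ls cat && write_profile /tmp/rbin /tmp/rbin.profile
    audit_rbin /tmp/rbin && echo "rbin is clean"
fi
```

The audit is the part worth keeping around: whenever a new command is added to the directory for the user, rerun it, since the list of forbidden names is a simple allowlist-style check rather than a substitute for reviewing what each linked binary can itself execute.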
Frank Slootweg
Honored Contributor

Re: user with a rsh shell

If I understand it correctly, you are asking how to make the 'restricted' shell rsh(1) *really* restricted, because if you give a user a /usr/bin/rsh, (s)he can very easily 'escape' from that shell, for example with chsh(1).

If so, then I am afraid that there is no 'cookbook' on how to *properly* setup rsh(1). The only documentation I know of is this part of the login(1) manual page:

> If the command name field is *, a chroot() to the directory named in
> the directory field of the entry is performed. At that point login is
> re-executed at the new level which must have its own root structure,
> including /bin/login and /etc/passwd.

See the ftpd(1M) manual page for some (more or less) general, i.e. *not* rsh(1)-specific, information on how to set up "the new level which must have its own root structure, including /bin/login and /etc/passwd."

See also the very old (1995) Usenet discussion http://groups.google.com/groups?selm=3tuasi$1608@venere.inet.it (press "View: Complete Thread").