Limiting a user to a script upon login, nothing else.

Linux and Unix-Like Emergency UNIX and Linux Support
1

Hi there,

I have a Debian 5.0 server that my company uses for deployment testing. This server needs to be accessed by NOC people that have no NIX knowledge whatsoever.

I am creating a bash script for a menu-based command interface for the commands they need to run on their testing routines, but I wanted to know how can I force a user, upon login, to access this script (when he logins, this script is run) and nothing else (when he is finished, i.e., choose "X" for exit), the system log out the user.

Need help from the wise man :slight_smile:

2

You can create a log in hook, that when that specific user logs in, say via ssh a script runs. Then you can post an interactive script that runs with that log in hook...

example:

#!/bin/bash

selection=
until [ "$selection" = "0" ]; do
    echo ""
    echo "Select an option please"
    echo "1 - Do something"
    echo "2 - Display something"
    echo "3 - third option"
    echo "4 - Print something"
    echo "5 - List some stuff"
    echo "6 - Display system information"
    echo "0 - exit and log out"
    echo " "
    echo -n "Enter selection: "
    read selection
    echo ""
    case $selection in
    1)  some command ;;
    2)  some command ;;
    3)  some command ;;
    4)  some command ;;
    5)  some command ;;
    6)  some command ;;
    0)  exit and log out ;;
*) echo "Please select a valid option"

done

That is just a quick and dirty example, and you would of course have to input the text and the related commands. I have used a similar script in the past to automate imaging PCs with Zen imaging from Novell. You can probably have init.d run this but I am a bit rusty on that.

3

Yep, I mean, I have my script done on bash for the commands, but what I need help is how I hook it to the user login, and make sure that when the script exits, the user gets logged out...

4

All of my *nix work in the past 5 years has been on the Apple platform so I am really loving launchd for this exact sort of thing, however, /etc/init.d should be able to do lots of similar things. So you would want to put your script in /etc/init.d/myscript but I am not quite sure how to make it user specific. In debain do they have any init.d run level stuff in a user's home folder?

The only other thing I can think of, is edit that user's bash profile (.profile, .bashrc, or whatever it is in Debian) to execute that script as part of the bash start up (or whatever shell you are using) that way when they ssh into the server it will auto execute at their user level.

5

Replace the shell in /etc/passwd with the name of the script.
Make sure that the script contains all the required path statements etc.

6

Depending on the system you may also need to add it to /etc/shells in order to allow it. But otherwise, this should work well for most UNIX systems -- the original script gets run directly, with no intermediate commands the user can interrupt, redirect, fold, spindle, or mutilate.

Note that it becomes your script's responsibility to set up its environment properly since there's no longer a login shell to do that for it -- it is the login shell :wink:

For further restriction yet your script could use a feature-restricted shell like /bin/rbash, which greatly reduces the shenanigans possible even if the user somehow manages to inject arbitrary input into your script. Or just make the user's login /bin/rbash and call your script from their bashrc files.

7

Okay, I'll try some of this tomorrow but it sounds like what I am looking for. I have already on my script the exit commands to logout, but should the user break the script I still want him to be logged out or to return to the script, meaning I do not want him getting to the shell prompt by no means.

8

If you set your script as their login shell, there's no time during which they can hit ctrl-c and crash the program down to a prompt since it was never run from a prompt in the first place. All they'd do is log themselves out. To get access to arbitrary commands they must run a new shell instance, exploit weaknesses in your input programming, modify your script, or modify their RC files.

9

And how can I set it to their login shell?? I mean, I can script but I understand little of the *NIX (Debian, for this matter) structure...

Appreciate you help!

10

here you go

Changing your login shell

Basically, set the shell to ~/myscript instead of /bin/bash or whatever shell you are using, or to the full path where the script lives.

I think the command to change the shell for a user is chsh

11

/etc/passwd is a text file that lists users and their login shells, among other things, one user per line.

12

thank you all, it did work great!!!

13

If you don't want to allow the user to get the prompt shell, you can put at the very beggining of the script the code listed below.

trap "exit"  2 3 17 9

When the user choose the "EXIT" option in your script, the shell will be closed and the user will be logged out.

I think the best option is the one that JGT USER gave you.

14

Sorry to be a bore, but never trap signal 9. Also avoid issuing "kill -9" unless you are absolutely desparate to shut a system down.

In a unix shell script this is sufficient to stop the user being left at a shell prompt:

trap 'exit' 1 2 3 15

To confine the user to a shell script the following line in their profile is what you need.

exec scriptnaname

With the proviso that the script contains the correct trap statement.

15

Hi,
Can someone tell me how to check how many times a unix server was stopped or started.

Thanks,

16

SCO systems have a file /usr/adm/messages, that contains information for every time the system has been booted, as long as it hasn't been truncated.

Are you asking in general terms, or do you have a specific OS in mind?

17

@reachdharem
Please start a new thread in a relevant forum. This thread is titled "Limiting a user to a script upon login, nothing else".

18

@methyl,

Sure. I will do that. I am new here. Trying to adjust. :slight_smile:

19

If you're worried about security then you'll need to be careful about what commands you use in your menu option.

If you're doing commands like:

echo "2 - Display something"

...
echo "5 - List some stuff"
echo "6 - Display system information"

You may be thinking to pipe multi-page output to less or more so the user can page through it.

A place I once worked had menu scripts that ran as root and paged files with less, which I found rather convenient when I needed a root shell on that box in an emergency... all I needed to do was go into the menu and choose the file viewer and type !<Enter> and I had a root shell!

If you read the less man page you will find:

When the environment variable LESSSECURE is set to 1, less runs in a "secure" mode. This means these features are disabled:
! the shell command
| the pipe command
:e the examine command.
v the editing command
s -o log files
-k use of lesskey files
-t use of tags files
metacharacters in filenames, such as *
filename completion (TAB, ^L)

That'll be something you'll want to export as a variable in the top of your script if you're going to use less.

When you try to lock something down your own way, using tools that weren't designed specifically for embedding in secure menus, you need to be smart enough to be able to second-guess everyone who will get access to the system, and shut off any loop-holes they could abuse before they find them.

20 
 
grep restart /var/adm/syslog