Restriction to User

gelbvonn · May 18, 2004, 12:53am

Dear all,
I am trying to create a new user account that can have the minimum access to the HP-Ux box, as in it only need to perform system info query like bdf and only able to read access system log files but not able to delete any file from any other directory beside it's own user directory "/users/misgrp/misopr"
I have created it thru SAM to get the following into /etc/passwd
Any expert here can advise me on any other restriction that I can add in inorder to retrict this user further. As I tried deleted a file with this user account, it's able to despite that the file is read-only mode.

"misopr:,..:2502:202:MIS operations,,,:/users/misgrp/misopr:/usr/bin/sh"

kduffin · May 18, 2004, 10:17pm

You could change the user's shell to a restricted ksh (rksh). Read the man page. It allows you to limit the user's PATH and what commands (or scripts) the user is allowed to execute.

You can also use extended ACL(s) to control file access, but not allow the user to own the files. Look at the man pages for setfacl.

Cheers,

Keith

zazzybob · May 21, 2004, 4:38pm

Depending on the level of security required (and your coding capability), you could write a menu driven shell script, or even a small C program, with only a small subset of functions defined (display log, show bdf output, etc, etc) and restrict the users abilities that way. Then, set the users shell to point to this file in /etc/passwd (first, add it into /etc/shells) e.g.

mruser:x:100:100:Mr User:/home/dir:/path/to/program

You must be careful that no backdoor exists with such a method, however (i,e, make sure that crashing the script with ^C doesn't drop the user into a shell, etc).

Just an idea,
Peace,
ZB

kduffin · May 21, 2004, 4:48pm

I like zazzybob's menu idea. I'd probably steer clear of scripts and use a curses/C program; easier to close off functionality you don't want to allow. It doesn't have to be too complex, just a wrapper.

Cheers,

Keith

zazzybob · May 21, 2004, 5:09pm

I found this
http://www.linux-magazine.com/Magazine/Downloads/40/Shell/
it is for a basic menu-driven shell for various multimedia purposes, but could *very* easily be adapted for other uses.

As Keith indicates, Curses could be used to improve the UI.

cheers
ZB

encrypted · September 10, 2004, 3:39pm

Hi All

I was reading this post and in particular jazzybob's comments about modifying the /etc/passwd in which the shell specified is replaced by the path of the program to be executed.
But I fail to find the /etc/shells file.

I have tried the steps mentioned by jazzybob but when the new user logs in it says "no shell"
I am trying to restrict a user to a only a shell script which he/she can execute.

Any Ideas on where am I going wrong??
I am on a Solaris Box.

Cheers!!