restricted shell or restricted access


Post by Jon Mitche » Tue, 19 Mar 1996 04:00:00




>Hi
>Does anyone know how could I restrict certain user to go out of his home
>directory and how to restrict him of executing some commands. This user
>is normal user with normal group but I would like to restrict some of
>actions he can do.
>Thanx

I think rsh has these features.

Jon Mitchell          \ [Fun-Boy] Sleep is for weaklings!

CCSO Site Consultant  \ These views have _nothing_ to do with CCSO.

 
 
 


Post by Primoz Jeronci » Tue, 19 Mar 1996 04:00:00


Hi
Does anyone know how could I restrict certain user to go out of his home
directory and how to restrict him of executing some commands. This user
is normal user with normal group but I would like to restrict some of
actions he can do.
Thanx
--
Primoz Jeroncic



FOV::UFOPRA155A                 (DECNET)
http://rip1.fovref.uni-mb.si/~ogabe
http://rip1.fovref.uni-mb.si/mad_graphics

 
 
 


Post by ICNS-Helpde » Wed, 20 Mar 1996 04:00:00


>>Does anyone know how could I restrict certain user to go out of his home
>>directory and how to restrict him of executing some commands. This user
>>is normal user with normal group but I would like to restrict some of
>>actions he can do.
>>Thanx

>I think rsh has these features.

1. We give them /usr/lib/rsh as login shell (in the passwd-file).
2. In their home-dir we create a dir called rbin, to put the
binaries in they are allowed to execute (binaries without
the possibility to escape to a shell!).
3. In their home-dir we create a .profile that sets a path
to their /rbin, and cd to that directory.

Try it, and let me know . . . .

Bye

________________________________________________
 ICNS Informatie & Communicatie Netwerk Services
 Postbus 85, 4100 AB  Culemborg

________________________________________________

 
 
 


Post by Jim Grov » Wed, 20 Mar 1996 04:00:00


: >>Does anyone know how could I restrict certain user to go out of his home
: >>directory and how to restrict him of executing some commands. This user
: >>is normal user with normal group but I would like to restrict some of
: >>actions he can do.
: >>Thanx
: >
: >I think rsh has these features.

: 1. We give them /usr/lib/rsh as loginshell (in the passwd-file).
: 2. In their home-dir we create a dir called rbin, to put the
: binaries in they are allowed to execute (binaries without
: the possibility to escape to a shell!).
: 3. In their home-dir we create a .profile that sets a path
: to their /rbin, and cd to that directory.

Is it at all possible to execute a command that redirects output?  We have
some commands that we would like to place into the 'rbin' directory, but to
function they require redirection.  rsh prohibits this (for good reason),
but is there any way to work around this?

: Try it, and let me know . . . .

: Bye

: ________________________________________________
:  ICNS Informatie & Communicatie Netwerk Services
:  Postbus 85, 4100 AB  Culemborg

: ________________________________________________

 
 
 


Post by Mark » Thu, 21 Mar 1996 04:00:00



: Hi
: Does anyone know how could I restrict certain user to go out of his home
: directory and how to restrict him of executing some commands. This user
: is normal user with normal group but I would like to restrict some of
: actions he can do.

Bash and Bourne shell, I think, can restrict access.  I know bash will act
as restricted shell when invoked with the "-r" option.  Be very careful when
implementing restricted shells, however.  Users should not be able to
execute any programs that allow for a shell escape.  There is no such thing
as an absolutely secure restricted shell.  There will almost always be a way
for a user to break out of it.

--Mark

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

http://www.veryComputer.com/~markm/ | bd24d08e3cbb53472054fa56002258d5
"The concept of normalcy is just a * of the majority" -me


 
 
 


Post by Andrew Mye » Thu, 21 Mar 1996 04:00:00


Hi

   We have the same scenario here.. I created a restricted shell using
   rsh which works great.. the restricted shell user must only have
   access to two programs.. the first is Mail to read the mail files
   and the second is ls to see the files...

   Two things occur with this scenario

   1) If you run "ls /etc/hosts" it will do this.. even though
      /var/mail is the restricted directory...


      succeeds.. this second one could probably be overcome with a
      restricted Mail program..if such a one exists. for reading only
      and not sending...

Cheers
Andrew

--
________________________________________________________________________

                                      [Sys Admin - Wits Medical Library]

  WWW : http://www.pipex-sa.net/~andrew          TEL : +2711 609 - 3697
       SMAIL : P.O.Box 8029, Edenglen, 1613, Gauteng, South Africa

_______________________________________________________________________
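
An added example, not part of any post in this thread: a sandbox that reproduces the rbin setup described above, with `bash -r` standing in for /usr/lib/rsh, and reports which command lines the restricted shell refuses and which it lets through. The account name guest, the temporary paths and the stand-in file for /etc/hosts are constructed for the demonstration, and bash is assumed to be installed.

```shell
#!/bin/sh
# Constructed sandbox: a throwaway "home" with an rbin directory holding only ls.
# bash -r stands in for /usr/lib/rsh; "guest" and all paths here are hypothetical.
BASH_BIN=$(command -v bash)
SANDBOX=$(mktemp -d)
trap 'rm -rf "$SANDBOX"' EXIT
HOME_DIR="$SANDBOX/home/guest"
RBIN="$HOME_DIR/rbin"
OUTSIDE="$SANDBOX/outside/hosts"          # plays the role of /etc/hosts
mkdir -p "$RBIN" "$SANDBOX/outside"
echo "outside the home directory" > "$OUTSIDE"
ln -s "$(command -v ls)" "$RBIN/ls"       # the only binary the user may run

# Run one command line as the restricted login would: clean environment,
# PATH limited to rbin, working directory inside the home.
rsh_try() {
    ( cd "$HOME_DIR" &&
      env -i PATH="$RBIN" HOME="$HOME_DIR" "$BASH_BIN" -r -c "$1" ) >/dev/null 2>&1
}

# Print whether the restricted shell allowed or refused a command line.
show() {
    if rsh_try "$1"; then echo "allowed  $1"; else echo "refused  $1"; fi
}

show 'ls'                      # command found through PATH=rbin
show 'cd /'                    # changing directory
show '/bin/ls'                 # command name containing a slash
show 'PATH=/bin:/usr/bin'      # PATH is read-only in restricted mode
show 'ls > listing.txt'        # output redirection
show "ls $OUTSIDE"             # argument outside the home: not checked by the shell
```

The last line is allowed because a restricted shell checks command names, cd, PATH and redirection, not the arguments passed to the programs in rbin; file permissions or a chroot have to cover that.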

 
 
 


Post by brian mitche » Thu, 21 Mar 1996 04:00:00



>   1) If you run "ls /etc/hosts" it will do this.. even though
>      /var/mail is the restricted directory...


>      succeeds.. this second one could probably be overcome with a
>      restricted Mail program..if such a one exists. for reading only
>      and not sending...

The solution to both of these would be to operate in a chroot()ed
environment, so the user can't access the /etc directory (or any other
directory outside of the 'jail').

------------------------------------------------------------------------

PGP Public Key                  http://www.saturn.net/~brian/pubkey
------------------------------------------------------------------------

 
 
 


Post by koroste » Thu, 28 Mar 1996 04:00:00


Hi,

>>>Does anyone know how could I restrict certain user to go out of his home
>>>directory and how to restrict him of executing some commands.
>>I think rsh has these features.

Where can I find rsh in its sources? I'm running x86 Solaris 2.4.

Greetings,
Vitali

 
 
 


Post by Edsel Adap -- OPCOM Consultan » Sat, 30 Mar 1996 04:00:00



> Hi,
> >>>Does anyone know how could I restrict certain user to go out of his home
> >>>directory and how to restrict him of executing some commands.

> >>I think rsh has these features.

> Where can I find rsh in its sources? I'm running x86 Solaris 2.4.

> Greetings,
> Vitali

rsh comes with Solaris 2.4.  

man -s 1m rsh

Also check out /usr/lib/rsh.

Sorry, can't give you the sources.

--
Edsel Adap

Opinions expressed are my own and do not represent Sun Microsystems.

 
 
 

1. restricted shell/restricting login

A while ago I posted a question about how to restrict logins to our
ultrix systems.  Someone sent me a C or shell script which I'm
embarrassed to say I've misplaced.  I think it was called "syslogin".
Please re-send it to me, whoever you are (were).

Here's the problem I wish to solve:

What I want to do is split the modem pool into 2 numbers - one for
students and one for faculty/staff.  

I want the login procedure to check which terminal server a connection
is coming from.  The procedure should then check the account and see if that
account is entitled to connect from that terminal server...if so,
then continue normally, if not then print a message like "Please dial
the number xxx-xxxx".

We have DEC terminal servers (I don't wish to use lat groups) and
Ultrix 4.2a.

I'm certain I'm not re-inventing the wheel here.  Any comments, suggestions
and pointers are most welcome.

Thanks in advance...
-

Trent University Computing & Telecommunications  tel: (705)748-1540
Peterborough, Ontario, Canada, K9J 7B8           fax: (705)748-1246
