
help trusted shell /etc/tsh_profile


alexia32

Technical User
Jul 31, 2007
156
NZ
Hello

I have probably a stupid question, but hey, I don't have the answer so...
How do you configure trusted shell?

I am trying to create new users that will only be able to run specific commands such as ls, pwd, cp etc...
That's it

So I have created the user with shell=shell=/usr/bin/tsh

but then I don't really understand how to configure the file /etc/tsh_profile.
I am assuming it is in this file that we need to put the commands the user needs to run

I tried but it is not really working. I get this message:
/etc/tsh_profile[37]: /usr/bin/pwd: 0403-047 Command must be trusted to run in the trusted shell.
/etc/tsh_profile[38]: /usr/bin/termdef: 0403-047 Command must be trusted to run in the trusted shell.
/etc/tsh_profile[43]: /usr/bin/more: 0403-047 Command must be trusted to run in the trusted shell.
/etc/tsh_profile[44]: /usr/bin/ls: 0403-047 Command must be trusted to run in the trusted shell.
/etc/tsh_profile[45]: /usr/bin/ps: 0403-047 Command must be trusted to run in the trusted shell.
/etc/tsh_profile[46]: /usr/bin/du: 0403-047 Command must be trusted to run in the trusted shell.
/etc/tsh_profile[47]: /usr/bin/grep: 0403-047 Command must be trusted to run in the trusted shell.


So if you can help me please :)

Cheers
Al.

So if someone can help me
 
No question is a stupid question! We are here to learn from each other Al.

I've never configured tsh but I know that in tsh you have to write/create your own scripts for the users!

Can you show the content of /etc/tsh_profile?

Regards,
Khalid
 
Hi

thanks
Well here is the standard file not yet modified

cat /etc/tsh_profile
# @(#)51 1.7.1.5 src/bos/etc/tsh_profile/tsh_profile, cmdksh, bos530 8/9/94 12:04:51
# IBM_PROLOG_BEGIN_TAG
# This is an automatically generated prolog.
#
# bos530 src/bos/etc/tsh_profile/tsh_profile 1.7.1.5
#
# Licensed Materials - Property of IBM
#
# (C) COPYRIGHT International Business Machines Corp. 1989,1994
# All Rights Reserved
#
# US Government Users Restricted Rights - Use, duplication or
# disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
#
# IBM_PROLOG_END_TAG
#
# COMPONENT_NAME: (CMDKSH) Korn Shell
#
# ORIGINS: 27
#
# (C) COPYRIGHT International Business Machines Corp. 1989, 1994
# All Rights Reserved
# Licensed Materials - Property of IBM
#
# US Government Users Restricted Rights - Use, duplication or
# disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
#
###########################################################################
#
# Add any commands to be executed by all trusted shells after this line.
# Do not include commands which will alter environmental variables which
# the user may have modified already.
###########################################################################

# All commands after this line will be executed only by trusted login
# shells.
if [ X"$0" = "X-tsh" ]; then
    trap "" 1 2 3


    # Trusted shell profile. All variables set here may be overridden by
    # a user's personal .profile file in their $HOME directory. However,
    # all commands here will be executed at login regardless.

    readonly LOGNAME
    export LOGNAME

    # Set default umask
    umask 022

    # Automatic logout, include in export line if uncommented
    # TIMEOUT=120

    MAIL=/usr/spool/mail/$LOGNAME
    MAILMSG="[YOU HAVE NEW MAIL]"

    # if termdef command returns terminal type (i.e. a non NULL value),
    # set TERM to the returned value, else set TERM to default hft.
    TERM_DEFAULT=hft
    TERM=`termdef`
    TERM=${TERM:-$TERM_DEFAULT}

    if [ "$YESSTR" = "" ]; then
        YESSTR=y:yes:YES:Y; export YESSTR
    fi
    if [ "$NOSTR" = "" ]; then
        NOSTR=n:no:NO:N; export NOSTR
    fi

    # If LC_MESSAGES is set to "C@lft" and TERM is not set to "lft",
    # unset LC_MESSAGES.
    if [ "$LC_MESSAGES" = "C@lft" -a "$TERM" != "lft" ]
    then
        unset LC_MESSAGES
    fi

    PATH=/usr/bin:/etc:/usr/sbin:/usr/ucb:/usr/bin/X11:/sbin

    export PATH MAIL MAILMSG TERM

    # Restore signal handling
    trap 1 2 3
    # End of login shell only processing
fi


 
Hi

I found out how it works!!!!!!!!!!!!!!!!!!!!!!

OK, so I have to enable all commands authorised for the user by TCB attribute.

So I have written a script that makes those commands trusted with the command "chtcb on", run as root,

and then it works. I logged in as one of the users and here we go

tsh> ls
tsh> ps
PID TTY TIME CMD
217174 pts/0 0:00 ps
221370 pts/0 0:00 -ksh
421892 pts/0 0:00 -tsh
tsh>


Nothing to change on /etc/tsh_profile !

Thanks again

Cheers
Al
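
The fix described in the last post, written out as an added example (this is not the poster's own script): a root-run script that sets the TCB attribute with `chtcb on` for the commands named in the 0403-047 errors and reads it back with `chtcb query`. The function names, the `apply` argument and the pre-checks (absolute path, no symlink, not group- or world-writable) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): mark an allow-list of commands as
# trusted so tsh will run them. Run as root on AIX with the TCB enabled.

# Allow-list: the commands named in the 0403-047 errors in the thread.
TSH_ALLOW="/usr/bin/pwd /usr/bin/termdef /usr/bin/more /usr/bin/ls
/usr/bin/ps /usr/bin/du /usr/bin/grep"

# safe_to_trust FILE: succeed only for an absolute path to a regular,
# executable, non-symlink file that neither group nor others can write.
# These checks are an assumption of this example: a trusted command that a
# restricted user could overwrite would no longer restrict anything.
safe_to_trust() {
    case "$1" in /*) ;; *) return 1 ;; esac
    [ -f "$1" ] && [ -x "$1" ] && [ ! -L "$1" ] || return 1
    mode=$(ls -ld "$1" | awk '{print $1}')    # e.g. -r-xr-xr-x
    case "$mode" in
        ?????w*|????????w*) return 1 ;;       # group- or world-writable
    esac
    return 0
}

# trust_commands FILE...: set the TCB attribute on each file that passes the
# checks, then query it back. Returns non-zero if any file was skipped or
# if chtcb failed.
trust_commands() {
    rc=0
    for f in "$@"; do
        if safe_to_trust "$f"; then
            chtcb on "$f" && chtcb query "$f" || rc=1
        else
            echo "skipped, failed path/permission check: $f" >&2
            rc=1
        fi
    done
    return $rc
}

# Apply the allow-list only when invoked as: sh trust_tsh.sh apply
if [ "${1:-}" = "apply" ]; then
    trust_commands $TSH_ALLOW
fi
```

Every file flagged this way becomes runnable from tsh for all tsh users, so the allow-list is worth keeping as short as the users' tasks permit.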
 