Help with user setup

Status
Not open for further replies.

Guest_imported

New member
Jan 1, 1970
0
Hi
How can I set up a user who will not be able to delete or modify any files or folders?

Thank you in advance.
 
I think you should not let that guy on your machine. There is something called a restricted shell but I don't have the info on it at hand. I'll look around and come back if I find something.

IBM Certified -- AIX 4.3 Obfuscation
 
Hi

I am trying to set up a user to just be able to restart print Qs, I do not want them to be able to move or delete any files. I assigned the user to printq group only but I don't know how to restrict this user to not be able to delete any files.

Thanks
 
I found it. Replace the user's shell with "ksh -r" to run a restricted shell. The restrictions are as follows:

`cd` command does not work
Redirection (>,>>,>|,<>) does not work
Cannot change value of $SHELL, $ENV or $PATH
Cannot specify filenames with / in them, essentially keeping the user in the current directory

The user's .profile would then dictate her environment and it would be up to you to put the appropriate commands in the home dir, and make sure she cannot edit it. You might want to code up a menu with command options so exiting it will leave the shell.

IBM Certified -- AIX 4.3 Obfuscation
 
my two cents...why not put a job in cron to scan if the printqs are down or up
and then restart them if they are down?

Easier than trying to let a person not delete files....there is restricted shell which only lets you run commands in their directory and stay in their directory...

But as I said a script in cron to every 15 minutes enable down print queues is usually easier?
Got this from somewhere....sorry for no kudos for the author.... No guarantee...
TEST, TEST, TEST,

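#!/bin/ksh
#
# Re-enable every print queue that lpstat reports as DOWN and mail root a report.
# The work file has a fixed name in /tmp; when this runs from root's cron,
# a directory only root can write to is a safer place for it.
#
THISHOST=`uname -n`
# Write with > rather than >> so queue names left behind by an interrupted
# run are not enabled again.
lpstat | grep DOWN | awk '{print $1}' > /tmp/lpstatdown.log
if test -s /tmp/lpstatdown.log
then
    for i in `cat /tmp/lpstatdown.log`
    do
        enable "$i"
    done
    echo "The date/time is `date` " >> /tmp/lpstatdown.log
    echo "\nThese queues were DOWN and have been enabled." >> /tmp/lpstatdown.log
    mail -s "$THISHOST Printer Status" root@localhost < /tmp/lpstatdown.log
    sleep 5
    rm -f /tmp/lpstatdown.log
fi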
 
We implemented a menu system with Lynx for that sort of stuff here. Between Lynx and sudo, several of our operators can do various root tasks (pre-scripted of course) without having access to *anything* else. I had to custom compile it since the Bull version doesn't have any local execution facilities, but I implemented it as a login shell, so closing it logs them out, and using the "drop to shell" keystroke just gives them another Lynx screen.
 
I'm all for aixqueen's method, and if something serious happens, go find someone with root. I prefer to keep operators off the machine completely, since physical security is the most effective. But when you can't do that, Chapter11 is right on.

One more bit I read about, you can make a user which, when entered at the login screen, runs a single command and exits. Not useful in this situation but perhaps someone else could use it.

IBM Certified -- AIX 4.3 Obfuscation
 
Just add a user called menu.

Create a simple menu:

vi menu.sh

#Start

# Loop until the user picks 99; every other path returns to the menu.
while true
do

    clear
    echo "\n\n\n\t\t Menu"
    echo "\n 1) Start Queue"
    echo "\n99) Exit"
    echo "Make Selection ..\b\b\c"; read ans

    # Only the listed choices run anything; all other input hits the default branch.
    case $ans in

        1) ./start_que.sh ;;
        99) exit ;;
        *) clear
           echo "\n\n\nOpps......"
           sleep 5 ;;
    esac
done

#End

Now edit the .profile and include the following lines:

./menu.sh
exit

You may need to chmod 700 the menu.sh

Now when the user logs in, they will be presented with the menu, as soon as they enter 99, the session will be killed.

You can also enter traps to stop people using Ctrl-C, etc.

Regards

--
| Mike Nixon
| Unix Admin
| ----------------------------
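
The menu approach from the post above, with the traps it mentions, as an added example that is not part of any post in this thread: a POSIX sh version (it also runs under ksh) that ignores the keyboard signals, accepts only exact menu choices and calls the queue script by absolute path. The path /usr/local/bin/start_que.sh and the function names are assumptions.

```shell
#!/bin/sh
# Added example: hardened login menu (POSIX sh; also runs under ksh).
# QUEUE_CMD is a hypothetical absolute path, not one given in the thread.
QUEUE_CMD=/usr/local/bin/start_que.sh

# Map raw input to an action name. Only exact matches are accepted, so
# input such as "1;sh" or " 1" is rejected and never evaluated.
choice_to_action() {
    case "$1" in
        1)  echo start_queue ;;
        99) echo quit ;;
        *)  echo invalid ;;
    esac
}

# Run one action. Returns 0 to keep looping, 1 to leave the menu.
run_action() {
    case "$1" in
        start_queue) "$QUEUE_CMD" || echo "start failed (rc=$?)" ;;
        quit)        return 1 ;;
        *)           echo "Unknown selection" ;;
    esac
    return 0
}

menu_loop() {
    # Fixed PATH: nothing is resolved from the user's current directory.
    PATH=/usr/bin:/bin; export PATH
    # Ignore INT, QUIT and TSTP so Ctrl-C, Ctrl-\ and Ctrl-Z cannot
    # interrupt the menu and leave the user at a shell prompt.
    trap '' INT QUIT TSTP
    while :; do
        printf '\n\t\tMenu\n\n 1) Start Queue\n99) Exit\nMake Selection: '
        # EOF (Ctrl-D or a dropped line) ends the session.
        IFS= read -r ans || return 0
        run_action "$(choice_to_action "$ans")" || return 0
    done
}

# Start the loop only when this file is executed under the name menu.sh,
# so the functions above can also be sourced and checked on their own.
case "${0##*/}" in
    menu.sh) menu_loop ;;
esac
```

Starting it from .profile with the same trap line followed by exec of the script's full path leaves no parent shell behind when the menu ends; ignored signals stay ignored across exec, so there is no gap before the menu's own trap runs.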
 