restricting Access

Status
Not open for further replies.

unixkid

IS-IT--Management
May 22, 2001
105
US
Does anyone know of a way to restrict access? Rsh (restricted shell) won't work. I need the user to be isolated to a dir, but they need access to the "cd" command to navigate in the isolated dir. I don't want them to go anywhere else on the server... I just downloaded sudo but haven't used it before.
 
You could edit their .profile, make their $PATH only their home directory and the restricted directory, and chown it for root:bin. Copy "cat", "ls", and any other commands they may need that don't allow them to leave their directory into their home directory. Then in .profile alias "cd" like this: "alias cd=/dev/null", so they can't use the cd command;
alias /usr/bin, /usr/sbin, /bin, /sbin, / to /dev/null also. Then make a new alias for cd like "alias Cd='cd /restricted/dir/'". Make sure to lock down .profile, .login, .cshrc, .bashrc (whatever they can create aliases in or modify for unseemly purposes in their homedir): chown them for root:bin and chmod them 700. That should work. Test it before using it on a real person though.
d3funct
zimmer.jon@cfwy.com
The software required `Windows 95 or better', so I installed Linux.

 
So you're saying change the user's home dir in /etc/passwd to /opt/apps and then lock down the .profile there?

Do you mean to physically copy the "cat, vi, cd, mv, cp" commands to their new home dir?
 
Yes, physically copy cat, vi, mv, cp, but not cd. With cd just make an alias for it in .profile; the real cd should read alias cd='/dev/null' and the cd command in the home directory should be aliased alias rcd (or whatever you name it)='/usr/bin/cd /restricted/directory/'. That should work.
d3funct
zimmer.jon@cfwy.com
The software required `Windows 95 or better', so I installed Linux.

 
This is my new .profile (but there is something wrong):
PATH=/u02/app/EMSEUWEB/TradeSphere72/web/gp/html
export PATH
/u02/app/EMSEUWEB/TradeSphere72/web/gp/html/alias cp='/dev/null'
/u02/app/EMSEUWEB/TradeSphere72/web/gp/html/alias cd='/dev/null'
/u02/app/EMSEUWEB/TradeSphere72/web/gp/html/alias ls='/dev/null'
/u02/app/EMSEUWEB/TradeSphere72/web/gp/html/alias CD='/u02/app/EMSEUWEB/TradeSphere72/web/gp/html/cd'
/u02/app/EMSEUWEB/TradeSphere72/web/gp/html/alias VI='/u02/app/EMSEUWEB/TradeSphere72/web/gp/html/vi'


Problems... when the user logs in they get:

/u02/app/EMSEUWEB/TradeSphere72/web/gp/html/alias[7]: basename: not found
/u02/app/EMSEUWEB/TradeSphere72/web/gp/html/alias[8]: cp=/dev/null: not found
/u02/app/EMSEUWEB/TradeSphere72/web/gp/html/alias[7]: basename: not found
/u02/app/EMSEUWEB/TradeSphere72/web/gp/html/alias[8]: cd=/dev/null: not found
 
Have another look at your script /u02/app/EMSEUWEB/TradeSphere72/web/gp/html/alias as the problems seem to be there. Mike
michael.j.lacey@ntlworld.com
Email welcome if you're in a hurry or something -- but post in tek-tips as well please, and I will post my reply here as well.
 
I guess I'm not seeing where the problem is...
 
Hi,

I would suggest using a "chroot"-ed environment instead, see
Code:
man chroot
or search on that topic.

ciao,
mbr
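
A sketch of the chroot approach suggested in the last reply, as an added example that is not part of the original thread: it fills a jail directory with the chosen commands and the shared libraries they load, and refuses names such as cd that are shell builtins rather than files. The function names, the /srv/jail path and the command list are assumptions.

```shell
#!/bin/sh
# Added example: populate a directory so it can be used as a chroot jail.
# The function names, jail path and command list are assumptions.

# copy_into JAIL FILE: copy FILE to the same absolute path under JAIL.
copy_into() {
    dest="$1$(dirname "$2")"
    mkdir -p "$dest" && cp -L "$2" "$dest/"
}

# build_jail JAIL CMD...: copy each command and the shared libraries it needs.
build_jail() {
    jail=$1; shift
    mkdir -p "$jail" || return 1
    for cmd in "$@"; do
        bin=$(command -v "$cmd") || { echo "not found: $cmd" >&2; return 1; }
        # Builtins such as cd resolve to a bare name, not a path: the jailed
        # shell provides them itself, so there is no file to copy.
        case $bin in
            /*) ;;
            *) echo "$cmd does not resolve to a file (builtin or alias)" >&2
               return 1 ;;
        esac
        copy_into "$jail" "$bin" || return 1
        # ldd lists absolute library paths (run it on trusted binaries only);
        # a static binary yields none and the loop body is skipped.
        for lib in $(ldd "$bin" 2>/dev/null | grep -o '/[^ ]*'); do
            copy_into "$jail" "$lib" || return 1
        done
    done
}

# Usage as root, with a constructed path:
#   build_jail /srv/jail sh ls cat vi
#   chown -R root:root /srv/jail && chmod -R go-w /srv/jail
#   chroot /srv/jail "$(command -v sh)"
if [ "$#" -ge 2 ]; then build_jail "$@"; fi
```

Inside the jail the user can cd freely, but / is the jail directory, so nothing outside it is reachable by path; the jailed account must not be root, since root can leave a chroot.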
 