Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations derfloh on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Restricting certain commands. 1

Status
Not open for further replies.
jxfish2

jxfish2

Technical User
Jan 24, 2002
183
US
Is there a way to restrict a specific user from executing certain specific commands?

Rksh doesn't seem to be the answer, as these users do need to change directories, and they will need to run most unix commands un-restricted...

I just don't want these users to be able to execute a few very specific commands...

TIA

Jxfish2
 
Sort by date Sort by votes
Write fake command with the same name in a directory, say /u/mycmd, and modify these user's profile with something like this:
Code: 
PATH=/u/mycmd:$PATH
Or, if in ksh, play with the
Code: 
alias
builtin.
You may also consider
Code: 
sudo
.

Hope This Help, PH.
Want to get great answers to your Tek-Tips questions? Have a look at FAQ219-2884
 
Upvote 0 Downvote
But, what's to stop the user from changing their PATH statement from the command line?

All of my users are pretty computer savvy professionals...

I need something more bullet-proof...

Something that they can't modify from the command line...

Something like a restricted shell, or something like an ACL change, restricted specifically by UserID, and not UID...

I have some super-users that are effectively root, yet have their own "su -" accounts...

They login to these "su -" accounts via sudo... There is no direct login to these accounts...

I want to restrict them from issuing certain commands, without hindering their ability to do the real work they need to do...

Jxfish2
 
Upvote 0 Downvote
So you want to restrict rights of super-users ?
 
Upvote 0 Downvote
Yes...

I don't want users with a LoginID other than root to use the "su" command...

All users will access the servers via their plain userID, then using 'sudo', they can "su" to their super-user account...

Once there, I do not want them to be able to further "su" to any other accounts, nor do I want them to be able to telnet or rlogin to any of the other servers in our environment...

And, I don't want them to be able to modify / "vi" certain files, especially those files which set the rules to begin with...

So, what I need, is the ability to specifically deny certain commands or actions...

The list of what they need to do is too great to try specifically enabling those commands...

Is there a way to do this?

For example:

The command "whoami" returns their actual LoginID, while the command "id" returns their effective LoginID...

I need a way to restrict commands, by the actual LoginID, and not the effective LoginID...
 
Upvote 0 Downvote
Thanks, I just took a quick look at the link...

I'll research it a little more tomorrow...

Have a great day...

Jxfish2
 
Upvote 0 Downvote
Normally:

1. Make the restricted commands executable only by root, then make users use sudo to run the commands.

2. Make the restricted commands executable only by members of a certain group, and keep restricted users out of that group.


But what's the point if they can become superuser? The superuser can, by definition on most systems, do anything.


If you set up a jail, they can only deal with what's in the jail, not the rest of your system.
 
Upvote 0 Downvote
I need to find out more about "jail"...

I want to explicitly deny access to certain commands...

 
Upvote 0 Downvote
I want to explicitly deny access to certain commands
Backup them on a floppy and then remove them from the system.
Sorry for the bad joke :)

Hope This Help, PH.
Want to get great answers to your Tek-Tips questions? Have a look at FAQ219-2884
 
Upvote 0 Downvote
You can use ACLs to restrict access to commands if your Unix supports them.

Jean Pierre.
 
Upvote 0 Downvote
Jean-Pierre, how you restrict access to Super-Users ?
 
Upvote 0 Downvote
No way if a Super-User is a root user ...
If Super-User can restrict access to another Super-User, a Super-User can remove those restrictions.



Jean Pierre.
 
Upvote 0 Downvote
A super-user cannot be restricted. Any restriction that you try to impose on a super-user account can be undone.

You need to re-think what you want to achive. What you need to do is identify the commands for which these users require super-user privilege. Then you should be able to grant them access to just these commands with super-user privilege (by using the set-uid facility). However, you will need to be very carefull when doing this: Care should be taken that only the selected users can execute these privilege commands, and that the commands do not allow the users to obtain unrestricted super-user access (for example you would not use this method on a shell or any command that spawns a shell, like vi).
 
Upvote 0 Downvote
IBM produce a product call AMOS, access manager for operating systems, you can use this to restrict access to files, executables, directories etc...
There is a similar product that runs under Solaris called pitbull I believe and ...
There is a LINUX project known as LIDs that is also in the same area...
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

DJR999
  • Locked
  • Question
Evaluation syntax in Unix commands 1
Replies
3
Views
153
2rArne
2rArne
WMaples
  • Locked
  • Question
How to run scoadmin commands automatically
Replies
7
Views
218
WMaples
WMaples
tekpr00
  • Locked
  • Question
crontab not executing commands
Replies
3
Views
130
tekpr00
tekpr00
dksyte
  • Locked
  • Helpful tip
CRON/crontab commands - preview results 2
Replies
0
Views
68
dksyte
dksyte
tviman
  • Locked
  • Question
repeating commands from the command line
Replies
1
Views
36
KenCunningham
KenCunningham

Part and Inventory Search

Sponsor

Back
Top