The UNIX and Linux Forums  

#1  06-06-2006  xs2sandeep, Registered User (Join Date: Jun 2006, Posts: 1)
Creating subusers & assigning limited rights

Hi all,

I need to create 2 users, sde1 & sde2, with limited authority (read only). I know the root password. Please tell me the step-by-step procedure to create these subusers under root.

The commands which these subusers can run are:

1)#df -k
2)#ps -ef|grep syb
3)#ps -ef|grep omc
4)ps -eofname,pcpu,comm|sort -k 2n

-Sandy
#2  06-06-2006  grial, "UNIX is like a bull" (Join Date: Jun 2006, Location: Madrid (Spain), Posts: 531)
I think what you want is a procedure to configure a chroot jail for those users, don't you?... That's not a trivial procedure. There are lots of docs on that, just go to Google.
#3  06-06-2006  Corona688, Registered User (Join Date: Aug 2005, Location: Saskatchewan, Posts: 989)
Quote:
Originally Posted by xs2sandeep
Hi all,

I need to create 2 users, sde1 & sde2, with limited authority (read only).
For read, on what? On what system?
Quote:
I know the root password. Please tell me the step-by-step procedure to create these subusers under root.
Subuser? What's a subuser, a non-root user?
Quote:
The commands which these subusers can run are:

1)#df -k
2)#ps -ef|grep syb
3)#ps -ef|grep omc
4)ps -eofname,pcpu,comm|sort -k 2n

-Sandy
That's...pretty limited. UNIX doesn't support this sort of thing directly as in a "let user x access only these programs" list, though it's possible to create that environment.

If you have bash, you can put their login shell into restricted mode, which would prevent them from doing...nearly anything. A chroot jail would be a more ironclad solution, but the bash one is very simple...

The way I went about this was:
  • Create a directory, /opt/lubin, which contains symlinks to ONLY the commands you want. It should look like this:
    Code:
    mecgentoo ~ # ls -lh /opt/lubin
    total 0
    lrwxrwxrwx 1 root root 7 Jun  6 08:47 df -> /bin/df
    lrwxrwxrwx 1 root root 9 Jun  6 08:47 grep -> /bin/grep
    lrwxrwxrwx 1 root root 7 Jun  6 08:47 ps -> /bin/ps
    lrwxrwxrwx 1 root root 9 Jun  6 08:47 sort -> /bin/sort
  • Alter the profile for the limited user, so they login with bash in restricted mode, and can only execute things in /opt/lubin. /home/limiteduser/.bash_profile should look like this:
    Code:
    PATH=/opt/lubin
    exec /bin/bash --noprofile -r
  • Make sure they can't modify their profile:
    Code:
    mecgentoo ~ # chmod 444 /home/limiteduser/.bash_profile /home/limiteduser/.bashrc /home/limiteduser/.bash_logout
    mecgentoo ~ # chown root:root /home/limiteduser/.bash_profile /home/limiteduser/.bashrc /home/limiteduser/.bash_logout
    mecgentoo ~ # ls -l /home/limiteduser/.bash_profile
    -r--r--r-- 1 root root 242 Jun  6 08:47 /home/limiteduser/.bash_profile
    mecgentoo ~ # chown root:root /home/limiteduser
    mecgentoo ~ # chmod 555 /home/limiteduser
    mecgentoo ~ # ls -ld /home/limiteduser
    dr-xr-xr-x 2 root root 4096 Jun  6 08:47 /home/limiteduser
    mecgentoo ~ #
  • Make sure there's nothing in /home/limiteduser/.bashrc that you don't want executed
Now, when they login, they can only execute those programs in /opt/lubin:
Code:
mecgentoo ~ # su - limiteduser
limiteduser@mecgentoo ~ $ ls
bash: ls: command not found
limiteduser@mecgentoo ~ $ df -k
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/hda2             19236340   7741408  10517780  43% /
udev                    257720       416    257304   1% /dev
/dev/hda4            272267008 101397300 170869708  38% /opt
/usr/share/images/squid-cache.ext2
                       2064208     16700   2047508   1% /var/cache/squid
shm                     257720         0    257720   0% /dev/shm
limiteduser@mecgentoo ~ $ ps -ef|grep syb
1007     10474 10463  0 08:53 pts/0    00:00:00 grep syb
limiteduser@mecgentoo ~ $ ps -eofname,pcpu,comm|sort -k 2n
COMMAND  %CPU COMMAND
acpid     0.0 acpid
agetty    0.0 agetty
agetty    0.0 agetty
...
limiteduser@mecgentoo ~ $ exit
exit
mecgentoo ~ #
edit -- do NOT include bash in /opt/lubin, that's a security hole!

Last edited by Corona688; 06-06-2006 at 08:21 AM. Reason: continuing improvements
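The four steps above as one script, added here as an example and not Corona688's own code: it builds the allow-list directory and the locked-down profile under a prefix directory (use / for the real system) and re-audits them later, refusing to link any shell into /opt/lubin, which is the hole the edit at the end of the post warns about. Assumed, not from the post: allowed commands are passed as absolute paths and chown is only attempted when running as root.

```shell
#!/bin/sh
# Added example (not from the thread): the recipe above as a script, built under
# a prefix directory so it can be rehearsed as a normal user ("/" for real).
# Assumed, not from the post: allowed commands are passed as absolute paths and
# chown is only attempted when running as root.

# Shell names that must never appear in the allow-list: any of them would
# give the user an unrestricted shell despite bash -r.
is_shell_name() {
    case "$1" in sh|bash|rbash|dash|ksh|zsh|csh|tcsh|fish) return 0 ;; esac
    return 1
}

# build_rbash_env PREFIX USER CMD...  -> 0 ok, 1 filesystem error, 2 shell refused
build_rbash_env() {
    prefix=$1 user=$2; shift 2
    bindir="$prefix/opt/lubin" home="$prefix/home/$user"
    mkdir -p "$bindir" "$home" || return 1
    for cmd in "$@"; do
        name=${cmd##*/}
        if is_shell_name "$name"; then echo "refusing shell: $cmd" >&2; return 2; fi
        ln -sf "$cmd" "$bindir/$name" || return 1    # symlink only, as in the post
    done
    # Set PATH first, then re-exec bash restricted so the user cannot change it.
    printf 'PATH=%s\nexport PATH\nexec /bin/bash --noprofile -r\n' "$bindir" \
        > "$home/.bash_profile" || return 1
    : > "$home/.bashrc"; : > "$home/.bash_logout"    # empty: nothing to execute
    chmod 444 "$home/.bash_profile" "$home/.bashrc" "$home/.bash_logout" || return 1
    chmod 555 "$home" || return 1
    [ "$(id -u)" -eq 0 ] && chown -R root:root "$home" "$bindir"
    return 0
}

# audit_rbash_env PREFIX USER -> 0 while the environment still matches the recipe
audit_rbash_env() {
    bindir="$1/opt/lubin" home="$1/home/$2" rc=0
    for f in "$bindir"/*; do
        { [ -L "$f" ] && [ -e "$f" ]; } || { echo "not a live symlink: $f" >&2; rc=1; }
        is_shell_name "${f##*/}" && { echo "shell in allow-list: $f" >&2; rc=1; }
    done
    grep -q 'exec /bin/bash --noprofile -r' "$home/.bash_profile" 2>/dev/null || rc=1
    # Home must still be 555 and the profile 444 (first ten columns of ls).
    case "$(ls -ld "$home" 2>/dev/null | cut -c1-10)" in dr-xr-xr-x) ;; *) rc=1 ;; esac
    case "$(ls -l "$home/.bash_profile" 2>/dev/null | cut -c1-10)" in -r--r--r--) ;; *) rc=1 ;; esac
    return $rc
}
```

Run the audit from cron or a config-check job: any extra entry in /opt/lubin, a dangling link, or a profile that has become writable fails it.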
#4  06-06-2006  grial, "UNIX is like a bull" (Join Date: Jun 2006, Location: Madrid (Spain), Posts: 531)
Well, a restricted shell is a much easier solution... It just depends on the limits you want for those users...
On a restricted shell you should be careful with the PATH variable and the user's profile files.
Regards.
#5  06-06-2006  Corona688, Registered User (Join Date: Aug 2005, Location: Saskatchewan, Posts: 989)
Quote:
Originally Posted by grial
Well, a restricted shell is a much easier solution... It just depends on the limits you want for those users...
On a restricted shell you should be careful with the PATH variable and the user's profile files.
Regards.
Absolutely. With a session that limited they don't even need a writable home directory!