The UNIX and Linux Forums > UNIX for Dummies Questions & Answers
#1  06-06-2006  xs2sandeep (Registered User)
Creating subusers & assigning limited rights

Hi all,

I need to create 2 users, sde1 & sde2, with limited authority (read only). I know the root password. Please tell me the step-by-step procedure for how to create these subusers to root.

The commands which these subusers can run are:

1)#df -k
2)#ps -ef|grep syb
3)#ps -ef|grep omc
4)ps -eofname,pcpu,comm|sort -k 2n

-Sandy
#2  06-06-2006  grial (Forum Advisor, Madrid, Spain; tagline: "UNIX is like a bull")
I think what you want is a procedure to configure a chroot jail for those users, don't you?... That's not a trivial procedure. There are lots of docs on that, just go to Google.
#3  06-06-2006  Corona688 (Registered User, Saskatchewan)
Quote:
Originally Posted by xs2sandeep
Hi all,

I need to create 2 users, sde1 & sde2, with limited authority (read only).
for read, on what? In what system?
Quote:
I know the root password. Please tell me the step-by-step procedure for how to create these subusers to root.
subuser? What's a subuser, a non-root user?
Quote:
The commands which these subusers can run are:

1)#df -k
2)#ps -ef|grep syb
3)#ps -ef|grep omc
4)ps -eofname,pcpu,comm|sort -k 2n

-Sandy
That's...pretty limited. UNIX doesn't support this sort of thing directly as in a "let user x access only these programs" list, though it's possible to create that environment.

If you have bash, you can put their login shell into restricted mode, which would prevent them from doing...nearly anything. A chroot jail would be a more ironclad solution, but the bash one is very simple...

The way I went about this was:
  • Create a directory, /opt/lubin, which contains symlinks to ONLY the commands you want. It should look like this:

    Code:
    mecgentoo ~ # ls -lh /opt/lubin
    total 0
    lrwxrwxrwx 1 root root 7 Jun  6 08:47 df -> /bin/df
    lrwxrwxrwx 1 root root 9 Jun  6 08:47 grep -> /bin/grep
    lrwxrwxrwx 1 root root 7 Jun  6 08:47 ps -> /bin/ps
    lrwxrwxrwx 1 root root 9 Jun  6 08:47 sort -> /bin/sort

  • Alter the profile for the limited user, so they login with bash in restricted mode, and can only execute things in /opt/lubin. /home/limiteduser/.bash_profile should look like this:
    Code:
    PATH=/opt/lubin
    exec /bin/bash --noprofile -r

  • Make sure they can't modify their profile:
    Code:
    mecgentoo ~ # chmod 444 /home/limiteduser/.bash_profile /home/limiteduser/.bashrc /home/limiteduser/.bash_logout
    mecgentoo ~ # chown root:root /home/limiteduser/.bash_profile /home/limiteduser/.bashrc /home/limiteduser/.bash_logout
    mecgentoo ~ # ls -l /home/limiteduser/.bash_profile
    -r--r--r-- 1 root root 242 Jun  6 08:47 /home/limiteduser/.bash_profile
    mecgentoo ~ # chown root:root /home/limiteduser
    mecgentoo ~ # chmod 555 /home/limiteduser
    mecgentoo ~ # ls -ld /home/limiteduser
    dr-xr-xr-x 2 root root 4096 Jun  6 08:47 /home/limiteduser
    mecgentoo ~ #

  • Make sure there's nothing in /home/limiteduser/.bashrc that you don't want executed
  • Now, when they login, they can only execute those programs in /opt/lubin:
    Code:
    mecgentoo ~ # su - limiteduser
    limiteduser@mecgentoo ~ $ ls
    bash: ls: command not found
    limiteduser@mecgentoo ~ $ df -k
    Filesystem           1K-blocks      Used Available Use% Mounted on
    /dev/hda2             19236340   7741408  10517780  43% /
    udev                    257720       416    257304   1% /dev
    /dev/hda4            272267008 101397300 170869708  38% /opt
    /usr/share/images/squid-cache.ext2
                           2064208     16700   2047508   1% /var/cache/squid
    shm                     257720         0    257720   0% /dev/shm
    limiteduser@mecgentoo ~ $ ps -ef|grep syb
    1007     10474 10463  0 08:53 pts/0    00:00:00 grep syb
    limiteduser@mecgentoo ~ $ ps -eofname,pcpu,comm|sort -k 2n
    COMMAND  %CPU COMMAND
    acpid     0.0 acpid
    agetty    0.0 agetty
    agetty    0.0 agetty
    ...
    limiteduser@mecgentoo ~ $ exit
    exit
    mecgentoo ~ #

  edit -- do NOT include bash in /opt/lubin, that's a security hole!

Last edited by Corona688; 06-06-2006 at 11:21 AM.. Reason: continuing improvements
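The procedure from the post above, scripted and then audited, as an added example that is not Corona688's own code and was not part of the original thread. It assumes bash lives at /bin/bash, adds --norc to the exec line (bash enforces the -r restrictions only after the startup files have been read, which is why the post warns about .bashrc), and uses a hypothetical denylist of shell-capable commands; the paths /home/sde1, /opt/lubin and the df/grep/ps/sort set are the ones from the thread. All paths are parameters, so the functions can be exercised in a scratch directory without root.

```shell
#!/bin/sh
# Added example, not part of the original post: scripts the restricted-bash
# setup described above and audits the result for the usual escape routes.
# Every path is a parameter, so it can be exercised in a scratch directory as
# an ordinary user; the real install runs as root with /home/<user> and
# /opt/lubin. The /bin/bash path, the added --norc flag and the ESCAPE_CMDS
# list are this example's assumptions, not the post's.

# Names that must never be reachable from the restricted PATH: anything that
# spawns a shell, has a shell escape (pagers, editors) or runs arbitrary code.
ESCAPE_CMDS="sh bash dash ksh zsh csh tcsh rbash vi vim view nano less more man
perl python python3 ruby awk gawk mawk env find xargs nice nohup sudo su ssh
scp ftp telnet tar"

# mode_bits FILE -> the nine permission characters, e.g. r-xr-xr-x.
# ls is used instead of stat because its output is the same on GNU and BSD.
mode_bits() { ls -ld "$1" | cut -c2-10; }

finding() { echo "FINDING: $*"; rc=1; }

# make_cmd_dir BINDIR SRCDIR CMD...: populate BINDIR with symlinks to ONLY the
# listed commands, each taken from SRCDIR (normally /bin or /usr/bin).
make_cmd_dir() {
    bindir=$1; srcdir=$2; shift 2
    mkdir -p "$bindir" && chmod 755 "$bindir" || return 1
    for c in "$@"; do
        [ -x "$srcdir/$c" ] || { echo "make_cmd_dir: $srcdir/$c not executable" >&2; return 1; }
        ln -sfn "$srcdir/$c" "$bindir/$c" || return 1
    done
}

# write_profile HOME BINDIR: the .bash_profile from the post, plus --norc so
# that .bashrc (which would run before the -r restrictions apply) is never read.
write_profile() {
    home=$1; bindir=$2
    mkdir -p "$home" || return 1
    printf 'PATH=%s\nexport PATH\nexec /bin/bash --noprofile --norc -r\n' "$bindir" \
        > "$home/.bash_profile" || return 1
    : > "$home/.bashrc"; : > "$home/.bash_logout"   # present, empty, then locked
}

# lock_down HOME: the chmod 444 / chmod 555 step. chown to root is attempted
# only when we really are root, so the scratch run still works unprivileged.
lock_down() {
    home=$1
    for f in .bash_profile .bashrc .bash_logout; do
        [ -e "$home/$f" ] || continue
        chmod 444 "$home/$f" || return 1
        if [ "$(id -u)" -eq 0 ]; then chown root:root "$home/$f" || return 1; fi
    done
    if [ "$(id -u)" -eq 0 ]; then chown root:root "$home" || return 1; fi
    chmod 555 "$home"
}

# audit_restricted HOME BINDIR: re-check every property the setup relies on.
# Prints one line per problem; returns 1 if any were found, 0 otherwise.
audit_restricted() {
    home=$1; bindir=$2; rc=0
    # 1. Command directory: not writable by group/other, every entry a symlink,
    #    and neither the link name nor its target is a known escape command.
    case "$(mode_bits "$bindir")" in ???*w*) finding "$bindir writable by group/other" ;; esac
    for f in "$bindir"/* "$bindir"/.[!.]*; do
        [ -e "$f" ] || [ -h "$f" ] || continue
        name=$(basename "$f")
        if [ -h "$f" ]; then target=$(basename "$(readlink "$f")")
        else target=$name; finding "$f is a real file, not a symlink"; fi
        for bad in $ESCAPE_CMDS; do
            if [ "$name" = "$bad" ] || [ "$target" = "$bad" ]; then
                finding "$f reaches $bad"; break
            fi
        done
    done
    # 2. Profile: present, read-only, PATH pinned to BINDIR, execs bash -r.
    p="$home/.bash_profile"
    if [ ! -f "$p" ]; then finding "$p missing"
    else
        case "$(mode_bits "$p")" in *w*) finding "$p is writable" ;; esac
        grep -qxF "PATH=$bindir" "$p" || finding "$p does not pin PATH to $bindir"
        grep -Eq '^exec .*bash.* (-r|--restricted)( |$)' "$p" || finding "$p does not exec a restricted bash"
    fi
    # 3. Home directory and every dotfile read-only: anything the user can edit
    #    here runs before the restrictions apply. The post's 444/555 rule is
    #    checked literally, so even owner-write is reported.
    case "$(mode_bits "$home")" in *w*) finding "$home is writable" ;; esac
    for f in "$home"/.[!.]* "$home"/*; do
        [ -e "$f" ] || continue
        case "$(mode_bits "$f")" in *w*) finding "$f is writable" ;; esac
    done
    return $rc
}

# Usage (as root): sh restrict.sh /home/sde1 /opt/lubin /bin df grep ps sort
if [ $# -ge 4 ]; then
    h=$1; b=$2; s=$3; shift 3
    make_cmd_dir "$b" "$s" "$@" && write_profile "$h" "$b" && lock_down "$h" \
        && audit_restricted "$h" "$b"
else
    echo "usage: $0 HOME BINDIR SRCDIR CMD..." >&2
fi
```

Two caveats the audit cannot see for you: rbash blocks `>` redirection, `cd` and slashes in command names, but not a command's own options, so `sort -o /tmp/x` still writes wherever the account can (the read-only home keeps that harmless; /tmp does not); and the denylist matters because a pager or editor added "just for convenience" (`less`, `vi`) gives an immediate `!sh` escape, which is exactly the hole the post's own edit warns about for bash.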
#4  06-06-2006  grial (Forum Advisor)
Well, a restricted shell is a much easier solution... It just depends on the limits you want for those users...
On a restricted shell you should be careful with the PATH variable and the user's profile files.
Regards.
#5  06-06-2006  Corona688 (Registered User)
Quote:
Originally Posted by grial
Well, a restricted shell is a much easier solution... It just depends on the limits you want for those users...
On a restricted shell you should be careful with the PATH variable and the user's profile files.
Regards.
Absolutely. With a session that limited they don't even need a writable home directory!