Freeze user in one directory Post: 302431518

Sponsored Content

Operating Systems AIX Freeze user in one directory Post 302431518 by bakunin on Tuesday 22nd of June 2010 05:00:26 AM

06-22-2010

Registered User

Quote:

Originally Posted by Mr.AIX

for exsample I want to denied that user to access /usr , /root , /var .... etc

This is not quite possible: if you deny a user access to the "/usr" tree he will not be able to execute any commands stored there - which, in case of the "/usr" hierarchy - includes all the commands a Unix system has. The user would, for instance, not even be allowed to change his password, because the "passwd" command lives in "/usr/bin/passwd".

Of course there is "chroot", as has been mentioned, but this means basically replicating the (relevant part of the whole) system into a single directory, creating a copy of the /usr tree, etc.. You still will need to give the user access to at least these copies, otherwise you have the same situation as before. Further, the user has to log into the system to do some (meaningful) work: it might be possible that the restrictions you put onto the account at the same time prevent the account from doing anything meaningful at all.

You might explore the "restricted shell" ("ksh -r") to achieve your desired functionality, but even this is IMHO a desperate measure.

As long as you get your authentication model and your privilege model right you don't need to fall back to these solutions of last resort, though - not in most of the cases, that is. It doesn't hurt if a user can see something, as long as he isn't able to change it - which is, why there are "r" bits and "w" bits to set on a directory and file level.

So, as long as you don't explain which situation calls for such outrageous security mechanisms the best advice i can give you is: don't do it. Use normal file/directory restrictions instead, not even considering ACLs.

I hope this helps.

bakunin

bakunin

View Public Profile for bakunin

Find all posts by bakunin

8 More Discussions You Might Find Interesting

1. Linux

How to trace the module after system freeze?

Hi, I wrote a kernel module that did a virtual network protocol and library that provide interface for application use to interact with the kernel module by ioctl actions. insmod the module and unload the module, there will be no problem. But once I call the library with my example...

2. Solaris

Restricting SFTP user to a defined directory and home directory

Hi, I've created solaris user which has both FTP and SFTP Access. Using the "ftpaccess" configuration file options "guest-root" and "restricted-uid", i can restrict the user to a specific directory. But I'm unable to restrict the user when the user is logged in using SFTP. The aim is to...

3. SCO

Help on System Freeze in SCO

Hi, My SCO server freezes suddenly. I just want to know if there any tools / commands availble that can find which is causing the freeze? Any help on this would be greatly appreciated. Regards, Ravikumar R

4. SCO

SCO 6.0 Freeze

Hi Gurus I have installed SCO 6.0 open server on Dell R710 server. It has frozen three times afte installtion. and I had to cold reboot to bring the server back again. I need to know where to look for the reason it froze. The keyboard on the server the asterisk key is pressed, even...

5. Linux

grub2 startup freeze

I got a dual boot with grub2, but everytime I turn on the computer and the booter is loaded, I can't handle the menu, so I am forced to wait the countdown and choose the default option. I'd really like to know why! This is my grub.cfg, # # DO NOT EDIT THIS FILE # # It is automatically...

6. Solaris

Solaris 11 install freeze

Hi, I tried to boot the Solaris 11 install DVD the other day and I can't get past the "SunOS" text banner on the clear/newscreen. It just hangs with a solid block cursor. I have a new computer and that might be the problem, but what I want is more verbosity maybe, some kind of detailed...

7. Cybersecurity

Freeze system

hello is there any freeze software for Linux-redhat system to prevent any changes on /root (wish open topic on right forum)

8. Solaris

SunOS confusing root directory and user home directory

Hello, I've just started using a Solaris machine with SunOS 5.10. After the machine is turned on, I open a Console window and at the prompt, if I execute a pwd command, it tells me I'm at my home directory (someone configured "myuser" as default user after init). ...

LEARN ABOUT SUNOS

d_passwd

d_passwd(4)							   File Formats 						       d_passwd(4)

NAME

       d_passwd - dial-up password file

SYNOPSIS

       /etc/d_passwd

DESCRIPTION

       A  dial-up  password is an additional password required of users who access the computer through a modem or dial-up port. The correct pass-
       word must be entered before the user is granted access to the computer.

       d_passwd is an ASCII file which contains a list of executable programs (typically shells) that require a dial-up password and  the  associ-
       ated encrypted passwords. When a user attempts to log in on any of the ports listed in the dialups file (see dialups(4)), the login program
       looks at the user's login entry stored in the passwd file (see passwd(4)), and compares the login shell field to the entries  in  d_passwd.
       These entries determine whether the user will be required to supply a dial-up password.

       Each entry in d_passwd is a single line of the form:

       login-shell:password:

       where

       login-shell     The name of the login program that will require an additional dial-up password.

       password        An  encrypted  password. Users accessing the computer through a dial-up port or modem using login-shell will be required to
		       enter this password before gaining access to the computer.

       d_passwd should be owned by the root user and the root group. The file should have read and write permissions for the owner (root) only.

       If the user's login program in the passwd file is not found in d_passwd or if the login shell field in passwd is empty, the user must  sup-
       ply  the  default  password.  The default password is the entry for /usr/bin/sh. If d_passwd has no entry for /usr/bin/sh, then those users
       whose login shell field in passwd is empty or does not match any entry in d_passwd will not be prompted for a dial-up password.

       Dial-up logins are disabled if d_passwd has only the following entry:

       /usr/bin/sh:*:

EXAMPLES

       Example 1: Sample d_passwd file.

       Here is a sample d_passwd file:

       /usr/lib/uucp/uucico:q.mJzTnu8icF0:
       /usr/bin/csh:6k/7KCFRPNVXg:
       /usr/bin/ksh:9df/FDf.4jkRt:
       /usr/bin/sh:41FuGVzGcDJlw:

   Generating An Encrypted Password
       The passwd (see passwd(1)) utility can be used to generate the encrypted password for each login program. passwd generates encrypted  pass-
       words  for  users  and places the password in the shadow (see shadow(4)) file. Passwords for the d_passwd file will need to be generated by
       first adding a temporary user id using useradd (see useradd(1M)), and then using passwd(1) to generate the desired password in  the  shadow
       file. Once the encrypted version of the password has been created, it can be copied to the d_passwd file.

       For example:

       1.
	   Type useradd tempuser and press Return. This creates a user named tempuser.

       2.  Type passwd tempuser and press Return. This creates an encrypted password for tempuser and places it in the shadow file.

       3.  Find the entry for tempuser in the shadow file and copy the encrypted password to the desired entry in the d_passwd file.

       4.  Type userdel tempuser and press Return to delete tempuser.

       These steps must be executed as the root user.

FILES

       /etc/d_passwd	       dial-up password file

       /etc/dialups	       list of dial-up ports requiring dial-up passwords

       /etc/passwd	       password file

       /etc/shadow	       shadow password file

SEE ALSO

       passwd(1), useradd(1M), dialups(4), passwd(4), shadow(4)

WARNINGS

       When  creating  a  new  dial-up password, be sure to remain logged in on at least one terminal while testing the new password. This ensures
       that there is an available terminal from which you can correct any mistakes that were made when the new password was added.

SunOS 5.10							    2 Sep 2004							       d_passwd(4)