Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Do not allow bypassing users .profile
Operating Systems AIX Do not allow bypassing users .profile Post 302938635 by omonoiatis9 on Wednesday 18th of March 2015 05:59:19 AM
Old 03-18-2015
@Don Cragun: Unfortunately I cannot use rlogin because our security department said that rlogin contains security vulnerabilities which can be exploited so we had to disable the service from our servers. Anyway reading your last post I still think that this will not prevent users from doing what they tried to do before. Even if I remove putty from their PCs and give them a different tool to connect on server, nothing stops them from download putty and use it. and if they do that it doesn't matter what kind of shell they are using. Even if I set their initial shell to /bin/myscript as long as they have putty they can still execute remote ssh command and run bash with --noprofile option.

@XrAy: Thank you for your reply. well I'm actually testing all the suggestions that people posted here. this is what I said that I will do and this is what I'm doing right now. I didn't focus in just one thing. I'm trying to see what is the best solution to implement or even a combination of things. this is what I found until now:
  1. Obviously when I create a custom base version of bash solves the problem of remote execution of --noprofile command. but as you said I have to be alert that every time I need to upgrade bash I need to have in mind that I will still exclude the --noprofile option.
  2. ForceCommand is doing a great job on sshd_config. I find out that when I use this option it solves all the issues that I faced.
    1. The user cannot execute the bash --noprofile option even with the original version of bash
    2. The user cannot do sftp and ssh to server and get command line
    3. The user cannot use scp to send or receive files from server.
  3. I couldn't make /etc/profile modification work.
I test it for one user but it doesn't seem to work. The user can still execute the remote command he wants through putty and can connect through sftp and use scp also.
Last edited by rbatte1; 03-18-2015 at 07:44 AM.. Reason: Broke up a single block of text, added LIST=1 & LIST=a tags, spelling, capital letters, apostrophes, bold for command names and ICODE tags for options etc.
 

10 More Discussions You Might Find Interesting

1. Shell Programming and Scripting

users with same .profile

guys i have a unix user (say "x") which is also an application owner ..thru this user i manage most (90 %) of my tasks related to application i.e application down/up,processes stop/start etc..in short i manage my "tuxedo" via this user.. now i want a new user to be created (on my name) which... (7 Replies)
Discussion started by: abhijeetkul
7 Replies

2. AIX

"ksh -" as login shell bypassing .profile

Hi all, I am currently trying to tell /bin/ksh to behave like a login shell. I am invoking it from an interactive shell. In the documentation is stated, that calling it with exec ksh - it should behave like a login shell, work 1st on /etc/profile, ~/.profile and so on. I tried that with... (0 Replies)
Discussion started by: zaxxon
0 Replies

3. UNIX for Advanced & Expert Users

How can I get sudo -u <username> to load that users profile on HP-UX

I am running a serverapplication on a HP-UX machine where I need to handle some of the commands as a specified user called "druser". When I log on as this user with the command; sudo -u druser -sit starts an instance of the shell as that user. However, it doesn't load that users .profile from... (1 Reply)
Discussion started by: ukiome
1 Replies

4. AIX

SSH and a users .profile

How do I get a command like "ssh Theuser@host date" to execute the /home/Theuser/.profile before executing the "date" command? (5 Replies)
Discussion started by: IL-Malti
5 Replies

5. Shell Programming and Scripting

sourcing .profile for other users

Hi Team, Thank you for your time. i have a situation where the user IDs of the applicatio users have been locked down to Read only. Hence I am writing a script to invoke their old .profile every time they login. My problem is : when i run . $userpath/.profile from within the ksh script... (9 Replies)
Discussion started by: anitha111
9 Replies

6. UNIX for Advanced & Expert Users

Bypassing blocking of websites...

So my workplace uses websense to block certain websites. I read while researching firesheep, that you can somehow bypass that by creating a proxy, and thus: #1 protect yourself from people using firesheep (if using unsecure hot-spot) and #2 or visit un-approved websites at work. I... (1 Reply)
Discussion started by: zixzix01
1 Replies

7. Shell Programming and Scripting

Users who desire to have their .profile executed must explicitly do so in the crontab entry. Why?

The .profile file should be read when the user logs in. So, there should be no need to execute .profile file again in a cron job (since the cron job is run after the user logs in). Doesn't the cron require login from the user. Then, from where does the cron execute? Please help!! (1 Reply)
Discussion started by: thulasidharan2k
1 Replies

8. IP Networking

Bypassing My Company Firewall!

Hi! My organization has put a Firewall which eat up a lot of important data access. So I came to know about SSH Tunneling to bypass the Firewall. I will have to setup a free access SSH server to tunnel data access through PUTTY or OpenSSH. The problem is that I don't know about any free... (1 Reply)
Discussion started by: nixhead
1 Replies

9. Solaris

Remove a given profile from a users account

Hi Guys, I was studying RBAC and I gave a profile to a user . I have not seen anywhere that shows how to remove the profile from the users account. Can anyone show me how to remove a given profile from a users account? Thanks alot guys. (2 Replies)
Discussion started by: cjashu
2 Replies

10. HP-UX

Create a new user from using existing users profile

Hello, Just wanting to know if it is possible. Also I am new to command line. I am running 5.1b, if that matters. Thanks in advance (10 Replies)
Discussion started by: bcha
10 Replies

LEARN ABOUT LINUX

rbash

RBASH(1)						      General Commands Manual							  RBASH(1)

NAME

       rbash - restricted bash, see bash(1)

RESTRICTED SHELL

       If  bash  is  started with the name rbash, or the -r option is supplied at invocation, the shell becomes restricted.  A restricted shell is
       used to set up an environment more controlled than the standard shell.  It behaves identically to bash with the exception that the  follow-
       ing are disallowed or not performed:

       o      changing directories with cd

       o      setting or unsetting the values of SHELL, PATH, ENV, or BASH_ENV

       o      specifying command names containing /

       o      specifying a file name containing a / as an argument to the .  builtin command

       o      specifying a filename containing a slash as an argument to the -p option to the hash builtin command

       o      importing function definitions from the shell environment at startup

       o      parsing the value of SHELLOPTS from the shell environment at startup

       o      redirecting output using the >, >|, <>, >&, &>, and >> redirection operators

       o      using the exec builtin command to replace the shell with another command

       o      adding or deleting builtin commands with the -f and -d options to the enable builtin command

       o      using the enable builtin command to enable disabled shell builtins

       o      specifying the -p option to the command builtin command

       o      turning off restricted mode with set +r or set +o restricted.

       These restrictions are enforced after any startup files are read.

       When a command that is found to be a shell script is executed, rbash turns off any restrictions in the shell spawned to execute the script.

SEE ALSO

       bash(1)

GNU Bash-4.0							    2004 Apr 20 							  RBASH(1)
All times are GMT -4. The time now is 11:49 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy