Operating Systems AIX Locking down access vi winscp Post 302958762 by -=XrAy=- on Monday 26th of October 2015 08:06:27 AM
Quote:
Originally Posted by juredd1
Is anyone aware of a way to lock a user down into their home directory when using tools like WinSCP? We use chroot-type security on our Linux "FTP". But I'm not sure how putting chroot-type security on this AIX server might affect normal end-user logins to the application that resides on this server, as when they come in as they should, the application is the one accessing the other sensitive areas, and it does not allow the user to access areas that don't belong to them.

Thanks for your time.
Justin
Here is a small example of how to set up a restricted shell:

1. Make sure rksh is in the list of valid shells.
Code:
grep rksh /etc/security/login.cfg

2. Change the user's shell to rksh.
Code:
chsh <user> /usr/bin/rksh

3. Prepare the environment (create a symbolic link for every allowed command).
Code:
mkdir /usr/bin/restricted
ln -s /usr/bin/ls /usr/bin/restricted/ls
ln -s /usr/bin/cat /usr/bin/restricted/cat
...

4. Replace the PATH variable in the user's .profile file and adjust the environment settings for your applications.
Code:
export PATH=/usr/bin/restricted

5. Adjust the permissions (the user must not be able to edit .profile, or replace it by renaming, since PATH is set there).
Code:
# home directory and .profile owned by bin, not by the user
chown bin:bin /home/<user> /home/<user>/.profile
# remove write permission for everyone (a-w is unambiguous; a bare -w can be read as an option)
chmod a-w /home/<user> /home/<user>/.profile

6. Test it.
Code:
$ cd /
rksh: cd: 0403-019 The operation is not allowed in a restricted shell.

Works well with winscp.

Regards
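As an added example (not part of the forum post), a POSIX sh audit of the setup described above: it confirms that the .profile sets PATH to exactly the restricted directory, and it lists any link in that directory whose target is a command that gives an unrestricted shell or arbitrary file access, which would defeat rksh no matter what the link is called. The escape-command list, the file paths and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the forum post: audit an rksh setup like the one above.
# Assumed usage:  audit_restricted_setup /home/<user>/.profile /usr/bin/restricted

# Commands that hand the user an unrestricted shell or arbitrary file access;
# a link to any of them inside the restricted directory defeats rksh (assumed list).
ESCAPES="sh ksh bsh csh bash vi vim ed ex more less man find awk perl python"

# profile_path_ok PROFILE DIR: succeed only if PROFILE sets PATH at least once
# and every assignment is exactly DIR (no ':' list, no "$PATH" append, no '.').
profile_path_ok() {
    assigns=$(grep -E '^[[:space:]]*(export[[:space:]]+)?PATH=' "$1" |
              sed -e 's/^[[:space:]]*//' -e 's/^export[[:space:]]*//' \
                  -e 's/^PATH=//' -e 's/^"\(.*\)"$/\1/')
    [ -n "$assigns" ] || return 1      # no PATH at all: the default PATH is inherited
    echo "$assigns" | grep -v -x -F -- "$2" >/dev/null && return 1
    return 0
}

# dir_escapes DIR: print every entry in DIR whose link target is an escape
# command (the entry's own name does not matter, only what it resolves to).
# Exit 0 when the directory is clean, 1 otherwise.  Parses ls -ld instead of
# calling readlink, which is assumed not to be present on base AIX.
dir_escapes() {
    found=0
    for entry in "$1"/*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        target=$(ls -ld "$entry" | sed -n 's/.* -> //p')
        name=$(basename "${target:-$entry}")
        for esc in $ESCAPES; do
            if [ "$name" = "$esc" ]; then
                echo "escape: $entry -> ${target:-$entry}"
                found=1
            fi
        done
    done
    [ "$found" -eq 0 ]
}

# audit_restricted_setup PROFILE DIR: run both checks, exit 0 only if both pass.
audit_restricted_setup() {
    rc=0
    profile_path_ok "$1" "$2" || { echo "PATH in $1 is not exactly $2"; rc=1; }
    dir_escapes "$2" || rc=1
    return "$rc"
}
```

The PATH check deliberately rejects `PATH=/usr/bin/restricted:$PATH`, because appending the inherited PATH reopens every command the restricted directory was meant to hide.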
rsh(1M)                   System Administration Commands                   rsh(1M)

NAME
       rsh, restricted_shell - restricted shell command interpreter

SYNOPSIS
       /usr/lib/rsh [-acefhiknprstuvx] [argument...]

DESCRIPTION
       rsh is a limiting version of the standard command interpreter sh, used to restrict logins to execution environments whose capabilities are more controlled than those of sh (see sh(1) for complete description and usage). When the shell is invoked, it scans the environment for the value of the environmental variable, SHELL. If it is found and rsh is the file name part of its value, the shell becomes a restricted shell.

       The actions of rsh are identical to those of sh, except that the following are disallowed:

         o  changing directory (see cd(1)),
         o  setting the value of $PATH,
         o  specifying path or command names containing /,
         o  redirecting output (> and >>).

       The restrictions above are enforced after .profile is interpreted.

       A restricted shell can be invoked in one of the following ways:

         1. rsh is the file name part of the last entry in the /etc/passwd file (see passwd(4));
         2. the environment variable SHELL exists and rsh is the file name part of its value; the environment variable SHELL needs to be set in the .login file;
         3. the shell is invoked and rsh is the file name part of argument 0;
         4. the shell is invoked with the -r option.

       When a command to be executed is found to be a shell procedure, rsh invokes sh to execute it. Thus, it is possible to provide to the end-user shell procedures that have access to the full power of the standard shell, while imposing a limited menu of commands; this scheme assumes that the end-user does not have write and execute permissions in the same directory.

       The net effect of these rules is that the writer of the .profile (see profile(4)) has complete control over user actions by performing guaranteed setup actions and leaving the user in an appropriate directory (probably not the login directory).

       The system administrator often sets up a directory of commands (that is, /usr/rbin) that can be safely invoked by a restricted shell. Some systems also provide a restricted editor, red.

EXIT STATUS
       Errors detected by the shell, such as syntax errors, cause the shell to return a non-zero exit status. If the shell is being used non-interactively, execution of the shell file is abandoned. Otherwise, the shell returns the exit status of the last command executed.

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       +-----------------------------+-----------------------------+
       |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
       +-----------------------------+-----------------------------+
       | Availability                | SUNWcsu                     |
       +-----------------------------+-----------------------------+

SEE ALSO
       intro(1), cd(1), login(1), rsh(1), sh(1), exec(2), passwd(4), profile(4), attributes(5)

NOTES
       The restricted shell, /usr/lib/rsh, should not be confused with the remote shell, /usr/bin/rsh, which is documented in rsh(1).

SunOS 5.10                           1 Nov 1993                            rsh(1M)