AIX

Hi,

is there a way to disable bash shell only for specific users?

you can put them in a same group and change the environment .profile for that group.

But this does not prevent a user from calling bash inside his default shell or from a script.

for ex our user is test.

add a group which named bashxx

Code:

# groupadd bashxx

and add user to group

Code:

# usermod -G bashxx,test test

and mount with acl

Code:

# mount -o remount -o defaults,acl  /

and be sure that there is not perm on bash

Code:

# setfacl -m g:bashxx:0 `which bash`

and they must not dowload any source file about bash

Code:

# su - test
$ bash
-ksh: bash: cannot execute [Permission denied]

after that for another users same process goes on..

Code:

# usermod -G bashxx,test2 test2

and then again for another users...

of course they should not dowload any source file about bash

regards
ygemici

It is the other way round: ENable specific users for the shell:

- create a group "bashusers"
- remove read/write/execute-bit from $(which bash) for world, set execute- and read-bit for group
- give group ownership of $(which bash) to group "bashusers"
- put everybody allowed to use bash into this group

This way you have disabled the usage of bash for all users not member of "bashusers". Of course you can't effectively disable it for user "root".

I hope this helps.

bakunin

I managed it with AIX ACL's:

Help -
Thanks.

Thanks for writing a follow-up.

Still, i'd like to warn you to think twice about using ACLs: in my experience using ACLs is uncessarily complicating the rights management process and in the long run it is better to stay away from using ACLs at all.

In most cases you can achieve your goals without ACLs and if this is possible you should go for it.

Just my 2 cents.

bakunin