Do not allow bypassing users .profile
# 8  
Old 03-03-2015
IF you have code users must run on login, consider /etc/profile:

Create a special script in a directory the user cannot change, maybe something like this

Code:
if [ $(id -g) -eq 3000 ] ; then  # users in just this group
. /path/to/special/script.sh
fi

Place the above in /etc/profile. It sounds like you have required stuff (probably security) that users are going to try to evade. Do not put stuff like that in .profile. Users can and will mess with it.

If you really have security problems consider a restricted shell for some users.
# 9  
Old 03-03-2015
Quote:
Originally Posted by Scrutinizer
A script such as that can easily be parsed to quickly find that this can be bypassed with
Code:
ssh -t hostname "bash.orig --noprofile"

You are right. I guess the really safe way is removing this option from bash by modifying the source code and building a custom version.

- download your favourite bash version from https://ftp.gnu.org/gnu/bash/
- modify shell.c and replace the following line '{ "noprofile", Int, &no_profile, (char **)0x0 },' with ' /* { "noprofile", Int, &no_profile, (char **)0x0 }, */'
- build your custom version
Code:
./configure
make

test it:
Code:
./bash --noprofile
./bash: --noprofile: invalid option
Usage:	./bash [GNU long option] [option] ...
	./bash [GNU long option] [option] script-file ...
GNU long options:
	--debug
	--debugger
	--dump-po-strings
	--dump-strings
	--help
	--init-file
	--login
	--noediting
	--norc
	--posix
	--rcfile
	--restricted
	--verbose
	--version
Shell options:
	-ilrsD or -c command or -O shopt_option		(invocation only)
	-abefhkmnptuvxBCHP or -o option

Code:
# make a backup of your original bash before replacing it ;)
cp bash /bin/bash

Regards

---------- Post updated at 22:56 ---------- Previous update was at 22:51 ----------

Quote:
Originally Posted by jim mcnamara
IF you have code users must run on login, consider /etc/profile
I guess this will not help in this case...

Code:
man bash
 --noprofile
              Do not read either the system-wide startup file /etc/profile or any of the personal initialization files ~/.bash_profile, ~/.bash_login, or ~/.profile.  By default, bash reads these files when it is invoked as
              a login shell (see INVOCATION below).

Regards

# 10  
Old 03-04-2015
Thank you all guys for your responses. @achenle: well, actually they cannot change their profile if they connect to the server, because their profile runs an application. So when the users connect to the server they go directly to the logon screen of the application that they are going to connect to. They don't go to the command line. That's why they used this command through PuTTY in order to get a command line. @XrAy: your last suggestion seems good to me. I will try that. @agent.kgb, rbatte1: in the /etc/ssh/sshd_config file I cannot find the lines that you mentioned. Do I have to insert these lines myself? Does it matter in which section I enter these lines, or can I put them at the end of the file?
# 11  
Old 03-04-2015
You still have to stop them using ftp, sftp, scp, etc., as they can remotely modify it and replace the version you have created.

If it is a common thing that you want them all to run, I'd follow the suggestion from Jim and put something in /etc/profile instead.

If you don't want everyone to run it, then have it conditional on the primary group or some other external reference that you can easily adjust. We have the following in ours:-
Code:
GROUP=`id -gn`
if [ -f /usr/local/bin/${GROUP}.start ]
        then
        . /usr/local/bin/${GROUP}.start
fi


I hope that this helps,
Robin
# 12  
Old 03-04-2015
Well, ftp is disabled on the server, but I guess they can connect through sftp and scp, you are right. It doesn't hurt though if I apply both suggestions (modify sshd_config, bash) and also try this with /etc/profile. It will be more complex though with /etc/profile, because not all users connect to the same database. It's the same logic in all their profiles, but each one connects to a different database, so I have to break it down into a lot of pieces. I think I will apply one thing at a time. First I will enter the lines in sshd_config and make sure that I don't have any problem with ssh. Then I can change bash to remove the "--noprofile" option. Then comes the /etc/profile suggestion, which will take more time to do, so I will do it last. I think if I apply all 3 then probably they will not be able to mess around.
# 13  
Old 03-04-2015
Just put them at the end and restart sshd. If your users should run only one application, use a "normal" shell, ksh, for the users, which doesn't have such options, and even better, use rksh (the restricted version of ksh), set PATH correctly in the profile, and make their .profile files owned by root and only readable by the users.
# 14  
Old 03-04-2015
Your code called from /etc/profile could always have a reference table to look up who is meant to connect to which database in some way. Something like:-
Code:
$ cat /etc/dbusers
Robin DB1
Don DB2
Jim DB1

You could then read it something like:-
Code:
grep "^`id -un` " /etc/dbusers | read x DB

Notice that there is a trailing space before the closing quote in case you have user names like bob, bob2 etc.

Would that help?

Robin
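Putting the two ideas in this thread together (the group-conditional start script from post #11 and the /etc/dbusers lookup from post #14), here is an added example, not code posted by anyone in the thread. The table path, start-script directory and function names are assumptions for the demo; the awk exact-field match replaces grep plus `| read`, so it also behaves the same under bash, where the last component of a pipeline runs in a subshell and `read` would not set the variables in the calling shell.

```shell
#!/bin/sh
# Added example, not code from the thread: exact-match lookup of a user's
# database from a table like the constructed /etc/dbusers in post #14, and a
# dispatch routine in the spirit of the group-based /etc/profile stanza in
# post #11. Table path and start-script directory are demo assumptions.

DBUSERS_TABLE="${DBUSERS_TABLE:-/tmp/dbusers.demo}"
START_DIR="${START_DIR:-/tmp/start.demo}"

# Write a constructed sample table. In production this file lives under /etc,
# owned by root and not writable by the users it governs.
make_demo_table() {
    printf '%s\n' 'Robin DB1' 'Don DB2' 'Jim DB1' 'bob DB3' 'bob2 DB4' \
        > "$DBUSERS_TABLE"
}

# lookup_db USER: print the database assigned to USER (empty if none).
# awk compares the whole first field, so "bob" cannot match "bob2"; this is
# the same concern the trailing space in grep "^`id -un` " addresses.
lookup_db() {
    awk -v u="$1" '$1 == u { print $2; exit }' "$DBUSERS_TABLE"
}

# start_script_for GROUP: print the group's start script path if it exists.
start_script_for() {
    f="$START_DIR/$1.start"
    [ -f "$f" ] && printf '%s\n' "$f"
}

# dispatch USER GROUP: what a root-owned /etc/profile would decide for this
# login. Prints "<script> <db>" on success; fails (non-zero) when either is
# missing, so the caller can refuse the login instead of dropping to a shell.
dispatch() {
    db=$(lookup_db "$1")
    if [ -z "$db" ]; then
        echo "dispatch: no database assigned to user $1" >&2
        return 1
    fi
    script=$(start_script_for "$2") || {
        echo "dispatch: no start script for group $2" >&2
        return 1
    }
    printf '%s %s\n' "$script" "$db"
}

# In /etc/profile you would then run, for the real user and group:
#   out=$(dispatch "$(id -un)" "$(id -gn)") || exit 1
#   set -- $out; APP_DB=$2; export APP_DB; . "$1"
```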
