Personally, I prefer to not use local .profiles at all. Too many headaches. Users do not 'own' their home directory - only sub-directories, so the admins can always control the content of $HOME/.profile if it even exists.
An additional thought - in some companies it is grounds for immediate dismissal to deliberately go against the company security configuration (showing it can be circumvented should be applauded, but helping others get past policy should not). Along those lines a banner, even though boring to click away - may provide some additional insight to the 'personal' impact of getting on the command line when that is not intended.
Short recap:
Make use of /etc/environment and /etc/profile because everyone should pass through these (it is what documentation says iirc)
Do not rely on $HOME/.profile - assume it is tainted
If possible, have the system 'own' $HOME.
Last edited by rbatte1; 03-10-2015 at 09:08 AM..
Reason: Tidied up formatting and corrected spelling.
[QUOTE=-=XrAy=-;302937118]You are right. I guess the realy safe way is removing this option from bash through modifying the source code and building a custom version.
- download your favourite bash version from https://ftp.gnu.org/gnu/bash/
- modify the shell.c and replace the following line '{ "noprofile", Int, &no_profile, (char **)0x0 },' through ' /* { "noprofile", Int, &no_profile, (char **)0x0 }, */'
- build your custom version
Code:
./configure
make
test it:
Code:
./bash --noprofile
./bash: --noprofile: invalid option
Usage: ./bash [GNU long option] [option] ...
./bash [GNU long option] [option] script-file ...
GNU long options:
--debug
--debugger
--dump-po-strings
--dump-strings
--help
--init-file
--login
--noediting
--norc
--posix
--rcfile
--restricted
--verbose
--version
Shell options:
-ilrsD or -c command or -O shopt_option (invocation only)
-abefhkmnptuvxBCHP or -o option
Code:
# make a backup from your original bash bevor replacing them ;)
cp bash /bin/bash
Regards
---------- Post updated at 22:56 ---------- Previous update was at 22:51 ----------
i did the things that you suggested and it works perfectly now. the --noprofile option does not exist anymore and also when i tried to run the command that i said earlier the session closes as soon as i enter the password.
however i have some questions about the implementation of this new bash version that i created.
shall i just copy the bash command to my library directory or do i need to do something else first? i mean i need to uninstall bash and install it again? it does not effect the "whole bash package"?
This entire discussion just seems wrong to me. Why not just have users rlogin to this remote system and make their login shell on that system be the utility they are allowed to run. Why give them access to a shell on that system at all?
well actually it doesnt matter what kind of shell you assign to the users. thats why i started this discussion in the first place. for example the user that tried the command to connect to the server and get command line his shell is ksh. but through putty he has the ability to pass a command to the server and choose to run bash shell and use the --noprofile option. so even if i change the login shell of the user he can still do the same.
You seem to have missed what I suggested. Don't use putty and allow the user to choose the command they're going to run on the remote machine.
Have them rlogin to the remote machine and set up their login shell on that remote machine to be the program that you want to run (the program you want to put at the end of the .profile you don't want them to be able to change); not bash, not ksh, not sh; just the program you want them to run on that machine.
...
however i have some questions about the implementation of this new bash version that i created.
shall i just copy the bash command to my library directory or do i need to do something else first? i mean i need to uninstall bash and install it again? it does not effect the "whole bash package"?
As a simple solution i would keep the current package and just overwrite the orginal bash with your custom build, but keep in mind, that after a software update you may need to recopy your bash and you should keep your custom build up date for security reasons.
A more complex solution is to maintain your own bash package (rpm).
- Download a sample rpm-spec file for AIX from Perzl.org (e.g. bash-4.3-13.spec)
- write a custom spec-patch file which disable the option and add them to the bash spec file
- build rpm -ba bash-*.spec your custom rpm
Regards
PS
Please validate the other suggestions (e.g from Don Cragun). Maybe manipulating the bash is to much for that what your need.
Hi Guys,
I was studying RBAC and I gave a profile to a user . I have not seen anywhere that shows how to remove the profile from the users account. Can anyone show me how to remove a given profile from a users account?
Thanks alot guys. (2 Replies)
Hi!
My organization has put a Firewall which eat up a lot of important data access. So I came to know about SSH Tunneling to bypass the Firewall.
I will have to setup a free access SSH server to tunnel data access through PUTTY or OpenSSH.
The problem is that I don't know about any free... (1 Reply)
The .profile file should be read when the user logs in. So, there should be no need to execute .profile file again in a cron job (since the cron job is run after the user logs in). Doesn't the cron require login from the user. Then, from where does the cron execute? Please help!! (1 Reply)
So my workplace uses websense to block certain websites. I read while researching firesheep, that you can somehow bypass that by creating a proxy, and thus:
#1 protect yourself from people using firesheep (if using unsecure hot-spot)
and
#2 or visit un-approved websites at work.
I... (1 Reply)
Hi Team,
Thank you for your time.
i have a situation where the user IDs of the applicatio users have been locked down to Read only.
Hence I am writing a script to invoke their old .profile every time they login.
My problem is : when i run . $userpath/.profile from within the ksh script... (9 Replies)
I am running a serverapplication on a HP-UX machine where I need to handle some of the commands as a specified user called "druser".
When I log on as this user with the command;
sudo -u druser -sit starts an instance of the shell as that user.
However, it doesn't load that users .profile from... (1 Reply)
Hi all,
I am currently trying to tell /bin/ksh to behave like a login shell. I am invoking it from an interactive shell. In the documentation is stated, that calling it with
exec ksh -
it should behave like a login shell, work 1st on /etc/profile, ~/.profile and so on.
I tried that with... (0 Replies)
guys
i have a unix user (say "x") which is also an application owner ..thru this user i manage most (90 %) of my tasks related to application i.e application down/up,processes stop/start etc..in short i manage my "tuxedo" via this user..
now
i want a new user to be created (on my name) which... (7 Replies)
