Login or Register to Ask a Question and Join Our Community


Solaris

Restricting commands & access

Login to Discuss or Reply to this Discussion in Our Community

 
Thread Tools Search this Thread
Operating Systems Solaris Restricting commands & access
# 1  
Old 09-11-2013
Tools Restricting commands & access
Dear all,
I am administering a DC environment of over 100+ Solaris servers used by various teams including Databases.

Every user created on the node belonging to databases is assigned group staff(10) .

I want that all users belonging to staff should NOT be able to execute certain system commands like:

Code:
/usr/sbin/psrinfo -p
/usr/sbin/prtdiag

etc.

Also they should not be able to access certain predefined folders like /var/tmp .

How can this be achieved ?

Regards
Last edited by radoulov; 09-11-2013 at 06:17 AM..
# 2  
Old 09-11-2013
do you know what is setuid and setguid ?
# 3  
Old 09-11-2013
Code:
chmod o-x /usr/sbin/psrinfo /usr/sbin/prtdiag

This will deny execution rights for those two commands for everyone except for root and group that owns them.
# 4  
Old 09-11-2013
Quote:
Originally Posted by bartus11
Code:
chmod o-x /usr/sbin/psrinfo /usr/sbin/prtdiag

This will deny execution rights for those two commands for everyone except for root and group that owns them.
And then be prepared to deal with a lot of broken applications, scripts, and utilities.

Restrict access to psrinfo and prtdiag?

Why?

"If I could only know how many CPUs were on this server, I could take over the world with my evil hacking schemes"?
# 5  
Old 09-11-2013
As an alternative, you could use ACLs.

Note that Solaris by default uses NFSv4 ACLs which are a a bit different than standard POSIX (Linux) ones.
# 6  
Old 09-11-2013
Solaris is using NFSv4 ACLs on ZFS filesystems. On UFS filesystems standard ACLs are used.
# 7  
Old 09-11-2013
Quote:
Originally Posted by bartus11
Solaris is using NFSv4 ACLs on ZFS filesystems. On UFS filesystems standard ACLs are used.
As far as I know, ZFS has been an unofficial standard for global zones since 2007-2008.

Of course the poster might be using Solaris 8, 9 or a really outdated release of S10.

Anyway... another example of why it's important to be specific about the OS version. Smilie
Login or Register to Ask a Question

Previous Thread | Next Thread

10 More Discussions You Might Find Interesting

1. AIX

Switch Port Becoming Private & restricting access

Hello folks, I have an AIX server that is connected to a storage array via a Brocade switch using 4 ports from either side. The zoning is done such that there are 4 paths visible from the server to the storage. My work involves frequent disabling or enabling the switch ports that are... (1 Reply)
Discussion started by: nkiran
1 Replies

2. UNIX for Dummies Questions & Answers

Restricting SFTP access

Hello, I am using MySecureShell to chroot all sftp accesses. The problem that I have is that my boss does not want root to be able to use sftp. Root should still be able to ssh. Any ideas? (2 Replies)
Discussion started by: mojoman
2 Replies

3. Solaris

Restricting CPU Core Access

Hi all. I've had a quick look around but cant see anything exactly matching my requirements. I have a new T2000 running S10. Im looking to restrict the no. cores that a S10 non-global zone can use to 1 only. The box is single CPU but 8core. I want to do this to save on some software... (4 Replies)
Discussion started by: boneyard
4 Replies

4. UNIX for Advanced & Expert Users

Restricting access to code

Hi All, I am facing a problem, regarding code security on a server. We have configured a server which contains our code (ear present in jboss/server/xyz/deploy) in it, and need to bind the code to the server itself so that no one can take the code out of the. the problem is that the password of... (3 Replies)
Discussion started by: akshay61286
3 Replies

5. UNIX for Dummies Questions & Answers

Setting permissions and restricting access

Hi all, I have user called "Z". The home directory is /home/Z. I have another directory /home/Z/OP. Within /home/Z/OP, i have 2 directories /home/Z/OP/OP1 and /home/Z/OP2. I want to restrict access for Z to only access /home/Z/OP and /home/Z/OP1 and /home/Z/OP2. What kind of... (4 Replies)
Discussion started by: new2ss
4 Replies

6. Solaris

restricting access to a server

We want to secure access to a server by restricting the number of users who can login to it. Our users are NIS users. Only few of them can telnet/ssh this server. Do you have any idea on how to implement that? thanks. (1 Reply)
Discussion started by: melanie_pfefer
1 Replies

7. UNIX for Advanced & Expert Users

restricting root access

I'm the admin in a shop in which my developers have and use the root account, all UNIX newbies. I've been unable to convince management myself that this is an unacceptable practice. I've looked in a couple books I have and can't find any chapters, discussions, etc that make the argument that... (2 Replies)
Discussion started by: keith.m
2 Replies

8. Solaris

restricting access

Hi All, I'm on Solaris 8, I need to provide Read-only access to a user to 2 directories only. Using rsh (restricted shell) as the user's login shell, I can restrict the user's access to a certain directory only, but how can I set in such a way that the user can access only the 2 directories... (4 Replies)
Discussion started by: max_min
4 Replies

9. UNIX for Dummies Questions & Answers

Restricting access

I need to create a user that only has access to 1 directory (e.g. /vol/mita/test). The user needs to be able to rsh into that directory to run a script. The user should not be able to navigate to any other directories above /vol/mita/test. Any help would be appreciated! (4 Replies)
Discussion started by: ngagne
4 Replies

10. Cybersecurity

restricting access...

restricted access... Hi I need to restrict users shell access to only $HOME under /home for each user. I don't want them getting out of their own directories. From what I understand chroot is something I could use, but I want to avoid this since it involves creating symbolic links to a number... (9 Replies)
Discussion started by: alwayslearningunix
9 Replies
Login or Register to Ask a Question