Creating subusers & assigning limited rights


 
# 1  
Old 06-06-2006
Creating subusers & assigning limited rights

Hi all,

I need to create 2 users, sde1 & sde2, with limited authority (only for read). I know the root password. Please tell me the step-by-step procedure for how to create these subusers to root.

The commands which these subusers can run are:

1)#df -k
2)#ps -ef|grep syb
3)#ps -ef|grep omc
4)ps -eofname,pcpu,comm|sort -k 2n

-Sandy
# 2  
Old 06-06-2006
I think what you want is a procedure to configure a chroot jail for those users, don't you?... That's not a trivial procedure. There are lots of docs on that, just go to Google.
# 3  
Old 06-06-2006
Quote:
Originally Posted by xs2sandeep
Hi all,

I need to create 2 users, sde1 & sde2, with limited authority (only for read).
for read, on what? In what system?
Quote:
I know the root password. Please tell me the step-by-step procedure for how to create these subusers to root.
subuser? What's a subuser, a non-root user?
Quote:
The commands which these subusers can run are:

1)#df -k
2)#ps -ef|grep syb
3)#ps -ef|grep omc
4)ps -eofname,pcpu,comm|sort -k 2n

-Sandy
That's...pretty limited. UNIX doesn't support this sort of thing directly as in a "let user x access only these programs" list, though it's possible to create that environment.

If you have bash, you can put their login shell into restricted mode, which would prevent them from doing...nearly anything. A chroot jail would be a more ironclad solution, but the bash one is very simple...

The way I went about this was:
  • Create a directory, /opt/lubin, which contains symlinks to ONLY the commands you want. It should look like this:
    Code:
    mecgentoo ~ # ls -lh /opt/lubin
    total 0
    lrwxrwxrwx 1 root root 7 Jun  6 08:47 df -> /bin/df
    lrwxrwxrwx 1 root root 9 Jun  6 08:47 grep -> /bin/grep
    lrwxrwxrwx 1 root root 7 Jun  6 08:47 ps -> /bin/ps
    lrwxrwxrwx 1 root root 9 Jun  6 08:47 sort -> /bin/sort

  • Alter the profile for the limited user, so they login with bash in restricted mode, and can only execute things in /opt/lubin. /home/limiteduser/.bash_profile should look like this:
    Code:
    PATH=/opt/lubin
    exec /bin/bash --noprofile -r

  • Make sure they can't modify their profile:
    Code:
    mecgentoo ~ # chmod 444 /home/limiteduser/.bash_profile /home/limiteduser/.bashrc /home/limiteduser/.bash_logout
    mecgentoo ~ # chown root:root /home/limiteduser/.bash_profile /home/limiteduser/.bashrc /home/limiteduser/.bash_logout
    mecgentoo ~ # ls -l /home/limiteduser/.bash_profile
    -r--r--r-- 1 root root 242 Jun  6 08:47 /home/limiteduser/.bash_profile
    mecgentoo ~ # chown root:root /home/limiteduser
    mecgentoo ~ # chmod 555 /home/limiteduser
    mecgentoo ~ # ls -ld /home/limiteduser
    dr-xr-xr-x 2 root root 4096 Jun  6 08:47 /home/limiteduser/.bashrc
    mecgentoo ~ #

  • Make sure there's nothing in /home/limiteduser/.bashrc that you don't want executed
Now, when they login, they can only execute those programs in /opt/lubin:
Code:
mecgentoo ~ # su - limiteduser
limiteduser@mecgentoo ~ $ ls
bash: ls: command not found
limiteduser@mecgentoo ~ $ df -k
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/hda2             19236340   7741408  10517780  43% /
udev                    257720       416    257304   1% /dev
/dev/hda4            272267008 101397300 170869708  38% /opt
/usr/share/images/squid-cache.ext2
                       2064208     16700   2047508   1% /var/cache/squid
shm                     257720         0    257720   0% /dev/shm
limiteduser@mecgentoo ~ $ ps -ef|grep syb
1007     10474 10463  0 08:53 pts/0    00:00:00 grep syb
limiteduser@mecgentoo ~ $ ps -eofname,pcpu,comm|sort -k 2n
COMMAND  %CPU COMMAND
acpid     0.0 acpid
agetty    0.0 agetty
agetty    0.0 agetty
...
limiteduser@mecgentoo ~ $ exit
exit
mecgentoo ~ #

edit -- do NOT include bash in /opt/lubin, that's a security hole!

Last edited by Corona688; 06-06-2006 at 12:21 PM. Reason: continuing improvements
# 4  
Old 06-06-2006
Well, a restricted shell is a much easier solution... It just depends on the limits you want for those users...
On a restricted shell you should be careful with the PATH variable and the user's profile files.
Regards.
# 5  
Old 06-06-2006
Quote:
Originally Posted by grial
Well, a restricted shell is a much easier solution... It just depends on the limits you want for those users...
On a restricted shell you should be careful with the PATH variable and the user's profile files.
Regards.
Absolutely. With a session that limited they don't even need a writable home directory!
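The restricted-bash setup in post #3 leaks through exactly the points grial raises in post #4: a PATH directory or profile file the user can change, or a shell reachable from PATH (Corona688's own "do NOT include bash" edit). The script below is an added example, not code from the thread; it audits an existing setup of that shape for those mistakes. The directory and file names are assumptions taken from the thread (/opt/lubin, /home/limiteduser), the limited user is identified by numeric uid, and the `find` options `-maxdepth` and `-uid` are GNU/BSD extensions.

```shell
#!/bin/sh
# audit_rbash.sh (added example, not from the thread): check a restricted-bash
# environment built as described above, i.e. a directory of symlinks as the
# only PATH entry and a root-owned, read-only .bash_profile that execs bash -r.
#
# Usage: sh audit_rbash.sh /opt/lubin /home/limiteduser "$(id -u limiteduser)"
# Exit status 0 means every check passed; each failure is printed as FAIL:.

# Anything that is itself a shell must never be reachable from the restricted
# PATH. Interactive programs offering a shell escape (editors, pagers) deserve
# the same treatment.
SHELL_NAMES="sh bash dash ksh zsh csh tcsh rbash"

rc=0
fail() { printf 'FAIL: %s\n' "$1"; rc=1; }

# True if the path is owned by the limited uid or is group/other writable,
# i.e. the limited user could change it. (GNU/BSD find: -maxdepth, -uid)
user_can_modify() {
    [ -n "$(find "$1" -maxdepth 0 \( -uid "$2" -o -perm -020 -o -perm -002 \))" ]
}

# audit_restricted_env CMDDIR HOMEDIR UID -> returns 0 when all checks pass
audit_restricted_env() {
    cmddir=$1; home=$2; uid=$3; rc=0

    # 1. The PATH directory must exist and must not be writable by the user,
    #    otherwise they can add entries of their own.
    [ -d "$cmddir" ] || { fail "$cmddir is not a directory"; return 1; }
    user_can_modify "$cmddir" "$uid" && fail "$cmddir is modifiable by the limited user"

    # 2. Every entry must be an absolute symlink whose target is not a shell.
    for entry in "$cmddir"/*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue   # empty dir: glob stays literal
        name=${entry##*/}
        if [ ! -L "$entry" ]; then
            fail "$name is not a symlink"
            continue
        fi
        target=$(readlink "$entry")
        case $target in
            /*) ;;
            *)  fail "$name points to relative path $target" ;;
        esac
        tbase=${target##*/}
        for s in $SHELL_NAMES; do
            if [ "$tbase" = "$s" ] || [ "$name" = "$s" ]; then
                fail "$name exposes a shell ($target)"
            fi
        done
    done

    # 3. Home and the bash startup files must exist and must not be
    #    modifiable by the user; bash -r reads ~/.bashrc, so lock it too.
    for f in "$home" "$home/.bash_profile" "$home/.bashrc"; do
        [ -e "$f" ] || { fail "$f is missing"; continue; }
        user_can_modify "$f" "$uid" && fail "$f is modifiable by the limited user"
    done
    [ -e "$home/.bash_logout" ] && user_can_modify "$home/.bash_logout" "$uid" \
        && fail "$home/.bash_logout is modifiable by the limited user"

    # 4. The profile must pin PATH to the command directory and exec a
    #    restricted bash, as in the thread's two-line example.
    prof=$home/.bash_profile
    if [ -f "$prof" ]; then
        grep -qx "PATH=$cmddir" "$prof" || fail "$prof does not set PATH=$cmddir"
        grep -q '^exec .*bash.* -r' "$prof" || fail "$prof does not exec bash -r"
    fi
    return $rc
}

# Run the audit when invoked with the three arguments described above.
[ "$#" -eq 3 ] && audit_restricted_env "$1" "$2" "$3"
```

Run it as root after setting the environment up; a clean run prints nothing and exits 0. It checks the pieces the thread touches and nothing more: it does not inspect what the linked programs themselves can do, which is why the symlink set should stay as small as the original post keeps it.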
 