pSeries Tech Forums

#1
I just wanted to restrict my user to his own directory, so that he can't even look in /etc or any other file system. He can only view things and write them in his own directory. I have already tried sudo. Does anyone have any other idea for this? Waiting for the reply.

#2
You can change his default shell (smitty user) to use a restricted shell.

Instead of /usr/bin/ksh use: /usr/bin/rksh

Make sure you've listed this shell in /etc/security/login.cfg

Using this shell restricts the user significantly...

#3
Thanks John. Just wanted to confirm 2 more things: how to put the entry in login.cfg if rsh is not there. Secondly, if I want to allow the user into some directories and also restrict him from some directories, how can I do it? For example, I want to allow him to access /etc /usr but I want to restrict him from /var etc. How can I do it? Thanks John.

#4
On adding it to the list of valid shells, at the bottom, just add it to the end of the line that says...

shells = ......., your new shell path

But be careful ..... rsh is actually....

The /usr/bin/rsh command executes the command specified by the Command parameter at the remote host specified by the RemoteHost parameter

You need to use /usr/bin/rksh : Which invokes the restricted version of the Korn shell.

For refining rksh, check out the man page.... and ... IBM Systems Information Center

Depending on the level of security required (and your coding capability), you could also write a menu-driven shell script, or even a small C program, with only a small subset of functions defined (display log, show bdf output, etc, etc) and restrict the user's abilities that way.

Then, set the user's shell to point to this file in /etc/passwd (first, add it into the valid list of shells), e.g.

mruser:x:100:100:Mr User:/home/dir:/path/to/program

You must be careful that no backdoor exists with such a method, however (i.e. make sure that crashing the script with ^C doesn't drop the user into a shell, etc).

Maybe you don't even need all that. Will enforcing proper system security not resolve your problem?

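The menu-driven login shell described in post #4, sketched as an added example that is not part of the original thread; it ignores keyboard signals and only ever runs fixed commands, so interrupting or feeding it odd input cannot drop the user into a shell. The path /usr/local/bin/opmenu, the log file /var/log/app.log and the function names are hypothetical, and the script would still have to be added to the shells = line in /etc/security/login.cfg as the post says.

```shell
#!/bin/sh
# Added example: fixed-menu login shell (hypothetical path /usr/local/bin/opmenu).
# Ignore keyboard signals so ^C, ^\ and ^Z cannot break out of the menu.
trap '' INT QUIT TSTP

# Fixed search path and no inherited startup file or field separator.
PATH=/usr/bin:/bin
export PATH
unset ENV IFS

LOGFILE=/var/log/app.log   # hypothetical log file the user may read

# Map one menu choice to one fixed command. The input is only compared
# against literals and is never expanded or evaluated.
# Returns 0 on success, 2 for a rejected choice, 10 for "log out".
run_choice() {
    case "$1" in
        1) df -k ;;
        2) tail -n 20 "$LOGFILE" ;;   # no pager: pagers can offer shell escapes
        q) return 10 ;;
        *) echo "Invalid choice" >&2; return 2 ;;
    esac
}

menu_loop() {
    while :; do
        printf '1) Filesystem usage\n2) Last 20 log lines\nq) Log out\n> '
        # EOF (^D or a dropped line) ends the session.
        IFS= read -r choice || return 0
        run_choice "$choice"
        [ $? -eq 10 ] && return 0
    done
}

# Only serve the menu on a terminal; any other invocation (for example
# with arguments such as -c "cmd") falls through and the script ends
# without running anything.
if [ -t 0 ]; then
    menu_loop
    exit 0
fi
```
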
#5
Dear John, thanks a lot. I have checked the rksh thing and the user is restricted to his profile only. But still I am unable to get how I can restrict him from some directories and allow him for some directories. As I am new to AIX I don't know any scripting. Regards

#6
Well, read up on configuring the rksh; there are a couple of tricks on allowing or restricting certain information, but what is it that they should and shouldn't be able to do? It sounds like applying the correct permissions, users and groups to your structure might do the trick. Else you could also look at sudo.... it solves many problems...

If you want tight security: create a user "pawn" and place him in his own group "outcasts", then give him the rksh shell. If he wants to view anything, let him give you a list of locations that is acceptable to you, and add them to sudo....

ALSO don't use vi in sudoers, as this is a security hole. Use tvi ... to just view, ...use 'more'.