Manage Internal command on Linux\Unix environment via PUM


Greetings for the Day!!

We have configured PUM with the /usr/bin/cpcksh shell for login on the server.
We are able to do every possible configuration, but for some commands PUM
is not able to authorize or deny. After some research on the same, we
figured out that these commands are internal commands of the shell, such as
pwd, cd, echo.

How could we restrict these commands from cpcksh shell or via PUM?

Regards,
RK


--
rajeshemailto
------------------------------------------------------------------------
rajeshemailto's Profile: https://forums.netiq.com/member.php?userid=196
View this thread: https://forums.netiq.com/showthread.php?t=42626


  • Hello -

    The commands you mentioned (cd, ls) are built-in commands and are never
    sent to the framework manager for authorization, meaning with cpcksh or
    pcksh you can NOT limit these commands.

    With PUM there are two ways of granting someone rights to do things.
    First is to give someone a full shell (cpcksh, pcksh, etc.). The other is
    to only grant them rights to do the exact privileged command. So
    instead of giving them a shell and then restricting things, have them
    log in with their normal shell and then create rules to allow them to run
    privileged commands via usrun.

    Why do you want to block them from using cd?

    If you have to give them a PUM shell, one option is to set up Enhanced
    Access Control (EAC) to further limit rights to specific filesystem
    directories, regardless of the user logged in (even root).

    You can take a look at EAC in the documentation here:
    http://tinyurl.com/8jwkvym


    - Brett



    rajeshemailto;201836 Wrote:
    > Greetings for the Day!!
    >
    > We have configured PUM with /usr/bin/cpcksh shell for login in server.
    > We are able to do every possible configuration but for some command, PUM
    > is not able to authorize or denying. After some research on the same, we
    > figured-out that these commands are internal commands of the shell as
    > pwd, cd, echo.
    >
    > How could we restrict these commands from cpcksh shell or via PUM?
    >
    > Regards,
    > RK



    --
    deni
    ------------------------------------------------------------------------
    deni's Profile: https://forums.netiq.com/member.php?userid=1793


  • Brett,

    > Why do you want to block them from using cd?


    We got a use case from a client stating that they have a few servers where
    information is available in the form of files. These files are stored in
    a specific location on the server. Now they want that when a user logs in,
    he/she should not move anywhere except a few locations on the server, say,
    /usr/shareddoc.

    As you mentioned, we configured EAC but are still facing an issue. EAC works
    fine for commands like 'ls' or 'mkdir' but is not behaving for the 'cd'
    command. Also, I tried to use the PUM shell "/usr/bin/rpcksh" but session
    capture is not happening. I tried to look into the logs but found no event
    for session start or end.

    Regards,
    RK


    --
    rajeshemailto
    ------------------------------------------------------------------------
    rajeshemailto's Profile: https://forums.netiq.com/member.php?userid=196


  • You should be able to use Enhanced Access Control Policy Script to
    accomplish what you are wanting to do.

    Let's assume I have a directory called /data/private that I don't want
    users to have access to. I can set up a PUM rule to allow them to have a
    privileged pcksh shell as root, but block them from accessing
    /data/private, even though they are root.

    The sample rule would look something like this.

    Begin Rule: EAC block directory
    If ((command IN pcksh) AND (user IN linux admins))
    Then
    Set Authorize: yes
    Set Session Capture: yes
    Run Script: Enhanced Access Control Policy(policy:path default all:log
    path /data/private/** !all:log=9)
    End If
    End Rule: EAC block directory




    brett@sd200:~> usrun -u root pcksh
    # whoami
    root
    # cd /data
    # ls -al
    /bin/ls: cannot access private: Permission denied
    total 80
    drwxr-xr-x 18 bergerbr users 4096 May 24 15:11 .
    drwxr-xr-x 27 root root 4096 Oct 3 14:42 ..
    drwx------ 2 root root 16384 May 13 2009 lost+found
    d????????? ? ? ? ? ? private
    drwxr-xr-x 13 root root 4096 Sep 5 12:10 shared
    drwxr-xr-x 6 bergerbr users 4096 Apr 28 2009 tools
    drwx------ 5 bergerbr users 4096 Dec 2 2010 .Trash-1000
    # cd private
    pcksh: cd: /data/private - Permission denied


    Notice that I can see the private directory, but no information
    regarding it, nor can I 'cd' into the directory. The Enhanced Access
    Control (EAC) policy is what stopped me from accessing this, even though
    I am root.

    Add the 'Enhanced Access Control Policy' script to the rule, and then
    add a Script Argument of
    Name:policy
    Value: path default all:log
    path /data/private/** !all:log=9


    That should do it. Good luck.

    -Brett


    --
    deni
    ------------------------------------------------------------------------
    deni's Profile: https://forums.netiq.com/member.php?userid=1793

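To make the policy argument in Brett's rule concrete, here is an added Python model (not PUM's own code, and not a statement of how PUM actually implements EAC) of how such a string can be parsed and applied: it reads the two `path` entries and decides sample paths, showing that `/data/private/**` covers the directory and its contents but not a sibling such as `/data/privateer`. The `**` matching, the "last matching entry wins" ordering and the default log level of 1 are assumptions of this model.

```python
"""Toy evaluator for an EAC-style policy string (added example, not PUM code).
Model assumed here: each 'path <pattern> <perm>' entry is read in order,
'default' matches every path, a pattern ending in '/**' matches that directory
and everything beneath it, 'all' permits and '!all' denies, ':log' enables
logging (level 1 unless ':log=N'), and the last matching entry wins.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Policy argument exactly as posted in the thread (constructed test input).
POLICY = "path default all:log\npath /data/private/** !all:log=9"

@dataclass
class PathEntry:
    pattern: str
    allow: bool
    log_level: int  # 0 means no logging

def parse_policy(text: str) -> list[PathEntry]:
    # Tolerates the run-together form 'all:logpath /data/...' seen in the posts.
    pat = re.compile(r"path\s+(\S+)\s+(!?)all(:log(?:=(\d+))?)?")
    entries = []
    for m in pat.finditer(text):
        pattern, deny, logged, level = m.groups()
        log_level = int(level) if level else (1 if logged else 0)
        entries.append(PathEntry(pattern, deny != "!", log_level))
    return entries

def matches(pattern: str, path: str) -> bool:
    if pattern == "default":
        return True
    if pattern.endswith("/**"):
        base = pattern[:-3]
        return path == base or path.startswith(base + "/")
    return path == pattern

def decide(entries: list[PathEntry], path: str) -> tuple[bool, int]:
    """Return (allowed, log_level); deny when no entry matches."""
    verdict = (False, 0)
    for e in entries:
        if matches(e.pattern, path):
            verdict = (e.allow, e.log_level)
    return verdict

if __name__ == "__main__":
    rules = parse_policy(POLICY)
    for p in ["/data/shared/report.txt", "/data/private", "/data/private/a", "/data/privateer"]:
        allowed, lvl = decide(rules, p)
        print(f"{p}: {'allowed' if allowed else 'Permission denied'} (log={lvl})")
```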

  • Hi Brett,

    Operating System: Linux 6.2 64 bit
    I have the same problem blocking access to a specific directory, like the
    private directory in your sample rule.
    I have created a rule for the private directory in the data directory,
    /data/private.

    My rule looks like this:

    Begin Rule: EAC rule
    If ((user IN linux admins) AND (command IN pcksh))
    Then
    Set Authorize: yes
    Set Session Capture: yes
    Run Script: Enhanced Access Control Policy(policy:path default all:log
    path /data/private/** !all:log=9)
    End If
    End Rule: EAC rule

    In the linux admins group I have a user named rizwan, and the login shell
    of this user is pcksh.
    And is (command IN pcksh) the correct command?

    But this rule does not solve my problem.
    For example:
    [root@Prum Desktop]# su - rizwan
    $ usrun -u root pcksh
    # whoami
    root
    # cd /data
    # ls -al
    total 12
    drwxr-xr-x 3 root root 4096 Feb 7 19:05 .
    dr-xr-xr-x. 28 root root 4096 Feb 7 19:05 ..
    drwxr-xr-x 2 root root 4096 Feb 7 19:05 private
    # cd private
    # cd /data/private
    # ls
    a b

    The user is not restricted from the private directory.
    Please help me.

    Regards
    Rizwan Ahmed


    --
    Rizwan_ahmed
    ------------------------------------------------------------------------
    Rizwan_ahmed's Profile: https://forums.netiq.com/member.php?userid=4224


  • Rizwan, I answered this on the new thread you started.


    Name: policy
    Value: path default all:log
    path /data/private/** !all:log=9

    Here is what the proper pseudocode would look like:

    Begin Rule: cpcksh
    If ((command IN Cpcksh shell login))
    Then
    Set Authorize: yes
    Set Session Capture: yes
    Run Script: Enhanced Access Control Policy(policy:path default all:log
    path /data/private/** !all:log=9)
    Stop if authorized
    End If
    End Rule: cpcksh

    -deni


    --
    deni
    ------------------------------------------------------------------------
    deni's Profile: https://forums.netiq.com/member.php?userid=1793