We have configured PUM with the /usr/bin/cpcksh shell for login on the server. We are able to do every possible configuration, but for some commands PUM is not able to authorize or deny. After some research on this, we figured out that these commands are internal commands of the shell, such as pwd, cd and echo.
How could we restrict these commands from the cpcksh shell or via PUM?
The commands you mentioned (cd, ls) are built-in commands and are never sent to the framework manager for authorization, meaning that with cpcksh or pcksh you can NOT limit these commands.
With PUM there are two ways of granting someone rights to do things. The first is to give someone a full shell (cpcksh, pcksh, etc.). The other is to grant them rights only to the exact privileged command. So instead of giving them a shell and then restricting things, have them log in with their normal shell and then create rules to allow them to run privileged commands via usrun.
Why do you want to block them from using cd?
If you have to give them a PUM shell, one option is to set up Enhanced Access Control (EAC) to further limit rights to specific filesystem directories, regardless of the user logged in (even root).
rajesh Wrote:
> Greetings for the Day!!
>
> We have configured PUM with the /usr/bin/cpcksh shell for login on the server.
> We are able to do every possible configuration, but for some commands PUM
> is not able to authorize or deny. After some research on this, we
> figured out that these commands are internal commands of the shell, such as
> pwd, cd and echo.
>
> How could we restrict these commands from the cpcksh shell or via PUM?
>
> Regards,
> RK
We got a use case from a client stating that they have a few servers where information is available in the form of files. These files are stored in a specific location on the server. Now they want that when a user logs in, he/she should not be able to move anywhere except a few locations on the server, say /usr/shareddoc.
As you mentioned, we configured EAC but are still facing the issue. EAC works fine for commands like 'ls' or 'mkdir' but does not behave for the 'cd' command. Also, I tried to use the PUM shell "/usr/bin/rpcksh" but session capture is not happening. I tried to look into the logs but found no event for session start or end.
You should be able to use the Enhanced Access Control Policy script to accomplish what you want to do.
Let's assume I have a directory called /data/private that I don't want users to have access to. I can set up a PUM rule to allow them to have a privileged pcksh shell as root, but block them from accessing /data/private, even though they are root.
The sample rule would look something like this.
    Begin Rule: EAC block directory
      If ((command IN pcksh) AND (user IN linux admins)) Then
        Set Authorize: yes
        Set Session Capture: yes
        Run Script: Enhanced Access Control Policy(policy:path default all:log path /data/private/** !all:log=9)
      End If
    End Rule: EAC block directory

    brett@sd200:~> usrun -u root pcksh
    # whoami
    root
    # cd /data
    # ls -al
    /bin/ls: cannot access private: Permission denied
    total 80
    drwxr-xr-x 18 bergerbr users  4096 May 24 15:11 .
    drwxr-xr-x 27 root     root   4096 Oct  3 14:42 ..
    drwx------  2 root     root  16384 May 13  2009 lost+found
    d?????????  ? ?        ?         ?            ? private
    drwxr-xr-x 13 root     root   4096 Sep  5 12:10 shared
    drwxr-xr-x  6 bergerbr users  4096 Apr 28  2009 tools
    drwx------  5 bergerbr users  4096 Dec  2  2010 .Trash-1000
    # cd private
    pcksh: cd: /data/private - Permission denied
Notice that I can see the private directory but no information about it, nor can I 'cd' into it. The Enhanced Access Control (EAC) policy is what stopped me from accessing it, even though I am root.
Add the 'Enhanced Access Control Policy' script to the rule, and then add a Script Argument with Name: policy and Value: path default all:log path /data/private/** !all:log=9
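To make the session above easier to reason about, here is a small model of how a path policy of the form "path default all:log path /data/private/** !all:log=9" produces what the transcript shows: listing /data works, the stat of the private entry fails (hence the "d?????????" row), and cd into /data/private is refused. This is an added illustration, not PUM code and not the product's real policy engine; the parse grammar, the last-match-wins ordering and the reading of "/**" as "the directory itself and everything under it" are my assumptions chosen to reproduce the observed behaviour.

```python
"""Illustrative model of a path-based EAC policy (added example, not PUM code).

Assumptions (mine, not from the product):
  * clauses are 'path <pattern> <all|!all>[:log[=N]]', evaluated in order,
    last matching clause wins;
  * 'default' matches every path;
  * a pattern ending in '/**' matches that directory and everything below it.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    pattern: str               # 'default' or an absolute path, optionally ending in '/**'
    allow: bool                # 'all' grants access, '!all' denies it
    log_level: Optional[int]   # N from ':log=N'; None when ':log' has no level

    def matches(self, path: str) -> bool:
        if self.pattern == "default":
            return True
        if self.pattern.endswith("/**"):
            base = self.pattern[:-3]
            # The subtree pattern covers the directory itself and its descendants,
            # but not a sibling whose name merely shares the prefix (/data/privateer).
            return path == base or path.startswith(base + "/")
        return path == self.pattern


def parse_policy(text: str) -> List[Rule]:
    """Turn the policy string into an ordered list of Rules."""
    tokens = text.split()
    rules: List[Rule] = []
    i = 0
    while i < len(tokens):
        if tokens[i] != "path":
            raise ValueError(f"unexpected token {tokens[i]!r}")
        pattern, action = tokens[i + 1], tokens[i + 2]
        i += 3
        perm, _, log = action.partition(":")      # 'all' / '!all', then 'log' or 'log=9'
        if perm not in ("all", "!all"):
            raise ValueError(f"unknown permission {perm!r}")
        level: Optional[int] = None
        if log:
            _, _, n = log.partition("=")
            level = int(n) if n else None
        rules.append(Rule(pattern, perm == "all", level))
    return rules


def decide(rules: List[Rule], path: str) -> Tuple[bool, Optional[int]]:
    """Return (allowed, log_level) for an access to `path`; last match wins."""
    verdict: Tuple[bool, Optional[int]] = (False, None)
    for r in rules:
        if r.matches(path):
            verdict = (r.allow, r.log_level)
    return verdict


def ls_al(rules: List[Rule], directory: str, entries: List[str]):
    """Model `ls -al`: reading the directory needs access to the directory,
    then each entry is stat'ed on its own; a denied entry shows as '?'."""
    allowed, _ = decide(rules, directory)
    if not allowed:
        raise PermissionError(directory)
    rows = []
    for name in entries:
        child = f"{directory.rstrip('/')}/{name}"
        ok, _ = decide(rules, child)
        rows.append((name, "ok" if ok else "?"))
    return rows


# Policy string from the rule above (constructed sample input).
POLICY = "path default all:log path /data/private/** !all:log=9"

if __name__ == "__main__":
    rules = parse_policy(POLICY)
    print(decide(rules, "/data"))            # (True, None)
    print(decide(rules, "/data/private"))    # (False, 9)
    print(decide(rules, "/data/private/a"))  # (False, 9)
    print(decide(rules, "/data/privateer"))  # (True, None): sibling, not in the subtree
    print(ls_al(rules, "/data", ["private", "shared"]))  # [('private', '?'), ('shared', 'ok')]
```

The point of the model is the split between readdir on the parent and stat on the child: the parent listing is allowed by the default clause, so the entry name "private" is visible, while every operation on /data/private itself (stat, cd) falls under the denying clause.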
Operating System: Linux 6.2 64 bit. I have the same problem blocking access to a specific directory, like the private directory in your sample rule. I have created a rule for the private directory in the data directory, /data/private.
My rule looks like:
    Begin Rule: EAC rule
      If ((user IN linux admins) AND (command IN pcksh)) Then
        Set Authorize: yes
        Set Session Capture: yes
        Run Script: Enhanced Access Control Policy(policy:path default all:log path /data/private/** !all:log=9)
      End If
    End Rule: EAC rule

In the linux admins group I have a user named rizwan, and the login shell of this user is pcksh. And in (Command in pcksh), is pcksh the correct command?
But this rule does not solve my problem. For example:

    [root@Prum Desktop]# su - rizwan
    $ usrun -u root pcksh
    # whoami
    root
    # cd /data
    # ls -al
    total 12
    drwxr-xr-x   3 root root 4096 Feb  7 19:05 .
    dr-xr-xr-x. 28 root root 4096 Feb  7 19:05 ..
    drwxr-xr-x   2 root root 4096 Feb  7 19:05 private
    # cd private
    # cd /data/private
    # ls
    a  b

The user is not restricted from the private directory. Please help me.
Here is what the proper pseudocode would look like:

    Begin Rule: cpcksh
      If ((command IN Cpcksh shell login)) Then
        Set Authorize: yes
        Set Session Capture: yes
        Run Script: Enhanced Access Control Policy(policy:path default all:log path /data/private/** !all:log=9)
        Stop if authorized
      End If
    End Rule: cpcksh