Change the Shell


Hi,

I am new to the NPUM and I have a query.

I have users with /bin/bash as their login shell and I want to restrict them
from accessing a folder. Is it possible to do so by using Novell Privileged
User Manager?

If yes, can you guide me on how to do so?

Thanks in Advance for your help.

Best Regards,

Saqib Farooq


--
saqibfarooq87
------------------------------------------------------------------------
saqibfarooq87's Profile: https://forums.netiq.com/member.php?userid=5544
View this thread: https://forums.netiq.com/showthread.php?t=48270


  • Saqib,

    Sorry for the late reply. If you haven't solved the problem already,
    PUM can do what you are asking and here is how.

    With PUM (using a script called Enhanced Access Control) you can have a
    user become root, yet not allow access to a particular directory (ex:
    /data/hr).

    I'm assuming you want users to login with their normal account, then
    become root, but limit the filesystem as root. If so, here is how I did
    it.


    1. I created a "command" called 'EAC as root' and it looks like this:
    Rewrite: /bin/bash
    Command: eacroot

    2. I created a group called 'sshadmins' and made 'brett' a member of
    that group.

    3. Import the 'Enhanced Access Control Policy' script available from the
    embedded samples. (Command Control | Import Samples|Sample Perl Script
    | Enhanced Access Control Policy |Finish)

    4. I created a rule called 'root with EAC'
    Drag the command, group and imported script to this rule. Set the run
    user as 'root'. Authorize=Yes and Session Capture=Yes.

    5. Select the Rule, from the left nav, select 'Script Arguments' and
    add the following:

    Name: policy
    Value: path default all:log
    path /data/hr/** !all:log=9

    Once done, the Pseudocode of the rule should look like the following:

    Begin Rule: root with EAC
    If ((command IN EAC as root) AND (user IN sshadmins))
    Then
    Set Authorize: yes
    Set Session Capture: yes
    Set runUser = "root"
    Run Script: Enhanced Access Control Policy(policy:path default all:log
    path /data/hr/** !all:log=9)
    Stop if authorized
    End If
    End Rule: root with EAC

    User experience:

    1. Login as brett and become root by typing 'usrun eacroot'
    2. Change to /data/, notice the 'hr' folder shows all question marks
    (Enhanced Access Control Policy does not allow the user to know about
    the folder properties)
    3. Attempt to change into the 'hr' folder - get permission denied.

    brett@bberger5:~> usrun eacroot
    bberger5:/home/brett # whoami
    root
    bberger5:/data # echo $SHELL
    /bin/bash
    bberger5:/home/brett # cd /data
    bberger5:/data # ls -hal
    ls: cannot access hr: Permission denied
    total 8.0K
    drwxr-xr-x 3 root root 4.0K Sep 5 14:10 .
    drwxr-xr-x 25 root root 4.0K Sep 13 10:25 ..
    d????????? ? ? ? ? ? hr
    bberger5:/data # cd hr
    bash: cd: hr: Permission denied
    bberger5:/data #

    I sure hope this helps you.

    -Brett





    saqibfarooq87;231956 Wrote:
    > Hi,
    >
    > I am new to the NPUM and I have a query.
    >
    > I have users with /bin/bash as their login shell and I want to restrict them
    > from accessing a folder. Is it possible to do so by using Novell Privileged
    > User Manager?
    >
    > If yes, can you guide me on how to do so?
    >
    > Thanks in Advance for your help.
    >
    > Best Regards,
    >
    > Saqib Farooq



    --
    deni
    ------------------------------------------------------------------------
    deni's Profile: https://forums.netiq.com/member.php?userid=1793
    View this thread: https://forums.netiq.com/showthread.php?t=48270
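As an added illustration (not code from the thread and not the Enhanced Access Control script that ships with PUM), here is a small Python model of how a two-line path policy like the one Brett uses can be evaluated. The parser, the precedence rule (a specific `path` entry overrides `default`; the last matching specific entry wins), the reading of `/data/hr/**` as covering the directory itself and everything beneath it, and the lexical normalisation of the requested path are all assumptions chosen to reproduce the behaviour shown in the session above; the real script may implement the syntax differently. The sample paths at the bottom are constructed for the demonstration.

```python
"""Illustrative model of an EAC-style path policy (not PUM's implementation).

Policy lines have the shape seen in the thread:

    path default all:log
    path /data/hr/** !all:log=9

"all" is the full set of rights, a leading "!" negates it, and ":log=N"
sets a log level for accesses that hit the entry (":log" alone = level 0).
"""
import fnmatch
import os
from dataclasses import dataclass

# The policy exactly as it appears in the post's Script Arguments.
POLICY = """\
path default all:log
path /data/hr/** !all:log=9
"""


@dataclass(frozen=True)
class PathRule:
    pattern: str  # "default" or a path glob such as "/data/hr/**"
    allow: bool   # False when the right is written as "!all"
    log: int      # log level; 0 when ":log" carries no "=N"


def parse_policy(text: str) -> list[PathRule]:
    """Parse 'path <pattern> <right>[:log[=N]]' lines into PathRule objects."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] != "path":
            raise ValueError(f"unsupported policy line: {line!r}")
        _, pattern, spec = parts
        right, sep, level = spec.partition(":log")
        if right.lstrip("!") != "all":
            raise ValueError(f"only 'all' rights are modelled: {spec!r}")
        log = int(level.lstrip("=") or "0") if sep else 0
        rules.append(PathRule(pattern, allow=not right.startswith("!"), log=log))
    return rules


def _matches(pattern: str, path: str) -> bool:
    """Assumed glob semantics: 'X/**' covers X itself and all of its descendants.

    The explicit startswith(base + "/") check keeps /data/hr/** from also
    matching a sibling such as /data/hrx, which a plain prefix test would.
    """
    if pattern.endswith("/**"):
        base = pattern[:-3]
        return path == base or path.startswith(base + "/")
    return fnmatch.fnmatchcase(path, pattern)


def evaluate(rules: list[PathRule], path: str) -> tuple[bool, int]:
    """Return (allowed, log_level) for a path under the modelled precedence.

    The path is normalised lexically first (assumption), so "/data/hr/../x"
    is judged as "/data/x". Note this does not resolve symlinks; a policy
    engine that wants to be robust must canonicalise on the real filesystem.
    """
    path = os.path.normpath(path)
    decision = None
    for rule in rules:
        if rule.pattern == "default":
            decision = decision or rule          # lowest precedence
        elif _matches(rule.pattern, path):
            decision = rule                      # specific entry overrides
    if decision is None:
        raise LookupError(f"no rule covers {path!r}")
    return decision.allow, decision.log


RULES = parse_policy(POLICY)

if __name__ == "__main__":
    # Constructed sample paths; the first three mirror Brett's session.
    for p in ["/data", "/data/hr", "/data/hr/payroll.csv", "/data/hrx",
              "/data/hr/../public"]:
        allowed, level = evaluate(RULES, p)
        print(f"{p:24s} -> {'allow' if allowed else 'DENY':5s} log={level}")
```

Run it directly and the three paths taken from the session come out as the transcript shows: /data is allowed, while /data/hr and anything beneath it are denied and logged at level 9. The two extra paths illustrate the checks worth having in any such matcher: a sibling directory whose name merely starts with `hr` must not be caught by the pattern, and a `..` component must not be allowed to walk out of the protected tree.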