
Change the Shell


Hi,

I am new to the NPUM and I have a query.

I have users with /bin/bash as their login shell and I want to restrict them
from accessing a folder. Is it possible to do so by using Novell Privileged
User Manager?

If yes, can you guide me on how to do so?

Thanks in Advance for your help.

Best Regards,

Saqib Farooq


--
saqibfarooq87
------------------------------------------------------------------------
saqibfarooq87's Profile: https://forums.netiq.com/member.php?userid=5544
View this thread: https://forums.netiq.com/showthread.php?t=48270


Re: Change the Shell


Saqib,

Sorry for the late reply. If you haven't solved the problem already,
PUM can do what you are asking and here is how.

With PUM (using a script called Enhanced Access Control) you can have a
user become root, yet not allow access to a particular directory (e.g.
/data/hr).

I'm assuming you want users to login with their normal account, then
become root, but limit the filesystem as root. If so, here is how I did
it.


1. I created a "command" called 'EAC as root' and it looks like this:
Rewrite: /bin/bash
Command: eacroot

2. I created a group called 'sshadmins' and made 'brett' a member of
that group.

3. Import the 'Enhanced Access Control Policy' script available from the
embedded samples. (Command Control | Import Samples | Sample Perl Script
| Enhanced Access Control Policy | Finish)

4. I created a rule called 'root with EAC'
Drag the command, group and imported script to this rule. Set the run
user as 'root'. Authorize=Yes and Session Capture=Yes.

5. Select the rule; from the left nav, select 'Script Arguments' and
add the following:

Name: policy
Value: path default all:log
path /data/hr/** !all:log=9

Once done, the Pseudocode of the rule should look like the following:

Begin Rule: root with EAC
If ((command IN EAC as root) AND (user IN sshadmins))
Then
Set Authorize: yes
Set Session Capture: yes
Set runUser = "root"
Run Script: Enhanced Access Control Policy(policy:path default
all:logpath /data/hr/** !all:log=9)
Stop if authorized
End If
End Rule: root with EAC

User experience:

1. Login as brett and become root by typing 'usrun eacroot'
2. Change to /data/ and notice that the 'hr' folder shows all question marks
(Enhanced Access Control Policy does not allow the user to know about
the folder's properties).
3. Attempt to change into the 'hr' folder: permission denied.

brett@bberger5:~> usrun eacroot
bberger5:/home/brett # whoami
root
bberger5:/data # echo $SHELL
/bin/bash
bberger5:/home/brett # cd /data
bberger5:/data # ls -hal
ls: cannot access hr: Permission denied
total 8.0K
drwxr-xr-x 3 root root 4.0K Sep 5 14:10 .
drwxr-xr-x 25 root root 4.0K Sep 13 10:25 ..
d????????? ? ? ? ? ? hr
bberger5:/data # cd hr
bash: cd: hr: Permission denied
bberger5:/data #

I sure hope this helps you.

-Brett





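A small model of how a policy argument like the one in the reply above is evaluated, added here as an illustration and not NPUM's own Enhanced Access Control script. It assumes '!all' denies and 'all' allows, ':log=N' sets a log level (bare ':log' is level 1), '**' spans directory components, and a specific path rule overrides 'default'.

```python
import re
from dataclasses import dataclass

@dataclass
class Rule:
    pattern: str    # "default" or a path glob such as /data/hr/**
    allow: bool     # True for "all", False for "!all"
    log_level: int  # 0 = no logging, 1 = bare ":log", N = ":log=N"

def parse_policy(text: str) -> list:
    """Parse 'path <pattern> <perm>[:log[=N]]' lines, one rule per line."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] != "path":
            raise ValueError(f"unrecognised policy line: {line!r}")
        _, pattern, spec = parts
        perm, _, log = spec.partition(":")
        # ":log=N" -> N, bare ":log" -> 1, no suffix -> 0 (anything else fails loudly)
        level = int(log[4:]) if log.startswith("log=") else {"": 0, "log": 1}[log]
        rules.append(Rule(pattern, not perm.startswith("!"), level))
    return rules

def matches(pattern: str, path: str) -> bool:
    """Glob match: '**' spans directories, '*' stays within one component.
    Assumption: a trailing '/**' also covers the directory itself (the
    thread's listing shows the hr directory itself as unreadable)."""
    if pattern == "default":
        return True
    if pattern.endswith("/**"):
        return re.fullmatch(re.escape(pattern[:-3]) + r"(/.*)?", path) is not None
    regex = re.escape(pattern).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
    return re.fullmatch(regex, path) is not None

def evaluate(rules: list, path: str) -> tuple:
    """Return (allowed, log_level). Assumed precedence: the last matching
    specific rule wins; 'default' applies only when nothing else matches."""
    chosen = None
    for rule in rules:
        if rule.pattern != "default" and matches(rule.pattern, path):
            chosen = rule
    if chosen is None:
        chosen = next((r for r in rules if r.pattern == "default"), None)
    if chosen is None:
        return (False, 0)  # no applicable rule at all: deny
    return (chosen.allow, chosen.log_level)

# Constructed sample: the 'policy' script argument from the thread
POLICY = "path default all:log\npath /data/hr/** !all:log=9\n"
```

Running `evaluate(parse_policy(POLICY), "/data/hr/payroll.xlsx")` yields a deny at log level 9, while any path outside /data/hr falls through to the logged allow of the default rule.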