
Unable to log in from the login window with a user whose shell is cpcksh


Hi Novell

I am unable to log in with the users whose login shell is
'/usr/bin/cpcksh'.
When I logged in as riz, whose login shell is '/usr/bin/cpcksh', from
the command line it's OK, there is no problem with that,
like when I logged in via the su command:

[root@Prum Desktop]# su - riz
path default all:log
path /data/private/** !all:log=9

[riz@Prum ~]$ cd /data
[riz@Prum data]$ ls
ls: cannot access private: Permission denied
private
[riz@Prum data]$

But I am unable to log in with the user whose login shell is
'/usr/bin/cpcksh' from the login window.
For example:
go to System -> Log out root -> Log out,
and then try to log in from the login window with the user whose login
shell is '/usr/bin/cpcksh'.
I am unable to log in from there.

Thu Feb 14 18:20:22 2013, 508, 1742722816, 2627, Info, cmdctrl request
denied for 'cpcksh -c gnome-session' from riz@prum
Thu Feb 14 18:20:22 2013, 522, 1742722816, 2627, Info, cmdctrl checkAuth
client:prum rc:0 status:0 (15ms)

I found these two lines in the unifid.log file when I was trying to
log in from the login window.

I have some questions; sorry for the inconvenience, as I am a beginner
user of this product.

1. Is there any rule required to log in from the login window?
2. I have tried these things using the user whose login shell is
'/usr/bin/pcksh' in the same way as I tried with the cpcksh login shell,
but I can't achieve this through the pcksh login shell?
3. If it is possible with the pcksh login shell, then what will be the
command for the pcksh login shell?

Thanks in advance
Best Regards
Rizwan Ahmed


--
Rizwan_ahmed
------------------------------------------------------------------------
Rizwan_ahmed's Profile: https://forums.netiq.com/member.php?userid=4224
View this thread: https://forums.netiq.com/showthread.php?t=46839


Re: Unable to log in from the login window with a user whose shell is cpcksh


Rizah,

Command Control does exactly what you tell it to do. Commands are
submitted to Command Control, we go through the rules top to bottom and
we either Match or don't. If we match, we do what the rule says we can
do, for example - Authorize and/or run as a particular user. However if
we go through all the rules and we don't match, then Command Control is
going to deny the submitted command.

In your case, the command that is being sent to Command Control is a
little different than what you have allowed within your rules. The best
way to see this is by going into Home | Reporting and looking at
'command' to see what was actually submitted to Command Control.

For example, your rule says:

Begin Rule: cpcksh
If ((command IN Cpcksh shell login))
Then
Set Authorize: yes
Set Session Capture: yes
Run Script: Enhanced Access Control Policy(policy:path default all:log
path /data/private/** !all:log=9)
Stop if authorized
End If
End Rule: cpcksh

Where the command 'Cpcksh shell login' has the following commands:
-cpcksh
-crush

In this case you've allowed the above two commands and two commands only.


If you look in Home | Reporting - you should see that when a command is
successful, it shows that the command submitted to Command Control was
'-cpcksh' (It matched the rule.)

You will also notice that when you login from the GUI, you get the
following in the unifid.log

Info, cmdctrl request denied for 'cpcksh -c gnome-session' from
riz@prum

The submitted command to Command Control was 'cpcksh -c gnome-session'
and does NOT match '-cpcksh'

Since your rule only allows '-cpcksh' or '-crush', 'cpcksh -c
gnome-session' does NOT match your configured Rule and Commands, and
Command Control therefore denies the command that was submitted (as it should).

The easiest answer is to add 'cpcksh -c gnome-session' to the command
'Cpcksh shell login'

You could also add 'cpcksh *' which would match cpcksh and then anything
afterwards.

When things are being denied, look in Home | Reporting to see what
command was submitted and check whether it happens to match any of your
configured rules.

Hope this helps.

-deni


--
deni
------------------------------------------------------------------------
deni's Profile: https://forums.netiq.com/member.php?userid=1793
View this thread: https://forums.netiq.com/showthread.php?t=46839
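An added illustration (not product code, not deni's) of the matching described in this reply: rules are walked top to bottom, a command group entry matches the submitted string exactly, and a miss on every rule is a deny. It re-checks the unifid.log lines quoted above against the rule set, then against the same rule with 'cpcksh *' added; treating a '*' entry as a glob via fnmatch is an assumption about Command Control's wildcard semantics.

```python
import re
from fnmatch import fnmatchcase

# Constructed rule set mirroring the thread: the 'cpcksh' rule whose command
# group 'Cpcksh shell login' holds exactly the two literal entries.
RULES = [{"name": "cpcksh", "commands": ["-cpcksh", "-crush"], "authorize": True}]
# The same rule after adding the 'cpcksh *' entry deni suggests.
WIDENED = [{"name": "cpcksh", "commands": ["-cpcksh", "-crush", "cpcksh *"],
            "authorize": True}]

LOG_RE = re.compile(r"cmdctrl request (?P<decision>denied|accepted) "
                    r"for '(?P<cmd>[^']+)' from (?P<who>\S+)")

# Constructed from the two unifid.log lines quoted above, rejoined onto one line each.
SAMPLE_LOG = [
    "Thu Feb 14 18:20:22 2013, 508, 1742722816, 2627, Info, cmdctrl request "
    "denied for 'cpcksh -c gnome-session' from riz@prum",
    "Thu Feb 14 18:20:22 2013, 522, 1742722816, 2627, Info, cmdctrl checkAuth "
    "client:prum rc:0 status:0 (15ms)",
]

def command_matches(pattern, submitted):
    # A literal entry matches exact text only, so '-cpcksh' never matches
    # 'cpcksh -c gnome-session'. An entry containing '*' is treated as a glob
    # (assumption: modelled with fnmatch, not the product's own matcher).
    if "*" in pattern:
        return fnmatchcase(submitted, pattern)
    return submitted == pattern

def evaluate(rules, submitted):
    # Walk rules top to bottom; the first rule whose command group matches
    # decides. Falling off the end means Command Control denies the request.
    for rule in rules:
        if any(command_matches(p, submitted) for p in rule["commands"]):
            return ("accepted" if rule["authorize"] else "denied", rule["name"])
    return ("denied", None)

def parse_unifid_line(line):
    # Fields of a 'cmdctrl request ...' line, or None for any other line.
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def explain_denials(rules, log_lines):
    # Re-evaluate each denied request's exact submitted string against the rules.
    results = []
    for line in log_lines:
        ev = parse_unifid_line(line)
        if ev and ev["decision"] == "denied":
            results.append((ev["cmd"],) + evaluate(rules, ev["cmd"]))
    return results
```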


Re: Unable to log in from the login window with a user whose shell is cpcksh


Hello Brett

I have tried adding 'cpcksh -c gnome-session'. But the problem is
the same: when I log in through the GUI I am unable to log in, but the
surprising thing is that cmdctrl accepts 'cpcksh -c gnome-session'.

Here are the lines I have found in the log files:
Fri Feb 15 17:12:49 2013, 160, 2256475904, 2627, Info, cmdctrl request
accepted for 'cpcksh -c gnome-session' from riz@prum as riz@prum
Fri Feb 15 17:12:49 2013, 166, 2256475904, 2627, Info, cmdctrl checkAuth
client:prum rc:0 status:0 (14ms)
Fri Feb 15 17:12:49 2013, 186, 2220574464, 2627, Info, rexec
executeCommand client:prum rc:0 status:0() (18ms)

Is it possible to log in through the GUI with the user whose login shell
is '/usr/bin/cpcksh'?
If yes, then please guide me on what I am doing wrong.

But when I try to log in through pcksh,
I have logged in successfully both ways, from the command
line as well as the GUI, with the user whose login shell is
'/usr/bin/pcksh'.
But that way I am unable to restrict the directory access. I have also
tried to create a rule for directory access, but it didn't work.
Below is the rule which I created to restrict directory access in the
pcksh shell.
Begin Rule: pcksh directory limitations
If ((command IN pcksh shell login))
Then
Set Authorize: yes
Set Session Capture: yes
Run Script: Enhanced Access Control Policy(policy:path default all:log
path /data/private/** !all:log=9)
Stop if authorized
End If
End Rule: pcksh directory limitations

And the command in the pcksh shell login is '-pcksh'.

Is it possible to make a rule to restrict directory access in the pcksh
shell?
If yes, then what command should I use for the pcksh shell login?

Thanks in Advance
Best Regards
Rizwan


--
Rizwan_ahmed

Re: Unable to log in from the login window with a user whose shell is cpcksh


Rizwan,

What OS/support pack are you running? I'm assuming you are running
GNOME (based off of previous comments).

I'd like to attempt to duplicate what you are seeing.

With that being said, if someone logs in with cpcksh in the GUI (and is
using EAC), EAC will control a terminal session, but not the GUI
session, meaning that if EAC is being used to deny a particular folder,
they could access it via the GUI tools, but not from a shell.

Maybe I should take a step back and understand what you are trying to
accomplish with cpcksh (non-privileged shell), and whether your users are
mainly logging in to the GUI or strictly using ssh/terminal.

-deni


--
deni

Re: Unable to log in from the login window with a user whose shell is cpcksh


Hi Brett

Yes, I am running GNOME.
I want the users who log in with the cpcksh shell to be unable
to access the specific directory.
But for now I first log in as the root user and then switch to
the user whose login shell is cpcksh.

Like
[root@prum desktop] # su - riz
path default all:log
path /data/private/** !all:log=9

$

But normally users log in through the GUI by entering their username and
password.
Because users don't know the root password, how can the user log in
with the cpcksh shell?
My requirement is that users should log in through the cpcksh shell because
I have made the EAC policy for the cpcksh users.

If EAC cannot work for the GUI session, then how can the users
whose login shell is cpcksh log in if they don't know the root
password?
Users are not restricted from logging in through the GUI session; what will be
the alternative way to log in for cpcksh users?


Last thing: kindly guide me, can I make an EAC policy for the pcksh shell?
If yes, then what command should I use for the pcksh shell login?
Because ultimately I want the users to be unable to access the specific directory,
whatever the login shell is.

I hope you understand my problem.
Many thanks in advance

Best Regards
Rizwan


--
Rizwan_ahmed

Re: Unable to log in from the login window with a user whose shell is cpcksh


Rizwan,

NPUM does not currently handle anything via the GUI on a Linux host. So
setting someone's shell to /usr/bin/cpcksh and then having them login to
a Linux host through the GUI is not how NPUM was originally designed to
be used.

Rizwan_ahmed;225559 Wrote:
>
> But normally users log in through the GUI by entering their username and
> password.
> Because users don't know the root password, how can the user log in
> with the cpcksh shell?
>


Users would ssh into the host as themselves either through a terminal on
their Linux host, or Putty (or some other similar ssh application).
For example:

ssh user@remote_host (where remote_host is where the users shell was
set to /usr/bin/pcksh)

Rizwan_ahmed;225559 Wrote:
>
> My requirement is that users should log in through the cpcksh shell because
> I have made the EAC policy for the cpcksh users.
>
> If EAC cannot work for the GUI session, then how can the users
> whose login shell is cpcksh log in if they don't know the root
> password?
> Users are not restricted from logging in through the GUI session; what will be
> the alternative way to log in for cpcksh users?
>


EAC will not work in the GUI session. (Same answer as above: ssh
user@remote_host, where remote_host is where the user's shell was set to
/usr/bin/pcksh.)

cpcksh is a shell meant for monitoring non-privileged users only, not
granting any additional rights. I'm not sure that cpcksh is going to
work for you if users are logging in via the GUI.


Rizwan_ahmed;225559 Wrote:
>
> Last thing: kindly guide me, can I make an EAC policy for the pcksh shell?
> If yes, then what command should I use for the pcksh shell login?
> Because ultimately I want the users to be unable to access the specific directory,
> whatever the login shell is.
>


There is nothing special about an EAC policy. Meaning, if you create a
rule for pcksh, you add the EAC script and associated Script Arguments
as you did on other rules.

A typical pcksh rule would look like this:

Begin Rule: pcksh as root
If ((command IN pcksh) AND (user IN PrivilgedUsers))
Then
Set Authorize: yes
Set Session Capture: yes
Set runUser = "root"
Run Script: Enhanced Access Control Policy(policy:path default all:log
path /data/private/** !all:log=9)
Stop if authorized
End If
End Rule: pcksh as root


--
deni

Re: Unable to log in from the login window with a user whose shell is cpcksh


Hi Brett

Thanks for your precious time and for giving me a clear picture of NPUM.
OK, now I got it.

Best Regards
Rizwan


--
Rizwan_ahmed