
Restricting Users access to Terminal Commands
BostonMACOSX
Forum Regular
Join Date: Nov 2000
Location: Boston Area,ma
Status: Offline
Jan 30, 2003, 12:05 AM
 
Was wondering if it was possible to limit access to certain shell commands when a user logs in. Basically the scenario is that we have a non-admin user who needs to telnet, but we don't want them to be able to execute other commands other than FTP and TELNET from the Terminal.app

Thanks
BostonMACOSX
OSX ...Plastic surgery for unix
Boston Area Consulting
http://rjhcc.dyndns.biz
http://bostonmacosx.dyndns.org
     
wadesworld
Grizzled Veteran
Join Date: Apr 2001
Status: Offline
Jan 30, 2003, 01:11 AM
 
The first question is - why not? If they're just a normal user, they can't hurt anything.

You can copy the binaries you want to a special bin directory and then chroot to that directory.

Or you could see if you can get a special shell like Flash to compile:

http://www.netsoc.ucd.ie/flash/

However, the thing to remember is there's no perfect way to solve that. Don't want them to run gcc for example? They'll just use ftp to download it for themselves.

Wade
     
trusted_content
Dedicated MacNNer
Join Date: Nov 2002
Status: Offline
Jan 31, 2003, 12:31 AM
 
All that's really necessary is to set permissions on individual commands.

Par example,

Will down the hall chmod'ed "mv" cause I kept logging in and using the infamous parent directory bug to kernel panic his box ;]
I offer strictly b2b web-based server-side enterprise solutions for growing e-business trusted content providers ;]
     
Gary Kerbaugh
Dedicated MacNNer
Join Date: Jul 2001
Location: NC
Status: Offline
Feb 1, 2003, 12:11 AM
 
   These are just thoughts based on previous posts and can be defeated by a determined and adept user. Limit execute permissions of all shells to owner and group. If the group is admin, that may be more restrictive than you want. You could create a new group, assign all shells to that group and also add to that group all users you wish to have shell privileges.
   You could also change the com.apple.Terminal.plist of every user you don't want to have terminal access. Change it so that the Terminal executes "exit" when a new Terminal window is opened. Then lock it and change its ownership to root. I can defeat this on my machine but it may be because I'm the admin user. The Finder "Get Info" window won't change it. (at least I don't know how to do it) Hopefully, many users won't know how to defeat it.
   As I said, I doubt any of these measures are bullet proof but they should slow many, if not most, users. Of course, if someone did these things to me, I wouldn't sleep until I had defeated them.
Gary
A computer scientist is someone who, when told to "Go to Hell", sees the
"go to", rather than the destination, as harmful.
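
Added example (not part of Gary Kerbaugh's post or anyone else's in this thread): a small sh function that audits the shell-group scheme described in the post above, checking that every shell listed in a file such as /etc/shells has lost its world-execute bit and belongs to the chosen group. The group name `shellusers` in the usage comment is an assumed name for the new group.

```shell
#!/bin/sh
# Audit the "dedicated shell group" scheme: every listed shell should be
# executable by owner and group only, and belong to the given group.
#
# usage: audit_shells SHELLS_FILE GROUP
#   e.g. audit_shells /etc/shells shellusers   (shellusers is an assumed name)
# Prints one line per finding. Returns 0 when every existing shell is
# restricted, 1 when at least one is still reachable by other users.
audit_shells() {
    shells_file=$1
    group=$2
    rc=0
    # "|| [ -n ... ]" keeps a last line that has no trailing newline
    while IFS= read -r shell || [ -n "$shell" ]; do
        # /etc/shells allows blank lines and # comments
        case $shell in
            ''|'#'*) continue ;;
        esac
        if [ ! -e "$shell" ]; then
            # informational only: a listed but absent shell is not an exposure
            echo "MISSING $shell"
            continue
        fi
        # -L follows symlinks, so a link to the real binary is judged by its target
        # world-execute bit set: any local user can still start this shell
        if [ -n "$(find -L "$shell" -prune -perm -001)" ]; then
            echo "WORLD-EXEC $shell"
            rc=1
        fi
        # not owned by the shell group: group members cannot run it as intended
        if [ -z "$(find -L "$shell" -prune -group "$group")" ]; then
            echo "WRONG-GROUP $shell"
            rc=1
        fi
    done < "$shells_file"
    return $rc
}

# Run directly when called with both arguments.
if [ $# -eq 2 ]; then
    audit_shells "$1" "$2"
fi
```

A clean result covers only the shells named in the file; as noted earlier in the thread, a user who can download binaries can bring a shell of their own.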
     
Angus_D
Addicted to MacNN
Join Date: Mar 2000
Location: London, UK
Status: Offline
Feb 1, 2003, 05:22 AM
 
You could probably make their home dir a chroot'd jail with only a few commands, couldn't you?
     
butter71
Forum Regular
Join Date: Mar 2001
Status: Offline
Feb 1, 2003, 04:39 PM
 
Originally posted by Angus_D:
You could probably make their home dir a chroot'd jail with only a few commands, couldn't you?
if the user is allowed to still run aqua, then i don't think you could. at least not without lots of duplication of directory hierarchies.

if you want a strictly command line user who either logs in as a non-graphical user or connects across the network, you can just change their shell to a restricted one like the examples above.
     
off/lang
Forum Regular
Join Date: Nov 2002
Location: PVD/MSP
Status: Offline
Feb 1, 2003, 08:23 PM
 
If the user is just a local user, you can change their shell to /noshell thus disallowing them terminal access. You could then just download a GUI ftp program like fetch and a GUI telnet.
     
   