Restricting Users access to Terminal Commands
Forum Regular, joined Nov 2000, Boston Area, MA
Was wondering if it was possible to limit access to certain shell commands when a user logs in. Basically the scenario is that we have a non-admin user who needs to telnet, but we don't want them to be able to execute any commands other than FTP and TELNET from the Terminal.app.
Thanks
BostonMACOSX
Grizzled Veteran, joined Apr 2001
The first question is - why not? If they're just a normal user, they can't hurt anything.
You can copy the binaries you want to a special bin directory and then chroot to that directory.
Or you could see if you can get a special shell like Flash to compile:
http://www.netsoc.ucd.ie/flash/
However, the thing to remember is there's no perfect way to solve that. Don't want them to run gcc for example? They'll just use ftp to download it for themselves.
Wade
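The "copy the binaries you want into a special bin directory" step from Wade's reply, as an added example that is not code from the thread. It stages a jail's bin/ with only the named commands and refuses names that do not resolve to a regular file on the host (shell builtins, typos). It assumes the platform-specific step of copying each binary's shared libraries (otool -L on macOS, ldd on Linux) is done separately; the /var/jail path in the trailing comment is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread: stage a minimal bin/ directory for
# a chroot jail that holds only the commands the user may run (here ftp and
# telnet). Everything else stays outside the jail. Assumption: the shared
# libraries each binary needs are copied in a separate, platform-specific
# step (otool -L on macOS, ldd on Linux), which is not shown here.

# build_jail_bin JAILROOT NAME... : copy each named command into JAILROOT/bin.
# Prints the jail path of every copied binary; returns 1 if any name could not
# be resolved to a regular file on the host (builtins such as cd are rejected).
build_jail_bin() {
    jail="$1"; shift
    mkdir -p "$jail/bin" || return 1
    status=0
    for name in "$@"; do
        src=$(command -v "$name" 2>/dev/null || true)
        if [ -z "$src" ] || [ ! -f "$src" ]; then
            echo "build_jail_bin: cannot resolve '$name' to a binary" >&2
            status=1
            continue
        fi
        cp "$src" "$jail/bin/$name" || { status=1; continue; }
        chmod 755 "$jail/bin/$name"
        echo "$jail/bin/$name"
    done
    return $status
}

# jail_has JAILROOT NAME : succeed only if the jail provides NAME.
jail_has() {
    [ -x "$1/bin/$2" ]
}

# Example run (any user can stage the directory; chroot itself needs root):
#   build_jail_bin /var/jail/ftpuser ftp telnet
#   chroot /var/jail/ftpuser /bin/ftp     # as root, once libraries are in place
```

Because the function resolves names with `command -v` and insists on a regular file, a request for a builtin or an unavailable program is reported rather than silently producing an empty jail; checking `jail_has` afterwards is the quick way to confirm the jail offers exactly the intended commands and nothing else.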
Dedicated MacNNer, joined Nov 2002
All that's really necessary is to set permissions on individual commands.
Par example,
Will down the hall chmod'ed "mv" 'cause I kept logging in and using the infamous parent directory bug to kernel panic his box ;]
I offer strictly b2b web-based server-side enterprise solutions for growing e-business trusted content providers ;]
Dedicated MacNNer, joined Jul 2001, NC
These are just thoughts based on previous posts and can be defeated by a determined and adept user. Limit execute permissions of all shells to owner and group. If the group is admin, that may be more restrictive than you want. You could create a new group, assign all shells to that group and also add to that group all users you wish to have shell privileges.
You could also change the com.apple.Terminal.plist of every user you don't want to have terminal access. Change it so that the Terminal executes "exit" when a new Terminal window is opened. Then lock it and change its ownership to root. I can defeat this on my machine but it may be because I'm the admin user. The Finder "Get Info" window won't change it. (at least I don't know how to do it) Hopefully, many users won't know how to defeat it.
As I said, I doubt any of these measures are bulletproof but they should slow many, if not most, users. Of course, if someone did these things to me, I wouldn't sleep until I had defeated them.
Gary
A computer scientist is someone who, when told to "Go to Hell", sees the
"go to", rather than the destination, as harmful.
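Gary's first suggestion, limiting execute permission on the shells to owner and one group, as an added example that is not code from the thread. The functions take paths as arguments so the change can be rehearsed on scratch files before it is applied to the real shells (which needs root); the group name "shellusers" is a placeholder and is assumed to exist already.

```shell
#!/bin/sh
# Added example, not code from the thread: limit execute permission on a shell
# binary to its owner and one group, and audit which shells are still
# executable by everyone. Assumption: the group passed to restrict_shell
# already exists; "shellusers" in the comments below is a placeholder name.

# restrict_shell PATH GROUP : owner rwx, GROUP rx, nobody else anything.
restrict_shell() {
    chgrp "$2" "$1" && chmod 0750 "$1"
}

# world_executable PATH : succeed if the "others" execute bit is set.
world_executable() {
    perms=$(ls -ld "$1" | cut -c2-10)    # e.g. rwxr-xr-x
    case "$perms" in
        *[xt]) return 0 ;;               # last char is the others-execute bit
        *)     return 1 ;;
    esac
}

# audit_shells PATH... : print every given path that any user can execute,
# i.e. the shells the restriction has not yet been applied to.
audit_shells() {
    for p in "$@"; do
        world_executable "$p" && echo "$p"
    done
    return 0
}

# Real use (as root, after creating the group):
#   restrict_shell /bin/bash shellusers
#   audit_shells /bin/sh /bin/bash /bin/csh /bin/tcsh /bin/zsh
# Note that system scripts run by other accounts depend on /bin/sh, so that one
# is the shell to leave world-executable.
```

The audit is what makes the measure checkable: after assigning the shells to the group, `audit_shells` over every login shell listed in /etc/shells should print only the ones deliberately left open.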
Addicted to MacNN, joined Mar 2000, London, UK
You could probably make their home dir a chroot'd jail with only a few commands, couldn't you?
Forum Regular, joined Mar 2001
Originally posted by Angus_D:
You could probably make their home dir a chroot'd jail with only a few commands, couldn't you?
If the user is allowed to still run Aqua, then I don't think you could. At least not without lots of duplication of directory hierarchies.
If you want a strictly command-line user who either logs in as a non-graphical user or connects across the network, you can just change their shell to a restricted one like the examples above.
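The "change their shell to a restricted one" option for a command-line-only account, as an added example that is not code from the thread: a small allow-list login shell that starts only ftp and telnet. The install path /usr/local/bin/ftpshell and the name ftpshell are placeholders. As Wade's reply points out, this is a speed bump rather than a sandbox, since the permitted programs can still fetch files, so it belongs alongside the group and permission measures rather than in place of them.

```shell
#!/bin/sh
# Added example, not code from the thread: an allow-list login shell for a
# command-line-only account. Only the command names in ALLOWED can be started;
# any other line is refused. Install as the account's login shell, e.g.
#   chsh -s /usr/local/bin/ftpshell username     (placeholder path)
ALLOWED="ftp telnet"

# is_allowed NAME : succeed only for an exact, path-free match in ALLOWED,
# so "/usr/bin/ftp" and "ftp2" are rejected along with everything else.
is_allowed() {
    for a in $ALLOWED; do
        [ "$1" = "$a" ] && return 0
    done
    return 1
}

# run_line LINE : split LINE on whitespace and run it if the first word is
# allowed. The line is never handed to eval or to a sub-shell, so pipes,
# redirections, $(...) and ; are plain arguments, not shell syntax.
# Returns 2 for "exit", 1 for a refused command, else the command's status.
run_line() {
    set -f                 # no glob expansion while splitting the line
    set -- $1
    set +f
    [ $# -eq 0 ] && return 0
    [ "$1" = "exit" ] && return 2
    if is_allowed "$1"; then
        "$@"
    else
        echo "ftpshell: '$1' is not permitted (allowed: $ALLOWED, exit)"
        return 1
    fi
}

# restricted_loop : prompt and read lines until EOF or "exit".
restricted_loop() {
    while printf 'ftpshell> ' && IFS= read -r line; do
        run_line "$line"
        [ $? -eq 2 ] && break
    done
    echo
}

# Start the loop only when invoked as the login shell (argv[0] ends in
# "ftpshell"); sourcing the file just defines the functions.
case "$0" in
    *ftpshell) restricted_loop ;;
esac
```

The important design choice is that user input is split into words and executed directly rather than passed to `eval` or `sh -c`; that is what keeps `;`, `|` and `$(...)` inert. The limits are the ones the thread already names: once ftp runs, the user can still transfer files, so the allow-list only controls what can be launched from the prompt.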
Forum Regular, joined Nov 2002, PVD/MSP
If the user is just a local user, you can change their shell to /noshell thus disallowing them terminal access. You could then just download a GUI ftp program like fetch and a GUI telnet.