LinuxQuestions.org


bharaniks 05-27-2005 02:01 AM

Secured Login
 
Hi,

How can I make a secure login where any of the Linux commands should
not work except the two scripts in /usr/bin/SCRIPT1 and SCRIPT2?

Once the user logs in, he should not be able to access any of the Linux commands
or commands used on the command prompt, or even to view them.

Please help me to make this done :-)

oneandoneis2 05-27-2005 03:06 AM

Is this a specific user who can only use those two commands, or any normal user who's logged in securely?

If the former, it's dead easy: Create a new group, called "secure" or some such.

Transfer ownership of the two scripts to the group "secure".

Then create a new user, and only allow him to access files owned by the "secure" group.

Simple as that, you have a user who can only execute the desired two commands.

bharaniks 05-27-2005 04:47 AM

Hi oneandoneis2,

Thanks for your posting.

See, now if I make a scenario as mentioned, the user can execute the two files, that's fine.

But those scripts contain passwords which should be confidential and should not be viewed
by the particular user, where he should have an execute permission alone for the two files.
Then also the specified user can use the default editors and viewers.

Now if we block all the commands then the user can alone execute both the scripts.
Example: blocking of all the editors, viewers etc. used in Linux.

Or I had written a script in the user's .bashrc file in which the user can do all the process in a loop.
But if the user presses Ctrl+C then he can return to the prompt. Is there any option to solve this
by restricting the user from coming to the CLI prompt? Once the user presses Ctrl+C then the telnet console
should be closed.

If any options please let me know.

oneandoneis2 05-27-2005 07:49 AM

Quote:

But those scripts contain passwords which should be confidential and should not be viewed by the particular user, where he should have an execute permission alone for the two files.
Then also the specified user can use the default editors and viewers.

Uh.. no. The user will NOT be able to view the file contents, as he won't have permission to use any of the text editors. He wouldn't be able to cat, grep, vim, nano, emacs, more, less, or anything else. He will be able to execute the files, nothing else.

That's the whole point of only giving him access to the "secure" group's files. Unless your permissions for your executables are screwy (i.e. world-executable), he should be unable to use them.

You could also set the script permissions to --x, which would prevent him from reading the files even if he DID manage to find a way to use a text editor.

bharaniks 05-30-2005 12:30 AM

Hi Oneandoneis2,

Nice to see your reply, but if I'm creating a new group, say with the name "secure",
the files @ /usr/bin/* will all be having a third permission "rwx-rwx-r-x".

Where in this if you create a new group named "secure" then it will be considered
as the third permissions such as "READ" and "EXECUTE", where even the user in group
"secure" can use the files as they all have a read and execute permission of "OTHERS".

So changing the files @ path /usr/bin/* to "rwx-rwx---x" is impossible as some system calls will
be in these files, am I correct? And also for your kind info, if you change the permission of a file
to execute alone then it cannot be executed, as the file should be readable for execution.

Are there any other options? If so kindly send them to me :-) Once again, thank you for the initiative taken.
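
The Ctrl+C problem raised in this thread comes from running the loop out of .bashrc, where an interrupted loop falls back to the interactive shell. Below is a sketch, added here and not posted by anyone in the thread, of a menu script meant to be set as the account's login shell instead; the file name `/usr/local/bin/menu-shell` and the path `/usr/bin/SCRIPT2` are assumptions.

```shell
#!/bin/sh
# Added example: restricted login menu (hypothetical /usr/local/bin/menu-shell).
# Assumption: the second script from the thread lives at /usr/bin/SCRIPT2.

PATH=/usr/bin:/bin; export PATH      # fixed search path, not the user's
ALLOWED_1=/usr/bin/SCRIPT1
ALLOWED_2=/usr/bin/SCRIPT2

# Map a menu choice to an absolute path. Input is only compared against
# fixed patterns, never eval'd or used as a command name, so typing
# "vi" or "1; sh" runs nothing.
resolve_choice() {
    case "$1" in
        1)   printf '%s\n' "$ALLOWED_1" ;;
        2)   printf '%s\n' "$ALLOWED_2" ;;
        q|Q) printf 'quit\n' ;;
        *)   return 1 ;;
    esac
}

menu_loop() {
    # Ctrl+C, Ctrl+\ and hang-up end this process. Because it is the
    # login shell, there is no prompt behind it: the session closes.
    trap 'exit 1' INT QUIT HUP
    # Ctrl+Z is ignored; child processes inherit an ignored signal.
    trap '' TSTP
    while :; do
        printf '1) SCRIPT1  2) SCRIPT2  q) quit > '
        IFS= read -r choice || exit 0    # EOF (Ctrl+D) logs out too
        target=$(resolve_choice "$choice") || { echo "Invalid choice"; continue; }
        [ "$target" = quit ] && exit 0
        "$target"                        # child process; menu resumes after it
    done
}

# Run the menu only on a terminal. Arguments are ignored, so an
# invocation of the form "menu-shell -c 'some command'" executes nothing.
if [ -t 0 ]; then
    menu_loop
fi
```

To use it, the script would be set as the account's shell (for example with `usermod -s`) rather than sourced from .bashrc.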


All times are GMT -5.