[SOLVED] restrict a user to certain command

vikas027 · 03-07-2008, 04:43 AM

Hi all,

I am using Sun OS 5.10. I am new to Unix.

Is there some way to restrict a specific user to certain command say "/usr/bin/more" ??
for example: I want that user1 can execute more command & user2 can't.

Can we somehow edit .profile file in the home directory of user to achieve this ??
OR
is there some other way ??

Pls help.

Thanks N Regards,
VIKAS

jschiwal · 03-07-2008, 05:26 AM

Does Sun have acl's and does the filesystem support them?

In Linux I would use: sudo setfacl -m u:<usesname>:000 /usr/bin/more

You couldn't allow reading either because then the use could simply copy the command to ~/bin/.

jlliagre · 03-07-2008, 05:47 AM

Yes, Solaris supports POSIX draft ACLs on ufs since 2.5 (1996). There is also NFSv4 ACLs support with ZFS.

Alternatively, you use RBAC (role based access control) to limit or expand what users are allowed to do under Solaris.

vikas027 · 03-07-2008, 11:23 PM

Quote:

Originally Posted by jschiwal

Does Sun have acl's and does the filesystem support them?

In Linux I would use: sudo setfacl -m u:<usesname>:000 /usr/bin/more

You couldn't allow reading either because then the use could simply copy the command to ~/bin/.

Hi jschiwal,

Code:

setfacl -m u:user2:000 /usr/bin/more

is giving error

"Unrecognized character found in mode field"

Pls help !!

jschiwal · 03-08-2008, 03:28 AM

Try a single dash instead of 000. I wasn't sure how to indicate that all the permissions should be cleared and 000 worked.
According the the manpage for my version of setfacl, the perm field can be an octal number.

jlliagre · 03-08-2008, 03:58 AM

Code:

setfacl -r -m u:user2:--- /usr/bin/more

A single 0 works too.