-
1. Re: Restrict user from running cd //<ip address of other machine> through nsh prompt
Bill Robinson May 11, 2012 7:36 AM (in response to wali NameToUpdate)
In 8.1 you can restrict access via NSH w/ the ‘NSH_PROXY.Connect’ Authorization. If they are not granted that in their role and the nsh proxy is setup and the agent acls are setup correctly, not having that permission will prevent them from accessing servers via nsh.
-
2. Re: Restrict user from running cd //<ip address of other machine> through nsh prompt
Soundappan Shanmugam May 11, 2012 7:44 AM (in response to Bill Robinson)
Actually, here we want to restrict users within NSH proxy connect, where some roles should not have rights for cd.
___
Cheers…
Soundappan Shanmugam
HP: +91 9711156098
-
3. Re: Restrict user from running cd //<ip address of other machine> through nsh prompt
Bill Robinson May 11, 2012 8:16 AM (in response to Soundappan Shanmugam)
Then modify their roles to contain all the Command Authorizations except for CD.
-
4. Restrict user from running cd //<ip address of other machine> through nsh prompt
wali NameToUpdate May 11, 2012 8:23 AM (in response to Bill Robinson)
CD is not available in the NSH Command List.
Even if we don't assign any command or any authorization to roles, they are able to CD to other machines using NSH.
-
5. Re: Restrict user from running cd //<ip address of other machine> through nsh prompt
Bill Robinson May 11, 2012 8:41 AM (in response to wali NameToUpdate)
I’m not sure I understand this use case – you don’t want them to be able to cd, but they can run other commands against the target systems over nsh? Disallowing CD doesn’t really do much in that case if I can still run ‘ls’ or rm.
-
6. Re: Restrict user from running cd //<ip address of other machine> through nsh prompt
wali NameToUpdate May 11, 2012 8:59 AM (in response to Bill Robinson)
In fact, I want restricted users to only be able to monitor services. They must not be able to rm, cd, ren or any command that modifies system settings.
-
7. Re: Restrict user from running cd //<ip address of other machine> through nsh prompt
Bill Robinson May 11, 2012 9:05 AM (in response to wali NameToUpdate)
Cd does not modify anything; it’s read-only.
How will they monitor services via nsh? What commands?
-
8. Re: Restrict user from running cd //<ip address of other machine> through nsh prompt
wali NameToUpdate May 11, 2012 9:10 AM (in response to Bill Robinson)
Commands like nmem, nps, ntf etc. can be used for monitoring servers, like the following:
nshprompt# nps <ip of other machine>
-
9. Re: Restrict user from running cd //<ip address of other machine> through nsh prompt
Bill Robinson May 11, 2012 9:13 AM (in response to wali NameToUpdate)
Yeah – so cd is read-only. So is there an issue allowing that?
You can also just make them have ro access instead of rw in the role configuration.
-
10. Re: Restrict user from running cd //<ip address of other machine> through nsh prompt
wali NameToUpdate May 14, 2012 1:43 AM (in response to Bill Robinson)
In fact, if we don’t restrict, unprivileged users (those only supposed to do monitoring) can do the following:
nsh
cd //<ip address of other machine>
ls
rm filename
ren filename
If the cd command is restricted, unprivileged users can still do monitoring using nps <ip address>.
Even if we don’t add the above commands in the role configuration, or add nothing, unprivileged users are still able to delete, rename, and list files/folders. It seems that this job is not possible using an RBAC role. I think there is hope of doing that using the exports file in the rsc folder. But how?
-
11. Re: Restrict user from running cd //<ip address of other machine> through nsh prompt
wali NameToUpdate May 14, 2012 2:04 AM (in response to Bill Robinson)
Moreover, even though I gave read-only access on the xx.xxx.xx.12 machine using the users file in the rsc folder, unprivileged users are still able to delete their files/folders.
The following setting is in the users file on the xx.xxx.xx.12 machine:
NSH ONLY:NSH ro,map=Administrator,commands=CM:agentinfo:awk:egrep:grep:head:hostname:ls:nsh:tail:uname:update:view:nexec:ifconfig:iostat:ipconfig:nbtstat:netstat:ps
Where NSH is a user and NSH ONLY is an Authorization Profile.
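As an added example (not from this thread or from BladeLogic's own tooling), a small Python audit of a users-file entry in the layout quoted above. The layout "<profile>:<user> <ro|rw>,map=<local account>,commands=<c1>:<c2>..." and the set of commands treated as risky are assumptions; the input is constructed from the line in the post.

```python
"""Audit entries of an RSCD 'users' file meant for monitoring-only access.

Assumed entry layout (taken from the line quoted in the thread, not from
product documentation): "<profile>:<user> <ro|rw>,map=<account>,commands=<c1>:<c2>..."
"""
from dataclasses import dataclass, field

# Assumption: commands a monitoring-only entry should not allow, because they
# change files/processes on the agent or run arbitrary commands there (nexec).
RISKY_COMMANDS = {"rm", "ren", "mv", "cp", "chmod", "chown", "kill", "nexec"}


@dataclass
class UsersEntry:
    profile: str
    user: str
    mode: str
    options: dict = field(default_factory=dict)
    commands: list = field(default_factory=list)


def parse_entry(line: str) -> UsersEntry:
    """Split one users-file line into profile, user, mode, options and commands."""
    # The profile may contain spaces ("NSH ONLY"), the options never do,
    # so split on the LAST space rather than the first.
    ident, _, opts = line.strip().rpartition(" ")
    profile, _, user = ident.rpartition(":")  # "NSH ONLY:NSH" -> ("NSH ONLY", "NSH")
    parts = opts.split(",")
    mode = parts[0]
    options = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        options[key] = value
    commands = options.get("commands", "")
    return UsersEntry(profile, user, mode, options, commands.split(":") if commands else [])


def audit_entry(entry: UsersEntry) -> list:
    """Return the findings a reviewer would raise against a monitoring-only entry."""
    findings = []
    if entry.mode != "ro":
        findings.append(f"mode is {entry.mode!r}, expected 'ro'")
    if not entry.commands:
        findings.append("no commands= list, so the entry does not restrict NSH commands")
    risky = sorted(set(entry.commands) & RISKY_COMMANDS)
    if risky:
        findings.append("commands that can modify the target allowed: " + ", ".join(risky))
    return findings


if __name__ == "__main__":
    # Constructed sample: the entry quoted in the thread.
    sample = ("NSH ONLY:NSH ro,map=Administrator,commands=CM:agentinfo:awk:egrep:grep:head:"
              "hostname:ls:nsh:tail:uname:update:view:nexec:ifconfig:iostat:ipconfig:nbtstat:netstat:ps")
    for finding in audit_entry(parse_entry(sample)):
        print("FINDING:", finding)
```

Run it against each line of a users file to spot entries that are not really read-only before testing on the agent.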
-
12. Re: Restrict user from running cd //<ip address of other machine> through nsh prompt
Bill Robinson May 14, 2012 9:58 AM (in response to wali NameToUpdate)
So this is working or you still have an issue?
If you have restricted the commands to a limited set, users should not be able to run rm, etc.
-
13. Re: Restrict user from running cd //<ip address of other machine> through nsh prompt
Soundappan Shanmugam May 14, 2012 10:00 AM (in response to Bill Robinson)
But it still is not working ☹
-
14. Re: Restrict user from running cd //<ip address of other machine> through nsh prompt
Bill Robinson May 14, 2012 10:05 AM (in response to Soundappan Shanmugam)
What is not working?
When it does not work, can you look in the rscd.log and find the corresponding entries and see what user the client is coming in as and confirm it’s mapped correctly?