-
1. Re: Restrict user from running cd //<ip address of other machine> through nsh prompt
Bill Robinson
May 11, 2012 7:36 AM
In 8.1 you can restrict access via NSH w/ the ‘NSH_PROXY.Connect’ Authorization. If they are not granted that in their role and the nsh proxy is setup and the agent acls are setup correctly, not having that permission will prevent them from accessing servers via nsh.
-
2. Re: Restrict user from running cd //<ip address of other machine> through nsh prompt
Actually here we want to restrict users within NSH proxy connect where some roles should not be having rights for cd
___
Cheers…
Soundappan Shanmugam
HP: +91 9711156098
-
3. Re: Restrict user from running cd //<ip address of other machine> through nsh prompt
Bill Robinson
May 11, 2012 8:16 AM
Then modify their roles to contain all the Command Authorizations except for CD.
-
4. Restrict user from running cd //<ip address of other machine> through nsh prompt
CD is not available in the NSH Command List..
Even if we don't assign any command or any authorization to roles.. they are able to CD to other machine using NSH
-
5. Re: Restrict user from running cd //<ip address of other machine> through nsh prompt
Bill Robinson
May 11, 2012 8:41 AM
I’m not sure I understand this use case – you don’t want them to be able to cd, but they can run other commands against the target systems over nsh ? dis-allowing CD doesn’t really do much in that case if I can still run ‘ls’ or rm.
-
6. Re: Restrict user from running cd //<ip address of other machine> through nsh prompt
In fact, I want restricted users to only be able to monitor services. They must not be able to rm, cd, ren or any command that modifies system settings.
-
7. Re: Restrict user from running cd //<ip address of other machine> through nsh prompt
Bill Robinson
May 11, 2012 9:05 AM
Cd does not modify anything. it’s read-only.
How will they monitor services via nsh? what commands ?
-
8. Re: Restrict user from running cd //<ip address of other machine> through nsh prompt
Commands like nmem, nps, ntf etc. can be used for monitoring servers. Like following
nshprompt# nps <ip of other machine
-
9. Re: Restrict user from running cd //<ip address of other machine> through nsh prompt
Bill Robinson
May 11, 2012 9:13 AM
Yeah – so cd is read-only. so is there an issue allowing that ?
You can also just make them have ro access instead of rw in the role configuration.
-
10. Re: Restrict user from running cd //<ip address of other machine> through nsh prompt
In fact if we don’t restrict.. Unprivileged users (those only supposed for monitoring) can do following:
nsh
cd //<ip address of other machine>
ls
rm filename
ren filename
If cd command is restricted, Unprivileged users can still do monitoring.. using nps <ip address>
Even if we don’t add above commands in role configuration.. or add nothing.. Still unprivileged users are able to delete, rename, and list files/folders. It seems that, this job is not possible using RBACK Role. I think, there is a hope doing that, using exports file in rsc folder. But how?
-
11. Re: Restrict user from running cd //<ip address of other machine> through nsh prompt
Moreover even I gave read only access in xx.xxx.xx.12 machine using users file in rsc folder. Still we unprivileged users are able to delete their files/folders.
Following setting is there in users file in xx.xxx.xx.12 machine..
NSH ONLY:NSH ro,map=Administrator,commands=CM:agentinfo:awk:egrep:grep:head:hostname:ls:nsh:tail:uname:update:view:nexec:ifconfig:iostat:ipconfig:nbtstat:netstat:ps
Where: NSH is a user, NSH ONLY is Autorization Profile
-
12. Re: Restrict user from running cd //<ip address of other machine> through nsh prompt
Bill Robinson
May 14, 2012 9:58 AM
So this is working or you still have an issue?
If you have restricted the commands to a limited set, users should not be able to run rm, etc.
-
13. Re: Restrict user from running cd //<ip address of other machine> through nsh prompt
But it still is not working ☹
___
Cheers…
Soundappan Shanmugam
HP: +91 9711156098
-
14. Re: Restrict user from running cd //<ip address of other machine> through nsh prompt
Bill Robinson
May 14, 2012 10:05 AM
What is not working ?
When it does not work, can you look in the rscd.log and find the corresponding entries and see what user the client is coming in as and confirm it’s mapped correctly ?