-
30. Re: Restrict user from running cd //<ip address of other machine> through nsh prompt
Bill Robinson May 17, 2012 7:39 AM (in response to Rohit Nayyar)
Because you don't have a 'nouser' line in the users file, other user mapping may be happening here.
Can you also send the users.local and exports files?
And how are you launching NSH Here to test this?
-
31. Restrict user from running cd //<ip address of other machine> through nsh prompt
Rohit Nayyar May 17, 2012 7:44 AM (in response to Bill Robinson)
Yes, that is the case here.
Also it seems like they are not using NSH Here, but NSH from a client.
The best way to secure this would be to use the NSH proxy.
-
32. Re: Restrict user from running cd //<ip address of other machine> through nsh prompt
Soundappan Shanmugam May 17, 2012 8:18 AM (in response to Rohit Nayyar)
Yes
___
Cheers…
Soundappan Shanmugam
HP: +91 9711156098
-
33. Re: Restrict user from running cd //<ip address of other machine> through nsh prompt
wali NameToUpdate May 17, 2012 8:31 AM (in response to Rohit Nayyar)
Yes, NSH Only is the name of the Role.
-
34. Re: Restrict user from running cd //<ip address of other machine> through nsh prompt
wali NameToUpdate May 17, 2012 8:37 AM (in response to Bill Robinson)
I added a nouser entry in the users file (on the x.x.x.12 machine). Now, using NSH Here, the unprivileged user is not able to cd //x.x.x.12 …
But now my monitoring commands like nmem, nps, ndf etc. that the unprivileged user is supposed to run are not running..
nshprompt# nps <ip of other machine>
-
35. Restrict user from running cd //<ip address of other machine> through nsh prompt
Rohit Nayyar May 17, 2012 8:40 AM (in response to wali NameToUpdate)
Because you are not using the NSH proxy, and the fact that the nouser flag is switched off,
the mapping which is happening is letting it be mapped as rw, as specified in the exports file.
Switch on the nouser flag,
or
change exports to ro,
and try again.
For security, I will strongly recommend using the NSH proxy so that all NSH clients go through authentication and will use a role which can be controlled well.
-
36. Restrict user from running cd //<ip address of other machine> through nsh prompt
Rohit Nayyar May 17, 2012 8:45 AM (in response to wali NameToUpdate)
You are running from the NSH client and not doing an NSH Here?
On the client NSH, type id
and see what user is running NSH.
Worst case to implement this will be to make an entry in users.local for
<local user id> ro,map=Administrator,commands=CM:agentinfo:awk:egrep:grep:head:hostname:ls:nsh:tail:uname:update:view:nexec:ifconfig:iostat:ipconfig:nbtstat:netstat:ps
Try this.
Best is to use the NSH proxy and give only the NSH Only role, which should also be the default NSH role for this user.
-
37. Re: Restrict user from running cd //<ip address of other machine> through nsh prompt
wali NameToUpdate May 17, 2012 9:23 AM (in response to Rohit Nayyar)
Unprivileged users are monitoring users; they are supposed to do monitoring, but not cd, rm, cat, mkdir etc… They must not change system settings.
-
38. Restrict user from running cd //<ip address of other machine> through nsh prompt
Rohit Nayyar May 17, 2012 9:28 AM (in response to wali NameToUpdate)
How are you running this as NSH Here, from the GUI?
-
39. Re: Restrict user from running cd //<ip address of other machine> through nsh prompt
wali NameToUpdate May 17, 2012 9:41 AM (in response to Rohit Nayyar)
Yes, from the GUI…
-
40. Restrict user from running cd //<ip address of other machine> through nsh prompt
Rohit Nayyar May 17, 2012 9:45 AM (in response to wali NameToUpdate)
When you execute the command
id
what is the output?
-
41. Re: Restrict user from running cd //<ip address of other machine> through nsh prompt
wali NameToUpdate May 17, 2012 10:24 AM (in response to Rohit Nayyar)
I am doing NSH Here from the 146 machine..
But I want my monitoring command to run.. (nps 10.98.241.12)
-
42. Re: Restrict user from running cd //<ip address of other machine> through nsh prompt
Bill Robinson May 17, 2012 5:55 PM (in response to wali NameToUpdate)
I think there is some confusion about how NSH works.
If you do not have the NSH proxy configured:
-> If you run NSH from the command line, or the Start menu, when you try to contact a remote host, NSH will send across your OS username to the target. If there is a mapping entry for * or for your actual user name, like 'BILL rw,map=root', then you will get access to the target. If there is no mapping entry then you will not get any access.
-> If you run NSH from 'NSH Here' you will send across your BSA role:user combination, and the agent will look for a mapping entry for role:user in the rsc files. If one is found, you get access; if none is found, you don't get access.
-> When you run 'NSH Here' the role that is used is the default NSH Role.
If you have the NSH proxy set up and you have your NSH client configured to use the NSH proxy, you will need to use blcred to get credentials, or check the 'cache session credentials' box on the GUI login. Then you will send across your BSA role:user to the target.
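An added illustration (not BMC code, and not posted by anyone in this thread) of the mapping lookup Bill describes above and of the users.local entry Rohit quoted in post 36: a simplified model that resolves an incoming identity against entries of the form `name rw|ro,map=account[,commands=a:b:c]`. The lookup order, the meaning of the bare `nouser` line and the exports fallback are assumptions drawn only from the replies in this thread.

```python
# Added illustration (not BMC code): simplified model of how an RSCD agent
# resolves an incoming NSH identity against users / users.local entries.
# Lookup order, 'nouser' semantics and the exports fallback are assumptions.
from dataclasses import dataclass, field

@dataclass
class Mapping:
    access: str            # "rw" or "ro"
    map_to: str            # local account the remote identity is mapped to
    commands: set = field(default_factory=set)  # empty = no command restriction

def parse_users(text):
    """Parse 'BILL rw,map=root' or 'NSH Only:wali ro,map=Administrator,commands=ls:ps'.
    A bare 'nouser' line sets the flag that disables the fallback mapping."""
    entries, nouser = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "nouser":
            nouser = True
            continue
        name, _, opts = line.rpartition(" ")   # identity may contain a space (role name)
        parts = opts.split(",")
        kv = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        cmds = set(kv["commands"].split(":")) if "commands" in kv else set()
        entries[name] = Mapping(parts[0], kv.get("map", name), cmds)
    return entries, nouser

def authorize(entries, nouser, identity, command, exports_default="rw"):
    """Return (allowed, mapped_user, access) for one command from one identity."""
    m = entries.get(identity) or entries.get("*")
    if m is None:
        if nouser:                               # nouser set: unmatched identity gets nothing
            return (False, None, None)
        m = Mapping(exports_default, identity)   # otherwise the exports-file access applies
    if m.commands and command not in m.commands:  # commands= list is the real restriction
        return (False, m.map_to, m.access)
    if m.access == "ro" and command in {"rm", "mkdir", "cp", "mv"}:  # illustrative write set
        return (False, m.map_to, m.access)
    return (True, m.map_to, m.access)

# Constructed sample in the syntax quoted in the thread. Note the quoted list
# does not include nps/nmem/ndf, so the monitoring commands would need appending.
SAMPLE_USERS_LOCAL = """
nouser
BILL rw,map=root
NSH Only:wali ro,map=Administrator,commands=CM:agentinfo:awk:egrep:grep:head:hostname:ls:nsh:tail:uname:update:view:nexec:ifconfig:iostat:ipconfig:nbtstat:netstat:ps
"""

def check(identity, command, text=SAMPLE_USERS_LOCAL):
    entries, nouser = parse_users(text)
    return authorize(entries, nouser, identity, command)
```

With `nouser` set and the quoted entry, `ls` is allowed for the role:user but `nps`, `cd` and `rm` are not; without `nouser` an unlisted identity falls through to the exports default, which is the rw mapping Rohit describes.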
-
43. Restrict user from running cd //<ip address of other machine> through nsh prompt
wali NameToUpdate May 18, 2012 2:34 AM (in response to Bill Robinson)
Yes, very true...
Ok, you mean (from the last paragraph) if I run the following command before running cd //<network IP> and/or then rm or mkdir, the cd/rm/cat will not be executed...
blcred cred -acquire -profile defaultProfile -username NSH -password nsh
Where NSH = Unprivileged User and nsh = its password.
Right???
-
44. Restrict user from running cd //<ip address of other machine> through nsh prompt
wali NameToUpdate May 18, 2012 7:36 AM (in response to wali NameToUpdate)
Thanks Bill,
Thanks Rohit