4 Replies Latest reply on Jun 29, 2011 3:47 AM by Eddie Lim

    Locking down NSH

      Hello all,


      Sorry if this has been repeated elsewhere but couldn't find anything relevant.


I've been tasked to provide a read-only solution that allows a set of users to read ALL files on a server and occasionally copy log files to their local desktops for deeper analysis (I just created a simple custom command for users to do this).


Providing users and roles within BLCM with read-only access is obviously easy, but the trouble I have is when attempting to lock down the NSH access they have. Each of our agents by default is mapped to the local admin account, which means a read-only user within NSH simply types:


      nexec -e su


      and they now have local admin rights.


Well, just create a unique user on those boxes that doesn't have root privileges, I hear someone say?


The issue is, this role needs to be able to access ALL files in a read-only fashion. So on Unix boxes we'll hit the issue of this role not being able to access files that are not 'world readable'.




1) Does someone have another suggested solution to the requirements?

2) Is there a way to NOT allow users to use the nexec command within NSH? This would stop users from sudo'ing as root, right?


      BL 7.6


Any help would be much appreciated.


        • 1. Locking down NSH
          Bill Robinson

In the role's options, check the 'read-only' radio button on the 'agent acl' tab.


Then push ACLs.


They will still map to root, but they won't be able to do anything on the file system.

          • 2. Locking down NSH

            Hi Bill,


I should have actually added that, but that was already selected and hence the confusion...


The ACL on this test server is basically:


            Testrole:elim     ro,map=root


So I jump on to the test server in question, head to /tmp, and there's a file in there:


            -rw------- 1 root   root       0 Jun 28 16:42 randomfile


Simply nexec -e su, I'm in as root, and I'm able to do anything to the file, i.e. change its name and contents, basically modifying it. Should this not be happening if the user and role is mapped as 'ro' to root? Or am I missing something blindingly obvious here? :S


            Thanks in advance!


            • 3. Locking down NSH
              Bill Robinson

Ah, so you may want to apply some of the command authorizations to the role to limit what commands they can run; specifically, prevent them from running any nexec commands they don't need to.

              • 4. Locking down NSH

                Hi Bill,


Right, I didn't know you had to literally copy across ALL the NSH permissions minus the nexec command. I was initially confused, since the generic authorizations such as server.read gave users access to all the NSH commands in the first place. I was initially looking for an "exclude" option when transferring across as a selected authorization.


This now works pretty sweet, thanks for the help on this one.
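The thread's lesson is that an agent ACL entry such as Testrole:elim ro,map=root still hands the role a root shell through nexec, so 'ro' alone is not a control on what nexec runs; the fix was command authorizations on the role. The script below is an added example (not code from the thread or from BMC) that audits agent ACL lines for roles mapped to a privileged account and singles out the read-only ones that would need nexec command authorizations. It assumes the Role:User perms,map=account line format seen in the thread and a constructed sample ACL; the privileged account set (just root here) is an assumption to adjust per environment.

```python
"""Audit BladeLogic-style agent ACL lines for privileged mappings.

Added example with constructed data; the line format is assumed from the
thread's own entry "Testrole:elim  ro,map=root".
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# One ACL line:  Role:User  perms[,map=account]   (format assumed, see above)
ACL_LINE = re.compile(r"^(?P<role>[^:\s]+):(?P<user>\S+)\s+(?P<opts>\S+)\s*$")

# Assumption: which mapped accounts count as privileged on the target hosts.
PRIVILEGED_ACCOUNTS = frozenset({"root"})

# Constructed sample of a users.local-style ACL file.
SAMPLE_ACL = """\
# constructed sample, not a real agent ACL
BLAdmins:BLAdmin   rw,map=root
Testrole:elim      ro,map=root
Auditors:auditor   ro,map=logreader
Ops:bob            rw
"""


@dataclass(frozen=True)
class AclEntry:
    role: str
    user: str
    perms: str              # 'ro' or 'rw'
    map_to: Optional[str]   # account NSH/nexec sessions run as; None if no map=


def parse_acl_line(line: str) -> Optional[AclEntry]:
    """Parse one ACL line; return None for blank lines and '#' comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = ACL_LINE.match(line)
    if not m:
        raise ValueError(f"unrecognised ACL line: {line!r}")
    perms, map_to = "", None
    for opt in m.group("opts").split(","):
        if opt.startswith("map="):
            map_to = opt[len("map="):]
        else:
            perms = opt
    return AclEntry(m.group("role"), m.group("user"), perms, map_to)


def parse_acl(text: str) -> List[AclEntry]:
    """Parse a whole ACL file body into entries, skipping comments/blanks."""
    entries = []
    for line in text.splitlines():
        entry = parse_acl_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


def privileged_mappings(entries: List[AclEntry],
                        privileged=PRIVILEGED_ACCOUNTS) -> List[AclEntry]:
    """Every entry whose mapped account is privileged, regardless of ro/rw.

    'ro' restricts NSH file operations, but as the thread shows, nexec runs
    commands as the mapped account, so these roles can reach a root shell.
    """
    return [e for e in entries if e.map_to in privileged]


def read_only_but_privileged(entries: List[AclEntry],
                             privileged=PRIVILEGED_ACCOUNTS) -> List[AclEntry]:
    """Read-only roles that still map to a privileged account.

    These are the roles that need nexec command authorizations removed or
    restricted, which is what resolved the thread.
    """
    return [e for e in privileged_mappings(entries, privileged)
            if e.perms == "ro"]


def audit_report(text: str) -> List[str]:
    """Human-readable findings for an ACL file body."""
    entries = parse_acl(text)
    lines = []
    for e in privileged_mappings(entries):
        flag = "READ-ONLY ROLE STILL REACHES ROOT VIA nexec" if e.perms == "ro" \
            else "privileged mapping (expected for admin roles)"
        lines.append(f"{e.role}:{e.user} {e.perms},map={e.map_to}  -> {flag}")
    return lines


if __name__ == "__main__":
    for finding in audit_report(SAMPLE_ACL):
        print(finding)
```

Run it against the real agent ACL file contents instead of SAMPLE_ACL to list every role whose 'ro' flag is doing less than it appears to; each flagged read-only role is a candidate for the nexec command-authorization restriction described above.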