My original post was:
> I intend to allow execution of few x-client programs only to user sitting
> at console. All other should not be able to run those x-clients. The
> user at console may be anyone having account on the machine. How to do this?
I got many responses. Thanks to all of them.
I have decided on following script which gets invoked instead of program:
#!/usr/bin/sh
ConsoleUser=`who | grep console | awk '{print $1}'`
eval `/usr/bin/id $ConsoleUser | /usr/bin/sed 's/[^a-z0-9=].*//'`
ConsoleUser=$uid
eval `/usr/bin/id | /usr/bin/sed 's/[^a-z0-9=].*//'`
echo "$ConsoleUser $uid"
if [ "$uid" != "$ConsoleUser" ]; then
echo You may not run the program;
else
echo;
#run the command here;
fi
-------------------------------------------------------------------------------
The responses are.
Jochen Bern <bern@penthesilea.uni-trier.de>:
Pretty hard, if not impossible. Taking xlock (more precisely: xlockmore)
as an Example, unless you have Shadow Passwords, you can compile it
yourself (and even *if* there are Shadow Passwords, you can use it
non-suid by specifying a Password on the Command Line if need be),
so you'ld have to go as far as denying Compilers, ftp, rcp, scp etc.
etc. to prevent Users from avoiding your Countermeasures ...
Why would you want to restrict Access to xlock in the first Place?
The X11 inherent Authorization Mechanism should ascertain that noone
can run it against other People's X11 $DISPLAYs, and if the Problem is
that Users block Workplaces by xlock'ing them, there are xlock
Variants (e.g., again, xlockmore) where you can specify that Users
be logged out automatically or by other Users' Intervention if the
xlock persists longer than a given Time.
anders@hmi.de (Thomas Anders)
The console user probably should restrict access to the local X server.
See xhost and xauth manpage.
If you allow them to login, they can start whatever they want, e.g.
by copying the application binary to /tmp, chmod 755 and start it.
Or get it by ftp, copy it to /tmp and execute. No way around.
Why not *teach* them your policy?
Taco Hettema <tacoh@gv-nmc.unisource.nl>
with "xhost -", you disallow any x-access from clients.
Amjad Zamil <amjadz@sts.com.jo>
I know an indirect way to do it :
write a script file that checks for the term id and depending on term id it
executes xlock ( or other file )
Petri Kallberg - Sun Finland - <Petri.Kallberg@Finland.Sun.COM>
If your are using CDE, XDM or similar you could modify your startup
scripts (which are run with root permissions) to do things you want.
Take a look at /usr/dt/config. There scripts like Xsetup, Xstartup and
Xreset (or in case of xdm /usr/lib/X11/xdm/TakeConsole and GiveConsole).
By modifying those you can run any command (like chmod) as root as
user logs in (or out) from system console. See comments at begining
of file to see which file to modify.
Daniel Ellis <dellis@frycomm.com>
What about writing a wrapper for these programs that checks if the user
is on console before executing?
Brent Parish <bparish@pfn.com>
I hope someone gives you a better workaround, cause this one is ugly:
Rename the X utilities to be affected.
Write scripts to replace the X utilities.
1) The script determines if user is one console.
2) If yes, calls appropriate X utility.
3) If no, warns user.
4) Script resides under /usr/openwin/bin, as name of replaced X
utility it calls.
i.e.:
This script is called xlock:
#!/bin/csh
if (`tty` == "/dev/console") then
/usr/openwin/bin/xlock
else
echo 'You are not on the console\!'
endif
"Robert G. Ferrell" <rferrell@usgs.gov>
One way would be to rename the executables of the programs in question and
call instead a shell or Perl script (world-executable but read/write only
by root; i.e., 711) that checks to see if tty=console. If not, it dumps
them back to the command line.
#!/bin/sh
if w | grep console >/dev/null 2>&1
then
/usr/openwin/bin/xlock.exec
else
echo "You must be at the console to run this program"
fi
poffen@San-Jose.ate.slb.com (Russ Poffenberger)
I don't think this is strictly possible. You can restrict based on user, group
or other permissions, but this has nothing to do with whether he is sitting at
the console or not.
About all you can do is restrict where the client can display. If there is no
permission to display, then the client won't run.
One possibility is to remove the "xhost" command, so users cannot authorize
clients from other machines to display, thus they will be limited to
displaying
on their local login console. If you need to grant access from certain
machines,
you can hard code access using the file /etc/X0.hosts (see the xhost man
page).
"Kevin P. Inscoe" <kinscoe@cbis.com>
Maybe a wrapper in C that says something like if source-terminal !=
/dev/console
then exit else run /usr/X11/bin/saved/xlock
with /saved being owned by root and chmod 500.
Then make this C program suid root...
Only thing I can come up with...
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:12:37 CDT