Access Control List for Login and remote execution commands.
The plan here is to create a group that can’t execute remote commands and login commands.
The commands to ACL
The following commands are identified as having the ability to login or execute remote commands.
1- telnet
2- ftp
3- rlogin
4- rsh
5- rcp
6- rexec
7- ssh
8- sftp
9- scp
Let us assume the name of the group that we want to restrict is “ibmgr”
Here are the steps to do the above.
1- Login as root to the identified server.
2- Identify the command to restrict “ex: which telnet”
3- Set your editor. #export EDITOR=/usr/bin/vi
4- Keep a history of the original acl of the command “ex: aclget /usr/bin/telnet > /tmp/telnet_acl.out”
The original output appears as follows.
#aclget /usr/bin/telnet
attributes: SUID
base permissions
owner(root): r-x
group(system): r-x
others: r-x
extended permissions
disabled
5- To enable acl, type the command acledit “ex: acledit /usr/bin/telnet”
6- In your vi editor change to the following:
#acledit /usr/bin/telnet
attributes: SUID
base permissions
owner(root): r-x
group(system): r-x
others: r-x
extended permissions
enabled
deny r-- g:ibmgr
7- Save your file.
You will be prompted with the following text:
Should the modified ACL be applied? (yes) or (no)
Type yes if you are satisfied with the changes.
8- The command #aclget /usr/bin/telnet should show the new settings.
The same will have to be done for each of the above-mentioned commands.
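The steps above, as an added script that is not part of the original page: it backs up each command's ACL, rewrites the aclget listing into the step 6 form, and applies it non-interactively with aclput instead of acledit. The aclget/aclput commands are AIX-specific; the group name “ibmgr” is the page's assumption, and BACKUP_DIR and the --apply flag are this script's own conventions.

```shell
#!/bin/sh
# Added example, not from the original page: apply the page's ACL change to
# every listed command, saving each original ACL first. aclget/aclput are
# AIX commands; "ibmgr" is the group name the page assumes; BACKUP_DIR and
# the --apply flag are this script's own conventions.
set -eu

RESTRICT_GROUP="${RESTRICT_GROUP:-ibmgr}"
BACKUP_DIR="${BACKUP_DIR:-/tmp}"
COMMANDS="telnet ftp rlogin rsh rcp rexec ssh sftp scp"

# Turn an aclget listing (stdin) into the edited form from step 6:
# "disabled" under "extended permissions" becomes "enabled" and a
# "deny r-- g:<group>" rule is appended, unless a rule for that group is
# already present. Pure text transform, so it can be checked off-box.
build_deny_acl() {
    awk -v grp="$1" '
        /^[ \t]*disabled[ \t]*$/ { print "    enabled"; next }
        $0 ~ ("g:" grp "$")      { seen = 1 }
        { print }
        END { if (!seen) print "    deny r-- g:" grp }
    '
}

# Steps 4 to 8 for one command path: back up, rewrite, apply, show result.
restrict_command() {
    path="$1"
    backup="$BACKUP_DIR/$(basename "$path")_acl.out"
    aclget "$path" > "$backup"                     # step 4: keep the original
    build_deny_acl "$RESTRICT_GROUP" < "$backup" > "$backup.new"
    aclput -i "$backup.new" "$path"                # non-interactive acledit
    aclget "$path"                                 # step 8: confirm new settings
    # Also confirm from an ibmgr account that the command is now refused.
}

main() {
    for cmd in $COMMANDS; do                       # step 2 for each command
        if path=$(command -v "$cmd" 2>/dev/null); then
            restrict_command "$path"
        else
            echo "skipping $cmd: not installed here" >&2
        fi
    done
}

# Only touch the system when explicitly asked (as root: sh restrict.sh --apply).
if [ "${1:-}" = "--apply" ]; then main; fi
```

Keep the *_acl.out backups: feeding one back through aclput restores the original ACL if a restricted command turns out to be needed.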