Using command rights in a restricted shell environment

After command rights have been defined, added to role definitions, and assigned, users can execute commands in a restricted shell environment by typing the command, including any command-line options they are allowed to use.

For example, assume you have defines a command right for shutdown -r that enables users to execute the command as the root user. If you add that right to a role definition that forces users into a restricted shell environment, users assigned to that role can execute the command by typing the following:

shutdown -r

Users can only execute the specific command rights that have been added to the role within the restricted shell environment.

Running unauthorized commands

When users are assigned to roles that require a restricted shell environment, the dzsh shell provides the subset of commands the user is allowed to run and automatically runs each allowed command as the user the command is configured to run as. If the user attempts to run a command he is not authorized to use in his current role, the shell displays a warning. For example, if the user is not authorized to run the uname command in the dzsh shell, the following message is displayed:

$ uname
uname: command not allowed

Setting or changing the active role

Users who are only assigned to one or more restricted shell environments roles are only allowed to run commands within the dzsh shell. Within the restricted shell, a user can only be in one active role at a time to prevent ambiguity about the commands the user can run or the user account that should be used to execute those commands.

For example, if the user carol is assigned to the lab_staff restricted shell environment role that specifies the tar command should run as root and to the temps restricted shell environment role that specifies the tar command should run as tmp_admin, she needs to specify which role she is using to run the tar commands under the proper account.

Within the restricted shell, users can switch between available roles, as needed, using the built-in role command. If a user has been assigned to the backup_ops role and the dev_managers role, he can run the role command to specify which role should be active so that only commands from that role apply. For example, to switch from the backup_ops role to the dev_managers role:

$ role dev_managers
Role changed to: dev_managers

For more information about using the role option in a restricted shell, see the man page for dzsh.

Viewing available roles

The dzinfo command enables users to view information about the roles they have available and what they are allowed to do within their different roles. You may want to add this command to all of your restricted environment roles to allow users to check their definitions and availability within the authentication and privilege elevation restricted environment shell.

For more information about using the dzinfo command, see the man page for dzinfo.

Using a graphical desktop manager in a restricted environment

In some operating environments, users who are placed into a restricted environment may not be able to log on using a graphical user interface desktop manager unless they are explicitly given permission to run the desktop manager or related commands within the dzsh restricted environment. For example, on Red Hat Linux, users must be allowed to run /usr/bin/dbus-launch to log on using KDE or Gnome desktop manager.

To allow restricted environment users to log on using KDE or Gnome on Red Hat, you must add dbus-launch to the list of allowed commands for the restricted environment user’s role. If you want to prevent restricted environment users from logging on using the graphical user interface, you can restrict their access to specific PAM-enabled applications such as ssh.