How can I avoid the "no home directory" message at login? How do I give a directory the bin_t label under SELinux?

Lamuna 2014-11-22 06:19:31
I wrote my own shell for restricting SSH login users. Put simply, after a user logs in, a script I customized runs directly; if a keyword the user types exceeds the "safety limit", an email recording that operation is automatically sent to root@localhost. When adding users I set up a USER_ADD alias, whose content is

alias USER_ADD='useradd -M -s /abc/d.py'


This, however, brings two problems:
First, users added this way get a message at login saying they have no home directory. Since there is no home directory, there are no .bash{rc,_profile,_logout} files either. How can I avoid showing this kind of message?

The second problem is that I have to put d.py into /bin before users logging in over ssh have permission to run the script. The first thing I thought of was SELinux, so I ran ls -Z /abc and got the label "default_t"; I also checked the label on /bin, which is "bin_t". I tried chcon -R bin_t /abc to change the label, but the system replied that there is no such thing. I can indeed switch to permissive with setenforce 0, but then every user access sends the system an email, and at a company that requires SELinux to be enabled this is certainly not acceptable. I believe there must be a way; how should I do it?

PS: I thought of something like "link -s /bin/d.py /abc/d.py", but I'm a bit of a neat freak; if possible I'd still prefer to solve it by labeling.

Thanks in advance for your advice!
10 replies
Quoting reply #4 by Lamuna:
[quote=Quoting reply #3 by micropentium6:] [quote=Quoting reply #2 by Lamuna:] [quote=Quoting reply #1 by micropentium6:] 1. Do u want new users to have a home dir?
No, I don't =_,=|||... No one has a $HOME directory. I just need them to log in, use my py script, then get out...
Quoting reply #1 by micropentium6:
2. It seems that u haven't figured out how selinux stops ur program yet. Do u have sealers installed so u could get a human-friendly log entry in /var/messages?
Sure, I just know that SELinux does its security checks based on tags. What is a sealers? How can I yum it? I do have a messages file in /var/log... but mostly it reports network errors... In fact I'm just trying to let users log in and run a python script as ...uhm... a shell...[/quote] 1. Can u set a "home" dir for all users? Say, /tmp? 2. Typo, it should be sealert[/quote] In fact I don't want to let any user set a directory as their $HOME directory. If I set it to "-d /dev/null" the alert disappears. But I don't know whether it will cause problems, since when creating a new user account I get a message that the $HOME directory already exists... I ... still don't know what a sealert is. When I use "ls -Zd" on /bin, I can see a "bin_t" tag there, but I can't chcon another "bin_t" onto new directories. It seems like there is no more than one bin_t tag in the entire system... I want to know whether there is a solution to this problem...[/quote] If you don't even have basic trust in users, you should not grant them ssh at all. I feel reluctant to ask why u have to do this weird setup in the first place. In terms of selinux, there are lots of ways to copy file context attrs. I recommend sealert because I don't understand why you are so sure bin_t is the key. But one thing I am pretty sure of is that you are a "neat freak". Besides, it appears there is no problem at all for you to speak English; google can tell you what sealert is...
Lamuna 2014-11-23
Oops... pasted.... Now the second problem may be temporarily solved, since every time I sign in to the server with ssh the script runs automatically. The problem now is that when I log into the server there is always a message shown as below:
# remember my alias like : alias USER_GEN='useradd -d /dev/null -s /abc/d.py'
no directory /dev/null!
Login with Home="/"!
I think there must be some possibility of removing them from the screen... also from log files if any...
Lamuna 2014-11-23
Quoting reply #8 by micropentium6:
First of all, you don't have to bold your screaming in red, it's rude and cheap! It would be more efficient if u could have told us what exactly u want. Your experienced friend obviously is not familiar with PostgreSQL. Otherwise, he could have let you know all u have to do is configure PostgreSQL.conf; pg's logger is able to record everything. Ur stupid py script can be retired.

As for selinux, I am sure ur experienced friend is a junior admin. The solution is based upon assumption without any ground. It's monkeying around instead of troubleshooting! He could be right on this one, but, without seeing the denial message or audit.log message, I won't give my advice; that is called professional!

Ur English is probably better than 95 percent of programmers in this forum, but don't let it blind ur mind! U have a long way to go to be a good admin.

Please DO NOT invite me to answer ur questions, u have an "experienced" friend...LOL


Uhmm... I am almost a newbie to Linux systems and I do not have any friends in IT. So, to me, any friend who could let me solve this problem (maybe just at this time) will be thought of as an experienced one... or a person who is a professional. Like what you've said, I have quite a long way to go; don't even take a bad look at this word... You should have known I did not mean that I have a god damn official right answer, and let's not talk about that again....Orz...

Another misunderstanding... I made a bold note to show what I am thinking about... As you know, I thought I'd solved that problem and the warning message appeared again. What I could see is, there are two problems, so maybe I marked a bold question to divide them into two parts...

You'll have my apology if that made you feel uncomfortable...

I want to have this environment:
Users log into the server and run login_shell.py automatically;

The good point of this env is that when the user exits the script the connection is also closed, which means users on this server can only do their routine jobs under "login_shell.py".

So, the first thing I have to do is not leave any $HOME directory to users; the second is to paste a tag or find a way to solve the SELinux problems.
Quoting reply #7 by Lamuna:
[quote=Quoting reply #6 by micropentium6:] If you don't even have basic trust in users, you should not grant them ssh at all. I feel reluctant to ask why u have to do this weird setup in the first place. In terms of selinux, there are lots of ways to copy file context attrs. I recommend sealert because I don't understand why you are so sure bin_t is the key. But one thing I am pretty sure of is that you are a "neat freak". Besides, it appears there is no problem at all for you to speak English; google can tell you what sealert is...
Oops... That's not a "trust crisis". The server is just a PostgreSQL database used for analysis. When users open a connection to the server, I need to record every command they ran and how long they stayed. The entire process is committed to a specific database, which shows there is no need to set up a $HOME directory they never use. Besides, every file and directory has its own node_id; it is a kind of waste. And again... the message "No directory /dev/null !! Logging in with home = /" shows every time a user logs in... Do you have any good ideas? As for the SELinux problem, it is an experienced friend's advice. He told me if there is any impossible permission problem, I should just change its type_t tag first, then role_u, finally the user... I've tried applying the /bin tag to /abc and the problem was solved. So I think that's what the problem is:)[/quote] First of all, you don't have to bold your screaming in red, it's rude and cheap! It would be more efficient if u could have told us what exactly u want. Your experienced friend obviously is not familiar with PostgreSQL. Otherwise, he could have let you know all u have to do is configure PostgreSQL.conf; pg's logger is able to record everything. Ur stupid py script can be retired. As for selinux, I am sure ur experienced friend is a junior admin. The solution is based upon assumption without any ground. It's monkeying around instead of troubleshooting! He could be right on this one, but, without seeing the denial message or audit.log message, I won't give my advice; that is called professional! Ur English is probably better than 95 percent of programmers in this forum, but don't let it blind ur mind! U have a long way to go to be a good admin. Please DO NOT invite me to answer ur questions, u have an "experienced" friend...LOL
Lamuna 2014-11-23
Ah! I got it from the official document! I can use --reference=/bin to give /abc the same {user:role:type} tag!
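Putting the thread's two fixes together, as an added example rather than anything posted here: an account whose home is an existing, empty directory (so login has somewhere to chdir into), a persistent bin_t rule for /abc instead of a one-off chcon --reference=/bin, and a check of the actual AVC record, which is what the sealert/audit.log advice above asks for. The AVC line is constructed, semanage/restorecon/ausearch are assumed to be installed (RHEL-style policycoreutils and auditd), and main needs root.

```shell
#!/bin/sh
# Provisioning helper for the setup in this thread: an account with no home of its own
# whose login shell is /abc/d.py, on an SELinux-enforcing host. Written for this thread,
# not the poster's script; assumes policycoreutils (semanage, restorecon) and auditd.
set -eu

LOGIN_SHELL=/abc/d.py   # the thread's script
HOME_DIR=/var/empty     # existing, root-owned, empty: no "No directory" warning, no .bashrc

# Constructed AVC record of the kind `ausearch -m AVC` prints when sshd cannot use a
# default_t file as the login shell (not taken from the thread; the permission may differ).
SAMPLE_AVC='type=AVC msg=audit(1416700000.123:456): avc:  denied  { entrypoint } for  pid=1234 comm="sshd" path="/abc/d.py" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file'

# The warning quoted in this thread appears when login cannot chdir into the home;
# /dev/null is a device node, not a directory. Accept only a real directory.
home_dir_ok() {
    [ -d "$1" ] && [ ! -L "$1" ]
}

# Target type of an AVC record (e.g. default_t), so the relabel is based on the actual
# denial rather than on guessing that bin_t is the key.
avc_target_type() {
    printf '%s\n' "$1" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p'
}

# chcon --reference=/bin (the fix found above) lasts only until the next relabel; a
# semanage rule makes restorecon reproduce bin_t for the directory and its files.
label_like_bin() {
    semanage fcontext -a -t bin_t "$1(/.*)?" 2>/dev/null \
        || semanage fcontext -m -t bin_t "$1(/.*)?"
    restorecon -Rv "$1"
}

# -M: create no home; -d: an existing directory; -s: the restricted shell (sshd runs it
# even though it is not listed in /etc/shells).
create_user() {
    useradd -M -d "$HOME_DIR" -s "$LOGIN_SHELL" "$1"
}

main() {   # run as root: main <username>
    home_dir_ok "$HOME_DIR" || { echo "$HOME_DIR is not a directory" >&2; return 1; }
    label_like_bin "$(dirname "$LOGIN_SHELL")"
    chmod 0755 "$LOGIN_SHELL"
    create_user "$1"
    ls -Zd "$(dirname "$LOGIN_SHELL")" "$LOGIN_SHELL"
    ausearch -m AVC -ts recent -c sshd || true   # should now report no matches
}

if [ $# -gt 0 ]; then main "$1"; fi
```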
Lamuna 2014-11-23
Quoting reply #3 by micropentium6:
[quote=Quoting reply #2 by Lamuna:] [quote=Quoting reply #1 by micropentium6:] 1. Do u want new users to have a home dir?
No, I don't =_,=|||... No one has a $HOME directory. I just need them to log in, use my py script, then get out...
Quoting reply #1 by micropentium6:
2. It seems that u haven't figured out how selinux stops ur program yet. Do u have sealers installed so u could get a human-friendly log entry in /var/messages?
Sure, I just know that SELinux does its security checks based on tags. What is a sealers? How can I yum it? I do have a messages file in /var/log... but mostly it reports network errors... In fact I'm just trying to let users log in and run a python script as ...uhm... a shell...[/quote] 1. Can u set a "home" dir for all users? Say, /tmp? 2. Typo, it should be sealert[/quote] In fact I don't want to let any user set a directory as their $HOME directory. If I set it to "-d /dev/null" the alert disappears. But I don't know whether it will cause problems, since when creating a new user account I get a message that the $HOME directory already exists... I ... still don't know what a sealert is. When I use "ls -Zd" on /bin, I can see a "bin_t" tag there, but I can't chcon another "bin_t" onto new directories. It seems like there is no more than one bin_t tag in the entire system... I want to know whether there is a solution to this problem...
Lamuna 2014-11-23
Quoting reply #6 by micropentium6:
If you don't even have basic trust in users, you should not grant them ssh at all. I feel reluctant to ask why u have to do this weird setup in the first place. In terms of selinux, there are lots of ways to copy file context attrs. I recommend sealert because I don't understand why you are so sure bin_t is the key. But one thing I am pretty sure of is that you are a "neat freak". Besides, it appears there is no problem at all for you to speak English; google can tell you what sealert is...
Oops... That's not a "trust crisis". The server is just a PostgreSQL database used for analysis. When users open a connection to the server, I need to record every command they ran and how long they stayed. The entire process is committed to a specific database, which shows there is no need to set up a $HOME directory they never use. Besides, every file and directory has its own node_id; it is a kind of waste. And again... the message "No directory /dev/null !! Logging in with home = /" shows every time a user logs in... Do you have any good ideas? As for the SELinux problem, it is an experienced friend's advice. He told me if there is any impossible permission problem, I should just change its type_t tag first, then role_u, finally the user... I've tried applying the /bin tag to /abc and the problem was solved. So I think that's what the problem is:)
Quoting reply #2 by Lamuna:
[quote=Quoting reply #1 by micropentium6:] 1. Do u want new users to have a home dir?
No, I don't =_,=|||... No one has a $HOME directory. I just need them to log in, use my py script, then get out...
Quoting reply #1 by micropentium6:
2. It seems that u haven't figured out how selinux stops ur program yet. Do u have sealers installed so u could get a human-friendly log entry in /var/messages?
Sure, I just know that SELinux does its security checks based on tags. What is a sealers? How can I yum it? I do have a messages file in /var/log... but mostly it reports network errors... In fact I'm just trying to let users log in and run a python script as ...uhm... a shell...[/quote] 1. Can u set a "home" dir for all users? Say, /tmp? 2. Typo, it should be sealert
Lamuna 2014-11-22
Quoting reply #1 by micropentium6:
1. Do u want new users to have a home dir?
No, I don't =_,=|||... No one has a $HOME directory. I just need them to log in, use my py script, then get out...
Quoting reply #1 by micropentium6:
2. It seems that u haven't figured out how selinux stops ur program yet. Do u have sealers installed so u could get a human-friendly log entry in /var/messages?
Sure, I just know that SELinux does its security checks based on tags. What is a sealers? How can I yum it? I do have a messages file in /var/log... but mostly it reports network errors... In fact I'm just trying to let users log in and run a python script as ...uhm... a shell...
1. Do u want new users to have a home dir? 2. It seems that u haven't figured out how selinux stops ur program yet. Do u have sealers installed so u could get a human-friendly log entry in /var/messages?
