read-only user in solaris

how to create user that are able only to perform specific command like (df,du) and have read-only access to certain directory?

thank you
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

What is your solaris version?

chk this,

most normal users dont have the ability to write to most critical areas of the system by default. if you need more restrictions, deploy RBAC. you can create custom rights profile to limit what a certain role can do. solaris 10 solaris 8 (update 10/01)
You can also look at the chroot command or using a zone.  Both of these use an alternate root that you can control outside of the fill server.  I think the biggest problem you are going to run into is that. although normal users have relatively little write privileges, they have run privilege for most of the executables on the system.  If you want to limit a user to a very few executables, it is hard to do that and not affect everybody in the primary OS instance.

If you use chroot, you create a new root structure under, say, /limiteduser.  In there you will need to have all the commands, required libraries for those commands, any special device files that will matter to the user, and any other flies that matter to the tasks the user will try to do.  In the user's profile, you use the trap command to prevent the user from using CTRL-c  to stop the profile and end it with something like:

chroot /limiteduser /bin/bash

This launches a shell using /limited root as if it were / and putting the user in chroot jail.

Getting chroot right is tricky.  Another way is to establish a zone.  The zone is another instance of Solaris that shares the main instance's kernel but does not open access to the main instance's files.  Users in the zone will think they are connected to an entirely different server with its own hostname and IP address.   Within the zone, you can just remove commands you don't want the end user to have access to.  If you want to make files and material available from the host, you can share folders via NFS and mount them inside the zone.  This is, in my opinion, a lot easier and more flexible than chroot jail but it represents a lot more overhead to the server too.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
omar2010Author Commented:
thank u
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Unix OS

From novice to tech pro — start learning today.