read-only user in solaris

how to create user that are able only to perform specific command like (df,du) and have read-only access to certain directory?

thank you
Who is Participating?
turnbulldConnect With a Mentor Commented:
You can also look at the chroot command or using a zone.  Both of these use an alternate root that you can control outside of the fill server.  I think the biggest problem you are going to run into is that. although normal users have relatively little write privileges, they have run privilege for most of the executables on the system.  If you want to limit a user to a very few executables, it is hard to do that and not affect everybody in the primary OS instance.

If you use chroot, you create a new root structure under, say, /limiteduser.  In there you will need to have all the commands, required libraries for those commands, any special device files that will matter to the user, and any other flies that matter to the tasks the user will try to do.  In the user's profile, you use the trap command to prevent the user from using CTRL-c  to stop the profile and end it with something like:

chroot /limiteduser /bin/bash

This launches a shell using /limited root as if it were / and putting the user in chroot jail.

Getting chroot right is tricky.  Another way is to establish a zone.  The zone is another instance of Solaris that shares the main instance's kernel but does not open access to the main instance's files.  Users in the zone will think they are connected to an entirely different server with its own hostname and IP address.   Within the zone, you can just remove commands you don't want the end user to have access to.  If you want to make files and material available from the host, you can share folders via NFS and mount them inside the zone.  This is, in my opinion, a lot easier and more flexible than chroot jail but it represents a lot more overhead to the server too.
What is your solaris version?

chk this,

most normal users dont have the ability to write to most critical areas of the system by default. if you need more restrictions, deploy RBAC. you can create custom rights profile to limit what a certain role can do. solaris 10 solaris 8 (update 10/01)
omar2010Author Commented:
thank u
All Courses

From novice to tech pro — start learning today.