Solved

Removing access to the Terminal Window

Posted on 2014-02-07
7
387 Views
Last Modified: 2014-04-27
I have an environment where users log onto a Solaris 10 system using JDS and I would like to remove access to the Terminal Window. Is there a way to do this without disabling the ability to actually log on?
0
Comment
Question by:mritwonderful
7 Comments
 
LVL 62

Expert Comment

by:btan
ID: 39844033
May want to see if this helps - key is to disable XDMCP. E.g. setting Remote Services enabled to no will load generic_limited_net.xml, limiting all remote networking services to the localhost except for secure shell.

http://www.softpanorama.org/Xwindows/Xdmcp/enabling_xdmcp_in_solaris_10.shtml

related - dtlogin is disabled by running it on port 0 instead of the default port 177
http://www.sunmanagers.org/pipermail/summaries/2007-September/008300.html
0
 

Author Comment

by:mritwonderful
ID: 39846306
Breadtan,

I'll look into those links some more but I do not think they will help me achieve what I'm looking to do. I am running Sun Ray services and all of my users access the Solaris server using thin clients. I want the users to be able to log in to the server using JDS but I do not want them to be able to open a terminal window. I'm trying to lock things down so users can't run anything from the command line.
0
 
LVL 62

Expert Comment

by:btan
ID: 39846395
Thanks for sharing. I am wondering if Controlled Access Mode (CAM) in Kiosk Mode (link) will fit the use case,
- CAM Chooser Application (link)
- CAM Mode going into restricted jds (link)
0

 

Author Comment

by:mritwonderful
ID: 39861537
breadtan,

I'm using Solaris 10 Trusted Extension and my users need to be able to log in and access multiple zones. I need to lock down the terminal in each zone. I'm thinking this would only work on a system that just has a Global zone and not multiple non-global zones.
0
 
LVL 62

Expert Comment

by:btan
ID: 39861659
I was reading some material and such extension has label e.g. Classification Labels and Sensitivity Labels are associated with a specific zone. When users log in to a zone, any processes and files that are accessed or created in that zone are set to the Classification and Sensitivity Label assigned to that zone. And if the host does not have Solaris Trusted Extensions, it will only be bound to a specific single label. This means that the host will be able to connect only to a single zone on the Solaris Trusted Extensions system, assuming it is trying to remote into the extension system. This then defeats your intent for multiple zones login.

So if user is to log in to trusted extension and logged in to a multilevel session. May not be able to prevent use of JDS but maybe restrict the data transfer between labels such as below:
http://docs.oracle.com/cd/E18752_01/html/819-0868/ugelem-16.html#ugtour-23

There is also mention of Application Manager Security which I am wondering restricting other apps to further lockdown only basic apps to limit user actions
http://docs.oracle.com/cd/E18752_01/html/819-0868/ugelem-42.html#ugelem-24
0
 

Accepted Solution

by:
mritwonderful earned 0 total points
ID: 40016654
I was able to remove access to the terminal by changing its permissions and removing everyone's access to the file by changing the group access only.
0
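
The permission change described in the accepted solution, sketched as an added example that is not part of the original thread: it hands a terminal binary to one group with no access for anyone else, then checks which other emulators are still world-executable. The group and the stand-in file names are assumptions; the thread does not say which file or group was used.

```shell
#!/bin/sh
# Added example, not from the thread. Group and file names are assumptions.

# other_can_exec FILE: succeeds if users outside owner/group can execute FILE.
other_can_exec() {
    case `ls -ld "$1" | cut -c10` in
        x|t) return 0 ;;   # 10th mode character is the "other" execute bit
        *)   return 1 ;;
    esac
}

# lock_terminal FILE GROUP: give FILE to GROUP, set mode 750, then verify.
lock_terminal() {
    chgrp "$2" "$1" && chmod 750 "$1" || return 1
    other_can_exec "$1" && return 1
    return 0
}

# audit_terminals FILE...: print each existing FILE that is still world-executable.
audit_terminals() {
    for f in "$@"; do
        if [ -f "$f" ] && other_can_exec "$f"; then
            echo "$f"
        fi
    done
}

# run_demo: exercise the functions on constructed stand-in files in a scratch
# directory (empty files, not real binaries). The caller's primary group
# stands in for a hypothetical administrative group.
run_demo() {
    d=${TMPDIR:-/tmp}/termlock.$$
    mkdir "$d" || return 1
    for n in gnome-terminal xterm dtterm; do
        : > "$d/$n" && chmod 755 "$d/$n"
    done
    lock_terminal "$d/gnome-terminal" "`id -gn`" || { rm -rf "$d"; return 1; }
    # Only the emulators that were not locked should be reported.
    audit_terminals "$d/gnome-terminal" "$d/xterm" "$d/dtterm" | sed "s|^$d/||"
    rm -rf "$d"
}

run_demo
```

Locking one binary leaves any other installed emulator usable, which is what the audit step reports; package updates can reset file modes, so the audit is worth re-running after patching.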
 

Author Closing Comment

by:mritwonderful
ID: 40025537
This was the only viable solution to my question.
0


Question has a verified solution.
