ITEM: AW1723L

The enq and qprt commands do not work in Korn Restricted Shell.



Question:

Model:R30
Problem with queueing system/people with restricted access 
cannot print jobs

Response:

ENV: AIX 4.1.4
        Model R30

DESC: Customer is trying to implement users under a restricted shell.
        When these users try to print they get errors about
        accessing other directories that the commands they
        are executing are trying to access. For example with
        the enq command they get an error:

                0781-312 Request file_name removed from queue
                        queue_name. Could not open or stat file[s]

ACT: Asked customer what restricted shell he was using. Customer was
        using a rksh. This invokes the ksh -r. This can be done
        by hard linking the file /usr/bin/rksh to /usr/bin/ksh.
        Asked customer if the same thing happened with the 
        Rsh restricted shell. He tried this and it worked.

        Customer for now can change his users to use the
        Rsh shell but really wants to use the ksh -r as
        it provides more shell functionality and wants to
        know if there is any more setup he needs to do for the
        ksh -r to allow it to work.

ACT: these are the steps I did on soofi
cd /bin
ln -s ksh rksh
created a user called anil
logged in as anil
mkdir bin
cd bin
established the links as follows
ln -s /usr/bin/clear clear
ln -s /usr/bin/enq enq
ln -s /usr/bin/grep grep
ln -s /usr/bin/ls ls
ln -s /usr/bin/more more
ln -s /usr/bin/mux mux
ln -s /usr/bin/passwd passwd
ln -s /usr/bin/qprt qprt
ln -s /usr/bin/stty stty
ln -s /usr/bin/wc wc
ln -s /usr/bin/who who
vi .profile (the contents of .profile)
PATH=/u/anil/bin
export PATH
if [ -s "$MAIL" ]           # This is at Shell startup.  In normal
then echo "$MAILMSG"        # operation, the Shell checks
fi                          # periodically.
Logged in as root and edited the /etc/passwd file and entry is as
follows
anil:!:212:1::/home/anil:/usr/bin/rksh
Logged back as user and then executed
enq .profile
and there were no errors.

DESC: This did clear up the above error, but he still has problems with
the remote queues.  The queues give the following error

/usr/lib/lpd/aixshort 22 : /usr/bin/dspmsg: 0403-019 The operation is
not allowed in a restricted shell.
/usr/lib/lpd/aixshort 33 : /usr/bin/tr: 0403-019 The operation is not
allowed in a restricted shell.
/usr/lib/lpd/aixshort 33 : /usr/bin/awk: 0403-019 The operation is not
allowed in a restricted shell.
qstatus: (FATAL ERROR): 0781-105 Process failure.
rembak: (FATAL ERROR): 0781-237 Error writing to fd = 1.
rembak: errno = 32: There is no process to read data written to a pipe.
qstatus: (FATAL ERROR): 0781-105 Process failure.

ACT: I set up a similar test and found that I received the same errors.
This is because the rembak command is invoking the scripts aixshort
and aixlong which reference dspmsg, tr, awk by their absolute
pathnames.
The customer's concern is that they can run these things through rbsh
but not through rksh.  The only connection I can find is that
aixshort, aixlong are #!/bin/ksh scripts.
ACT: spoke with Anil.  Apparently, if a #!/bin/ksh shell script is run
from a rbsh, it runs under a normal ksh.  If it is run from a rksh,
then it runs as a rksh.  Anil is going to confirm this and contact
customer.

ACT: This is the sequence of commands that happens when a job is sent
to a remote print queue.
   the command enq is called
   This calls an executable called rembak
   rembak has the setuid bit set
   rembak calls a shell script called aixshort
   aixshort calls tr, awk by their full path names
   and then we get the error
As per the Korn shell book, when a restricted shell calls a
shell script, then the script runs as unrestricted. I tested this out
by having an executable call a shell script and it works. If the above
logic holds good, then rembak should be executed as root because of the
s bit and the aixshort should go through without any problems. Need to do
research on this.
 -K, ANIL               -576539300  -L165/-------P2S2-96/04/01-09:14--AT
ACT: Debugged rksh. Found out ksh -r in /etc/passwd would work fine and
not rksh. Ksh -r is same as rksh.
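
The three cases this ticket turns on (a bare command found through PATH, a command typed with its absolute path, and a "#!" script that itself uses an absolute path) can be checked with a small probe. This is an added example, not part of the original ticket; it uses bash's -r restricted mode as a stand-in for the AIX shells, and the sandbox directory, the helper script and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the ticket). All paths live in a throwaway
# directory; "helper" is a constructed stand-in for a script like aixshort.

# make_sandbox: private bin dir holding one symlinked tool and one "#!"
# script that calls the same tool by its absolute path.
make_sandbox() {
    sandbox=$(mktemp -d) || return 1
    mkdir "$sandbox/bin" || return 1
    tool=$(command -v wc)                 # absolute path of a harmless tool
    ln -s "$tool" "$sandbox/bin/wc"
    printf '#!/bin/sh\nprintf abc | %s -c >/dev/null\n' "$tool" \
        > "$sandbox/bin/helper"
    chmod +x "$sandbox/bin/helper"
}

# probe SHELL CMD: run CMD under "SHELL -r" with PATH limited to the
# sandbox bin directory; print "allowed" or "refused".
probe() {
    shell=$(command -v "$1") || return 2
    if env PATH="$sandbox/bin" "$shell" -r -c "$2" >/dev/null 2>&1 </dev/null
    then echo allowed
    else echo refused
    fi
}

# report SHELL: the three cases the ticket turns on.
report() {
    echo "bare name found via PATH : $(probe "$1" 'wc -c')"
    echo "absolute path typed      : $(probe "$1" "$tool -c")"
    echo "#! script via PATH       : $(probe "$1" helper)"
}

make_sandbox && report bash
rm -rf "$sandbox"
```

Changing the last call to `report ksh` runs the same probes under `ksh -r`; a "refused" on the third line there corresponds to the aixshort failure recorded above.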


Dated: April 1996 Category: N/A