3.14.3 Notes
-
No format checking is performed on this definition file.
-
If there is no definition file, the function for limiting directory access is disabled.
-
If the definition file does not contain any valid definitions, the function for limiting directory access is disabled.
-
The function for limiting directory access is disabled for (not applied to) a user that is not specified in the definition file.
-
If [all] is specified, that definition applies to all users.
-
The definition of [disable_list] takes precedence over the definition of [enable_list]. For this reason, the function for limiting directory access is disabled for (not applied to) a user that is specified in both [enable_list] and [disable_list].
-
When the function for limiting directory access is used, a user's home directory is changed to the root directory. If you use the absolute path to specify file and directory names at the client or the auto-start programs that are used at the server, delete the part that indicates the user's home directory.
-
If a user to whom the function for limiting directory access is applied is to start auto-start programs, check in advance that the shell and programs that are to be started can actually start in the directory-limited environment. Use the chroot command for this checking (for details about the chroot command, see the OS documentation).
- Example
-
This example checks the execution of sample.sh immediately under the home directory of user user1 for whom the function for limiting directory access is enabled (operation performed as a superuser):
# chroot ~user1 /sample.sh
-
When the function for limiting directory access is used, the user can execute only those programs under the user's home directory. If an automatically executed program is used, place the program and the shared libraries used by that program appropriately under the user's home directory.
-
The location of the program will be the directory that is obtained by adding the path name defined in the PATH environment variable to the user's home directory. The location of the shared libraries will be the path that is obtained by adding the library search path to the user's home directory path.
-
Login and logout information for users for whom the function for limiting directory access is enabled is not recorded in the OS's wtmpx file.
-
In AIX, create a /dev/null device under the home directory of the user for whom the function for limiting directory access is enabled. Set the file type, major and minor numbers, and access permissions of the copied dev/null to the same values as for the original /dev/null device.
- Example
-
When user1 is a user to whom the function for limiting directory access is applied (operation performed as a superuser):
# ls -l /dev/null
crw-rw-rw- 1 root system 2, 2 Nov 20 13:10 /dev/null
# mkdir ~user1/dev
# mknod ~user1/dev/null c 2 2
# chmod 0666 ~user1/dev/null
# chown -R root:system ~user1/dev
-
In AIX, if you select Link with JP1/IM in the environment definition, copy the files listed below as is including the path under the home directory of the user to whom the function for limiting directory access is applied. Set the settings, such as file access permissions and link status, to the same values as for the source.
-
All files under /opt/jp1_fts/lib/nls
- Example
-
When user1 is a user to whom the function for limiting directory access is applied (operation performed as a superuser):
# cd /
# tar cvf /tmp/work.tar opt/jp1_fts/lib/nls
# cd ~user1
# tar xvf /tmp/work.tar
-
-
In Linux, create a copy of the /etc/localtime file under the home directory of the user to whom the function for limiting directory access is applied. Set the same access permissions to the copied etc/localtime file as for the original /etc/localtime file. If the /etc/localtime file is a symbolic link, also copy the entity file in the same manner.
- Example
-
When user1 is a user to whom the function for limiting directory access is applied (operation performed as a superuser):
# cd /
# tar cvf /tmp/work.tar etc/localtime
# cd ~user1
# tar xvf /tmp/work.tar
-
In Linux, if the environment variable JP1FTS_PRIVILEGE_ADDITION is set to ON and auto-start programs are to be started for a user for whom the function for limiting directory access is enabled, create /dev/null and /dev/full devices under the home directory of that user. Set the file type, major and minor numbers, and access permissions of the copied dev/null to the same values as for the original /dev/null device. In addition, set the file type, major and minor numbers, and access permissions of the copied dev/full to the same values as for the original /dev/full device.
- Example
-
When user1 is a user for whom the function for limiting directory access is enabled (operation performed as a superuser):
# ls -l /dev/null
crw-rw-rw- 1 root root 1, 3 Mar 13 01:06 2013 /dev/null
# mkdir ~user1/dev
# mknod ~user1/dev/null c 1 3
# chmod 0666 ~user1/dev/null
# ls -l /dev/full
crw-rw-rw- 1 root root 1, 7 Mar 13 01:06 2013 /dev/full
# mknod ~user1/dev/full c 1 7
# chmod 0666 ~user1/dev/full
# chown -R root:root ~user1/dev