The following menush script allows specialized access to root functions. System administrators can establish accounts to allow other users to perform functions, such as backups, killing hung processes, or managing print jobs. While these functions require root authority, it is often undesirable to allow access to all root functions. This document applies to AIX Versions 3.2.5, 4.1, 4.2 and 4.3.
The product documentation library is also available:
http://www.rs6000.ibm.com/resource/aix_resource/Pubs/index.html
The menush script provides a menu of options and is invoked as an operator account's initial program in place of a shell. The first line of the script, #!/bin/ksh, is not a comment: it names the interpreter and is required for the script to run when it is used as a login program.
NOTE: In order for this script to work, all lines, including comments (lines beginning with a #), must start in column one. If the copy reproduced here has been indented, or carries a leading | (pipe character) or page headers and footers from the document formatting, remove them before installing the script.
#!/bin/ksh
# This script is a menuing program that can be used to
# give operators access to superuser level commands,
# such as backup, shutdown, kill, etc. without giving
# them a root shell. This works by making this script the initial
# program of the users so that when they log in,
# they have UID 0 but do not get a shell prompt. It
# requires a user defined startup file in the HOME
# directory of the "operator" account called .menushrc,
# which is defined as follows:
#
# Menuname
# 1=Option Name=/path/command=prompt=page
# 99
#
# where Menuname is a one word name for the menu, followed
# by up to 15 option lines consisting of an option number,
# text for the option, command to run, prompt text or the
# word none, and the word yes or no to indicate if the
# output of the command should be piped through
# the pg command. The 99 at the end of the options is
# required to signal the end of the option lines.
#
# First we set up a trap that disables break (^C), which the
# wily operator might try to use to get a root shell.
trap "" 2
# Now define a function to process the user selected option.
# It looks the option number ($resp) up in .menushrc and pulls
# out the option text, command, prompt and page fields.
process_option()
{
  ITEXT=$(grep "^$resp=" $HOME/.menushrc | cut -d'=' -f2)
  PROMPT=$(grep "^$resp=" $HOME/.menushrc | cut -d'=' -f4)
  CMD=$(grep "^$resp=" $HOME/.menushrc | cut -d'=' -f3)
  PG=$(grep "^$resp=" $HOME/.menushrc | cut -d'=' -f5)
  if [ "$CMD" != "" ]
  then
    if [ "$PROMPT" != "none" ]
    then
      echo " "
      echo "\t\t\t$PROMPT\c"
      read input
      echo $(date)" "$ITEXT" "$input >>$HOME/menush.log
# Note that $input is handed to eval exactly as the operator typed it.
      if [ "$PG" != "yes" ]
      then
        eval $CMD $input
      else
        eval $CMD $input | pg -n
      fi
    else
      echo $(date)" "$ITEXT >>$HOME/menush.log
      if [ "$PG" != "yes" ]
      then
        eval $CMD
      else
        eval $CMD | pg -n
      fi
    fi
  else
    echo $(date)" "$resp" Invalid option" >>$HOME/menush.log
    echo "\t\t\tInvalid option"
    sleep 2
  fi
}
# Now we parse the $HOME/.menushrc file to get the valid
# menu options. If this file does not exist, exit
# immediately. If we find the file, use it to display
# the menu and continue to do so until the user
# selects option 0 to exit.
if [ -r $HOME/.menushrc ]
then
  IFS='='
  resp="99"
  while [ "$resp" != "0" ]
  do
    exec < $HOME/.menushrc
    read menuname
    clear
    echo "\t\t\t\t$menuname Menu"
    echo " "
    read inum iname icmd iprompt ipg
    while [ "$inum" != "99" ]
    do
      echo "\t\t$inum\t$iname"
      read inum iname icmd iprompt ipg
    done
    echo "\t\t0\tExit"
    echo " "
# Put standard input back on the terminal (file descriptor 1 is
# the terminal when the menu is run interactively).
    exec <&1
# See the note on echo -n below: on 4.x drop the -n and keep the \c.
    echo -n "\t\t\tSelection: \c"
    read resp
    case $resp in
      "0") exit;;
      "1"|"2"|"3"|"4"|"5"|"6"|"7"|"8"|"9"|"10"|"11"|"12"|"13"|"14"|"15") process_option;;
      *) echo $(date)" "$resp" Invalid option" >>$HOME/menush.log
         echo "\t\t\tInvalid option"
         sleep 2;;
    esac
  done
else
  echo "\t\tNo .menushrc found. Exiting."
  sleep 2
  exit
fi
Install the script as /usr/sbin/menush, owned by root, and make it readable and executable by root and its group only:
chmod 0750 /usr/sbin/menush
Create the operator account (with SMIT, for example), then edit its entry in /etc/passwd. As created, the entry looks like this:
operator:*:201:10::/u/operator:/bin/ksh
201 and 10 are the UID and GID assigned by the SMIT command. Change both numbers to 0 and replace the initial program at the end of the line with the menu script:
operator:*:0:0::/u/operator:/usr/sbin/menush
NOTE: Only the UID, GID and initial-program fields change; leave the other fields of the line as they are.
The .menushrc file has the following layout:
Menuname
1=Option text=command=prompt=page
99
Menuname is the one-word name for this menu, such as "Operator", followed by up to 15 option definition lines, followed in turn by the number 99, which signals the end of the menu definition. Each option line has five fields separated by = signs: the option number (1 to 15), the text shown on the menu, the command to run, the prompt displayed before the operator's input is read (or the word none if the command takes no input), and yes or no to say whether the command's output is piped through pg. A sample .menushrc file might look like this:
Operator
1=Kill a process=/bin/kill -9=PID to kill: =no
2=Kill a print job=/usr/bin/qcan -x=Job number? =no
3=Show status of print jobs=/usr/bin/lpstat=none=yes
4=Change Operator Password=/usr/bin/passwd operator=none=no
99
All lines must start in the first column. In the preceding example, the menu name is Operator. Options that don't require further input from the operator have their prompts set to none. The command portion of the option definition line must give the complete path name of the command or script to be executed, since no PATH is set for this account; because the script splits each line on =, neither the command nor the prompt may itself contain an = sign. This file should be owned by root and have read and write permission for the owner only.
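A malformed .menushrc is only discovered when an operator selects the broken option, and the script's grep/cut parsing fails silently on a line that does not match the layout above. The checker below applies those rules to a file before it is installed. It is an added example written for this page, not part of the IBM script; the function name check_menushrc and the two sample files it is run against are constructed for the demonstration.

```shell
#!/bin/sh
# check_menushrc FILE: verify that FILE follows the layout menush parses
# (one-word menu name, option lines of five =-separated fields with option
# numbers 1-15, full-path commands, a yes/no page field, everything in column
# one, a 99 terminator). Prints one line per problem, returns 1 if any found.
# Added example for this page, not part of the IBM script.
check_menushrc() {
    awk -F'=' '
    NR == 1 {
        if ($0 !~ /^[A-Za-z0-9_]+$/) { print "line 1: menu name must be one word"; bad++ }
        next
    }
    ended        { print "line " NR ": text after the 99 terminator is never read"; bad++; next }
    $0 == "99"   { ended = 1; next }
    /^[ \t]/     { print "line " NR ": must start in column one"; bad++; next }
    NF != 5      { print "line " NR ": expected 5 =-separated fields, found " NF; bad++; next }
    $1 !~ /^(1[0-5]|[1-9])$/ { print "line " NR ": option number must be 1-15, got " $1; bad++; next }
    ($1 in seen) { print "line " NR ": duplicate option number " $1; bad++ }
                 { seen[$1] = 1 }
    $3 !~ /^\//  { print "line " NR ": command needs a full path (no PATH is set): " $3; bad++ }
    $4 == ""     { print "line " NR ": prompt must be text or the word none"; bad++ }
    $5 != "yes" && $5 != "no" { print "line " NR ": page field must be yes or no, got " $5; bad++ }
    END {
        if (!ended) { print "missing 99 terminator"; bad++ }
        exit bad ? 1 : 0
    }' "$1"
}

# Constructed sample files (not from the document) to exercise the checker.
MENUSH_TMP=${TMPDIR:-/tmp}/menushrc-check.$$
mkdir -p "$MENUSH_TMP"
cat >"$MENUSH_TMP/good.menushrc" <<'EOF'
Operator
1=Kill a process=/bin/kill -9=PID to kill: =no
2=Show status of print jobs=/usr/bin/lpstat=none=yes
99
EOF
# Every line of this one breaks a rule: two-word name, leading blank, command
# without a path, option number 16, "=" inside a command (chdev -a speed=9600
# is split into six fields), a bad page field, and no 99 terminator.
cat >"$MENUSH_TMP/bad.menushrc" <<'EOF'
Night Operator
 1=Kill a process=/bin/kill -9=PID to kill: =no
2=Kill a print job=qcan -x=Job number? =no
16=Too many=/usr/bin/true=none=no
4=Set speed=/usr/sbin/chdev -l tty0 -a speed=9600=none=no
3=Paged=/usr/bin/lpstat=none=maybe
EOF

check_menushrc "$MENUSH_TMP/good.menushrc" && echo "good.menushrc: OK"
check_menushrc "$MENUSH_TMP/bad.menushrc" || echo "bad.menushrc: problems found"
```

Run it as root against the operator's $HOME/.menushrc after every edit; a non-zero exit means at least one option will either never match the script's grep "^$resp=" lookup or will hand a mangled command to eval.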
NOTE: You cannot use any program in your operator menu that requires an interactive shell. This means that programs that expect input from the user, such as SMITTY, cannot be used.
Now the operator can only access this account by using the su command. This is done so that a record exists of when a user logs in as operator (this is recorded in the /var/adm/sulog). In addition, the script will write a log file in the operator $HOME directory called menush.log that records the date, the time, and the menu option selected.
In versions 4.x the echo command does not support the -n flag. The only line affected is the one that prints the Selection prompt.
The syntax for version 3.2 is:
echo -n "\t\t\tSelection: "
The syntax for versions 4.x must be:
echo "\t\t\tSelection: \c"
This script can create security problems depending on the options that are available to the operator. Consider, for example, an option such as User Management that invokes the SMIT fastpath to the Security & Users menu. Using that option, the operator could select the SMIT entry to change the characteristics of a user and change his own initial program to a regular shell, thus gaining access to all functions reserved for root. Two weaknesses in the script itself deserve the same attention. First, process_option passes whatever the operator types at a prompt to eval without checking it, so answering the "PID to kill:" prompt in the sample menu with "1234; /bin/ksh" runs a root shell after the kill; restrict prompted options to commands that are harmless with arbitrary arguments, or validate the answer before it reaches eval. Second, pg, like more, accepts !command to run a shell command from within the pager, so every option with the page field set to yes also gives the operator a root shell; avoid paged options or use a pager without a shell escape.
Therefore, the system administrator should take care when selecting what options to give to the operator account, and should test for possible security holes.
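As an added example (not part of the IBM document), this is one way to close the eval hole described above: an allow-list check on the operator's answer before it reaches the command, and a replacement for the eval call that keeps the answer as exactly one argument. The names safe_input, run_option and MENUSH_LOG are assumptions of this example, and /bin/echo stands in for /bin/kill -9 so the demonstration kills nothing.

```shell
#!/bin/sh
# Hardened input handling for process_option. Added example, not part of the
# IBM script: in the original, "eval $CMD $input" runs whatever the operator
# typed at the prompt, so answering "PID to kill:" with "1234; /bin/ksh" gives
# a root shell. The fix is an allow-list on the answer plus a replacement for
# the eval that passes the answer as a single argument.

# safe_input STRING: return 0 if STRING is acceptable as one command argument.
safe_input() {
    case $1 in
        "")                  return 1 ;;  # empty answer: do not run the command bare
        *[!A-Za-z0-9_.-]*)   return 1 ;;  # any other byte (space ; | & $ ` < > ( ) quotes ...) is rejected
        -*)                  return 1 ;;  # would be taken as an option (kill -9 -1 kills every process)
        *)                   return 0 ;;
    esac
}

# run_option CMD INPUT LOGFILE: validate INPUT, log it, and run CMD with INPUT
# appended as one argument, without eval. Returns 2 on a rejected answer.
run_option() {
    cmd=$1
    input=$2
    log=$3
    if ! safe_input "$input"; then
        echo "$(date) REJECTED input for [$cmd]: $input" >>"$log"
        echo "Input rejected: use only letters, digits, '.', '_' or '-'"
        return 2
    fi
    echo "$(date) $cmd $input" >>"$log"
    # In a subshell: restore default word splitting (menush sets IFS='=' while
    # it reads the menu file, which would stop CMD splitting into words),
    # disable globbing so -9 or * is never expanded, split CMD, keep INPUT
    # whole, and exec the result. No shell ever re-parses the operator's text.
    ( unset IFS; set -f; set -- $cmd "$input"; exec "$@" )
}

# Constructed demonstration (not from the document): a normal answer, an
# injection attempt and a "-1", with /bin/echo standing in for /bin/kill -9.
# MENUSH_LOG is an assumed location for the audit log.
MENUSH_LOG=${TMPDIR:-/tmp}/menush-demo.$$.log
for typed in "1234" "1234; /bin/ksh" "-1"; do
    if run_option "/bin/echo would run: /bin/kill -9" "$typed" "$MENUSH_LOG"; then
        :
    fi
done
```

The allow-list is deliberately narrow because every prompted option in the sample menu expects a number; widen it per option (a second field in .menushrc naming a pattern, for instance) rather than loosening it for all of them. Note that this only covers the prompt; the pg shell escape for page=yes options is a separate problem.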
[ Doc Ref: 90605218114810 Publish Date: Dec. 15, 2000 4FAX Ref: none ]