This repository has been archived by the owner on Oct 13, 2023. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 3
/
tacplus-restrict.8
executable file
·86 lines (86 loc) · 2.63 KB
/
tacplus-restrict.8
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
.\" Hey, EMACS: -*- nroff -*-
.\" (C) Copyright 2016 Cumulus Networks, Inc. All rights reserved.
.TH TACPLUS-AUTH 8 "October 18, 2016"
.\" Please adjust this date whenever revising the manpage.
.SH NAME
tacplus-restrict \- set up restricted shell and links for tacplus-auth
.SH SYNOPSIS
.B tacplus-restrict
.I -u
user
.RI [ -f
(force)]
.RI [ -i
(init)] |
.RI [ -R
(restore)] |
.RI [ -a
cmd1 cmd2 ...]
.RI [ -d
cmd1 cmd2 ...]
.SH DESCRIPTION
.B tacplus-restrict
is a helper script to set up restricted shell environments for TACACS+
accounts to be used with per-command authorization (with
.BR tacplus.auth )
.P
The restricted shell (rbash) is required, because otherwise the TACACS+ user would
be able to bypass the TACACS per-command authorization checking.
.SH OPTIONS
.IP -a
Creates a symlink from
.I /usr/sbin/tacplus-auth
to each of the the requested commands to the bin sub-directory.
Those will be the only commands accessible to the user, and
only if also permitted (at runtime) by the TACACS+ server when
.I tacplus-auth
is run.
One or more commands follows the other arguments. They may be full
or relative pathnames. May not be used with
.I -d
.IP -d
Removes command symlinks for each named command from the
to each of the the requested commands to the bin sub-directory.
Those will be make the commands unavailable for the named user.
May not be used with
.I -a
.IP
If command is '*' (quoted asterisk), all commands are removed.
.IP -f
Force (re)initialization, even if it has already been done.
.IP -i
Initialize the directory. Saves any existing dot files in a
.I .DOTfiles
subdirectory. Creates a
.I bin
subdirectory for use with the
.I -a
option. Change the directory, files, and any subdirectories to be
owned by
.IR bin.bin ,
and to remove all write permissions.
Creates a
.I .bashrc
file with a PATH pointing only to a local bin subdirectory. Creates
the other
.I bash
dot files to source the
.I .bashrc
.IP -R
Restore the user's directory for normal use (reverse the -i and -a
effects). This sets the shell
to /bin/bash, and restores the saved dot files (.bashrc, etc.).
There is a 5 second warning and pause to abort prior to the
restore. If no dot files are found, the files from /etc/skel
are copied, as if a new user was being added.
.IP -u\ user
Username to be set up. This is a required argument. The user must be
a local user, so that the
.I chsh
command can be used to change the login shell. Normally the username will
be tacacs0, tacacs1, ... tacacs15, the preconfigured local users used for
mapping TACACS+ privilege levels.
.SH SEE ALSO
.IR tacplus-auth (8)
.SH AUTHOR
Dave Olson <olson@cumulusnetworks.com>