Nancy Mathew
18th June 2002, 21:35
Hi,
Would anyone have an idea as to how I can disable shell access for a user but at the same time allow the user to boot to Baan?

Regards.

patvdv
18th June 2002, 21:45
Hi Nancy,

You have a couple of options here:

First of all you can set the user shell to 'None' in Maintain User Data, but that doesn't really help in case of a Baan Super User.

Secondly you can make Baan 'auto start' from the .profile or alternative login profile for that user. Together with a trap command you can avoid the user breaking out into the UNIX shell.

Another option is to change the permission on the ottstpshell object but I am not really in favour of that.

There will be more possibilities but my preference would be #2.

Nancy Mathew
18th June 2002, 21:47
Hi Pat,
Could you elaborate on those?

patvdv
18th June 2002, 21:57
Any specifics you want to know Nancy?

1) Check the session Maintain User Data, 2nd form (I think)

2) With the .profile route you have endless options. You could e.g. set up a little ASCII menu to present the user at login time or simply start the ba6.1. For example, you could give the user the option to log into Baan and/or change the password.

3) Make it bsp accessible only

Another option I actually never tried myself is to define a false or restricted shell in the user definition in /etc/passwd. I would have to check if that holds up yes or no.
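An illustration of the .profile route described above (auto start plus a trap and a small ASCII menu), added here as an example and not taken from any poster's system. It applies to ba6.1 character-mode logins; the menu layout, the function names and the assumption that ba6.1 and passwd are on the PATH are hypothetical.

```shell
# Constructed example: restricted login profile for a ba6.1 (ASCII) user.
# Assumption: this file is owned by root and not writable by the user,
# otherwise the user can simply edit the restriction away.

# Ignore the signals a user can raise from the keyboard (Ctrl-C, Ctrl-\,
# Ctrl-Z) plus HUP/TERM, so the menu cannot be interrupted into a prompt.
# Ignored signals stay ignored in the programs started from the menu.
lock_signals() {
    trap '' HUP INT QUIT TERM TSTP
}

# Map the typed choice to an action keyword. The whole input must match one
# menu entry exactly; anything else is rejected and never reaches a command
# line, so extra text after the digit has no effect.
menu_action() {
    case "$1" in
        1) echo baan ;;
        2) echo passwd ;;
        3) echo logout ;;
        *) echo invalid ;;
    esac
}

restricted_login() {
    lock_signals
    while :; do
        printf '\n1) Start Baan\n2) Change password\n3) Logout\nChoice: '
        IFS= read -r choice || exit 0      # EOF (Ctrl-D) ends the session
        case "$(menu_action "$choice")" in
            baan)   ba6.1 ;;               # back to the menu when Baan exits
            passwd) passwd ;;
            logout) exit 0 ;;
            *)      echo "Invalid choice" ;;
        esac
    done
}

# Only take over interactive logins; always exit afterwards so control
# never falls through to a shell prompt.
case "$-" in
    *i*) restricted_login; exit 0 ;;
esac
```
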

NPRao
18th June 2002, 22:39
Hi Nancy,

You can use 3 check points -

1. when a unix account is created, the administrator can specify no shell access.

2. If you are using the worktop, you block the shell access from the drop down box where you type in !ksh -v by disabling that option from the user data.

3. Instead of removing the permissions on Unix $BSE/tools for the shell programs, we implemented it from the role templates where we gave no authorizations to the sessions ttstpshell and ttstpvtemul, ttstpvtemul_r, ttstpivtemul, ttstpivtemul_r (terminal emulators).

Now, our system is quite secure and the users cannot log into the Unix, or get shell access from BaaN too. :D

Nancy Mathew
18th June 2002, 23:19
Hi,
I got that. We also have ksh -o vi disabled. But what we want is that, in the option dialog, when we do a start shell the "normal user" should not be able to go to shell. Is it also possible to do it for superusers? Also Pat, you were saying something about auto start for Baan in .profile, can you discuss that....

Regards
Nancy

NPRao
18th June 2002, 23:39
Nancy,

The step-3 I mentioned stops the users from getting into the shell from the option dialog.

I don't think you can stop the superusers from using the shell access. But one possibility is that in Unix, if you have the users in a different group from the BSP then you can set 750 permissions on the $BSE/tools/../ottstp/ostpshell etc objects. Then even if they are normal or super users they cannot execute that object.

I am curious about Pat's idea of the autostart option. I am guessing Pat's idea might work on the BaaN-4 ASCII series and not on the BaaN-5 series.

But when a user logs into a BaaN environment, the user's .profile is not read/picked up. If the settings have to be invoked you have to use

!ksh -c .profile

So can you please let us know which version of BaaN you are using? And maybe fill in your info in the profile so that everyone can look it up before they reply.

Thanks!

Nancy Mathew
19th June 2002, 00:23
Hi Rao,
Could you specify the other settings you did other than session authorization by session? I still can't find any success.

What I did was just add these sessions in "session authorization by session" with no authorization marked.

But I can still access the shell through the option dialog (normal user).

It's a Baan5.0b environment.

Regards
Nancy

NPRao
19th June 2002, 00:38
Nancy,

I did the session authorizations by session.

Did you convert to runtime DD, log out and log back in for the changes to be effective?

We are on a BaaN-5.2 environment with Worktop etc. So I do not have any option dialog box here to check. I guess others might help you out.

Here is a screenshot of the bw file which comes down on my start bar and the start shell is blocked.

Another alternative is to find the session code of the "option dialog" session, and check the table ttadv314 for that button, "Start shell", which has the session code to it and block that session in the role templates.

patvdv
19th June 2002, 10:23
The 'auto start' from the .profile is indeed for ba6.1 users only.