I need to have my users log on and only run our business application; no shell, no SFTP access whatsoever.

The following options should get you close to what you need. If you want certain users (called the BusApp group for this example) to only have access to your business application and not have SFTP or port forwarding, you can use a combination of two different VShell® configuration options (AccessControl and ChrootUsers or ChrootGroups) combined with a controlled setup on the UNIX box.

Using the AccessControl configuration option, you can configure VShell so that the group of users that you want to have access to your business application does not have access to SFTP or port forwarding. Then you can change it so that the members of the BusApp group are "jail shelled" to their home folder (which you can set to a directory that only contains your business application).

Note: All shared libraries must also be moved to the user's home directory when using ChrootUsers or ChrootGroups.

Example of the vshelld_config file:
...
AccessControl {
    Login {
        AllowGroups { BusApp, users }   # Allow members of users and BusApp login access
    }
    Shell {
        AllowUsers { bob }              # Allow Bob the IT manager shell access
        AllowGroups { BusApp }          # Allow the group BusApp shell access (they are jailed)
    }
    SFTP {
        AllowUsers { bob }              # Allow Bob the IT manager SFTP access
    }
    RemoteExecution {
        AllowUsers { bob }              # Allow Bob remote execution access
        DenyGroups { BusApp }           # Deny the group BusApp remote execution access
    }
    PortForwarding { }                  # No one can port forward
    RemotePortForwarding { }            # No one can remote port forward
}
ChrootGroups { BusApp }
...
Then, in your /etc/passwd file for your BusApp members, define their shells and home folders as follows (assuming that you create a directory called /jail/bin and it has your BusApp in it):

In /etc/passwd:
...
Alice:x:512:530:Jailed User Sally:/jail:/bin/BusApp
Ted:x:513:530:Jailed User Ted:/jail:/bin/BusApp
...
In /etc/group:
...
BusApp:x:530:
...
This way, when your BusApp users connect to VShell, they will automatically be placed in the jail folder (which will look like their root, /), and bin/BusApp will be executed as their shell.
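
The following is an added example, not VanDyke's code: a shell sketch that checks the two things this setup depends on, namely that each jailed account's shell is executable inside its chroot and that the shared libraries the application needs have copies in the jail. The function names and the optional ROOT argument are assumptions of this example; GID 530, /jail and /bin/BusApp are the page's values.

```shell
#!/bin/sh
# Added example: sanity checks for the chroot setup described above.
# Function names and the optional ROOT argument are assumptions of this example.

# check_accounts PASSWD_FILE GID [ROOT]
# For every account whose primary GID is GID, confirm that the home directory
# (the chroot target) exists and that the login shell is executable *inside*
# it, since the shell path is resolved relative to the jail after chroot.
# ROOT is an optional prefix for auditing a staged copy of the filesystem.
check_accounts() {
    root=${3:-}
    rc=0
    while IFS=: read -r name _pw _uid gid _gecos home shell; do
        [ "$gid" = "$2" ] || continue
        if [ ! -d "$root$home" ]; then
            echo "$name: jail directory $home does not exist"; rc=1
        elif [ ! -x "$root$home$shell" ]; then
            echo "$name: shell $shell is not executable inside $home"; rc=1
        fi
    done < "$1"
    return $rc
}

# missing_libs JAIL   (reads `ldd` output on stdin)
# Prints every resolved library path that has no copy under JAIL.
missing_libs() {
    rc=0
    for lib in $(awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
                      $1 ~ /^\//               { print $1 }'); do
        [ -e "$1$lib" ] || { echo "$lib"; rc=1; }
    done
    return $rc
}

# Typical use on the server, with the page's values:
#   check_accounts /etc/passwd 530
#   ldd /jail/bin/BusApp | missing_libs /jail
```

Both functions return non-zero when they report a problem, so they can gate a deployment script.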
VShell, SecureCRT, SecureFX, Entunnel, CRT, and AbsoluteFTP are trademarks or registered trademarks of VanDyke Software, Inc. in the United States and/or other countries. All other trademarks or registered trademarks are the property of their respective owners. Copyright © 1995 - VanDyke Software, Inc. All rights reserved.