AIX

AIX

Connect with fellow AIX users and experts to gain knowledge, share insights, and solve problems.

 View Only
Back to discussions
Expand all | Collapse all

How to disable/remove C-Shell in AIX?

  • 1.  How to disable/remove C-Shell in AIX?

    Posted Fri July 09, 2010 02:56 AM

    Originally posted by: SystemAdmin


    Hi Guys,

    I want to remove or disable C-Shell specifically from my aix server but since the package
    bos.rte.shell 5.3.9.2 APPLIED Shells (bsh, ksh, csh)
    contains all 3 shells, please guide me how I can remove or permanently disable cshell from my box.

    I know I can rename /usr/bin/csh and disable but in OS patching it will come back again.

    Pls suggest


  • 2.  Re: How to disable/remove C-Shell in AIX?

    Posted Fri July 09, 2010 07:52 AM

    Originally posted by: hdkutz


    Hello,
    look into
    /etc/security/login.cfg
    for
    shells =
    Entry. Comment out your undesired Shell.
    Beware, official Shell is ksh, I do not know, if c-shell is used for normal operating of AIX.

    Cheers,
    ku


  • 3.  Re: How to disable/remove C-Shell in AIX?

    Posted Fri July 09, 2010 09:32 AM

    Originally posted by: Kosala


    Removing the shell from login.cfg will not prevent a user from executing it.

    Kosala


  • 4.  Re: How to disable/remove C-Shell in AIX?

    Posted Sat July 10, 2010 03:03 AM

    Originally posted by: SystemAdmin


    Thanks for the response.

    First of all I dont want to disable c-shell for any specific user but I want to disable it for entire system even for root.

    Now the cause for this action is compliance. In compliance for our site it has been introduced that c-shell can be exploited easily in case of system hack. So they have recommened to keep only those shell which we use generally and disable c-shell permanently.

    Please guide


  • 5.  Re: How to disable/remove C-Shell in AIX?

    Posted Sat July 10, 2010 03:56 AM

    Originally posted by: Kosala


    Looking at the situation, deleting the file would be the only option (until someone recommends a better option). To handle the problem of re-introduction of the file during TL upgrades, you'll have to define a work procedure to remove the file after an upgrade.

    I would not recommend this but if you're a lazy admin like me you can put a cronjob like

    0 0 * * * -x /usr/bin/csh && rm -f /usr/bin/csh

    Which would take care of the problem.

    Kosala


  • 6.  Re: How to disable/remove C-Shell in AIX?

    Posted Fri July 09, 2010 08:23 AM

    Originally posted by: SystemAdmin


    Thanks for the reply, I do know that we dont use cshell in aix but as it got installed as a part of fileset and has been identified as the shell that can be exploited easily so need to disable it permanently.

    I tried removing the entry of cshell form /etc/security/login.cfg but still the shell is accessible.

    When I am doing

    1. csh
    csh# its going to c-shell, I tried this with new session as well.

    Please guide, how can I disable permanently


  • 7.  Re: How to disable/remove C-Shell in AIX?

    Posted Fri July 09, 2010 08:36 AM

    Originally posted by: tony.evans


    If your users have access to your server they can compile their own version of cshell quite easily. The real question is that are you trying to protect against, some unspecified comment that cshell can be exploited? But in way? Does it mean users who's initial shell is the cshell can somehow elevate their privileges? If so, preventing users from having cshell as their shell (which is what the previous post talks about) is enough.

    If there's a specific vulnerability in the cshell binary then IBM should patch it.

    What exactly are you trying to prevent (because that affects the question and answer).


  • 8.  Re: How to disable/remove C-Shell in AIX?

    Posted Sat July 10, 2010 07:18 AM

    Originally posted by: Kosala


    Compiling is possible as long as there is a compiler available. In most of the cases we do not have compilers installed, unless some application is looking for it during install (like Oracle). If I'm really security conscious, I would install it for the installation purpose and then remove it once not required.

    Kosala


  • 9.  Re: How to disable/remove C-Shell in AIX?

    Posted Sat July 10, 2010 07:21 AM

    Originally posted by: Kosala


    Did you try setting the access permission to 400 for "csh". Generally if the file is replace with a cp or mv, user permissions remain rt? This is one thing you can try.

    Kosala


  • 10.  Re: How to disable/remove C-Shell in AIX?

    Posted Mon July 12, 2010 10:51 AM

    Originally posted by: SystemAdmin


    Hi,

    I tried doing 400 permission and then do the OS patching.
    OS patching reverted the permission and c-shell started working again.

    Pls guide some other solution

    Thanks


  • 11.  Re: How to disable/remove C-Shell in AIX?

    Posted Wed July 14, 2010 03:16 PM

    Originally posted by: flodstrom


    It's possible that RBAC might give you what you want, but if I'm not mistaken you need AIX 6.1 for that (looks like you have 5.3?). I don't think you can un-install the csh. The csh is part of the base AIX system that has to be installed.

    On another note, I'm really struggling to understand your motives for doing this?

    Keep in mind that AIX expects the csh to be there and by removing it by force you may actually break parts of the system. The csh is in some ways a fundamental part of UNIX and removing it is something I would never recommend!

    Also, where did you get the idea from that the csh is a security issue (links please)?

    I would even go out on a limb here and say that you got some bad advice regarding the csh. In case your system would get hacked, the presence of the csh or not would not make any difference what so ever!


Related Content