Examples of Security Measures
Case 1: Maximum Security
One UNIX account with the following characteristics is used for all QXI telnet sessions:
No write permissions to home directory. Temporary files are written elsewhere.
PATH, DLC, and PROPATH environment variables are set in .profile and inaccessible to the user.
Startup command and/or scripts run from .profile.
Telnet disconnects immediately after the user exits the session.
Use the following instructions to set up Case 1:
1 Create the unique QXI account used to log in to UNIX through telnet.
2 Make the default shell for this account the restricted shell.
3 Remove all write permissions for this user in their home directory. Use the -T option in the remote script to specify an alternate temporary directory.
4 Set up the .profile to set minimal environment variables.
5 Set up the .profile to run the script automatically.
Example: .profile for Case 1:
#Sample .profile for QXtend session, single QXtend login
#set default for error (STOP) condition handling
stty intr ^C
#set environment variables
PATH=/dlc91:/dlc91/bin
DLC=${DLC-/dlc91}
PROEXE=${PROEXE-$DLC/bin/_progres}
export PATH DLC PROEXE
#Autorun remote script for QXtend access and automatically exit
exec remote.script
#reached only if exec fails; end the session rather than leave a shell
exit
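One way to check an account against the Case 1 steps above, as an added example that is not part of the original documentation. The function names, the list of restricted-shell names (on some systems rsh is the remote shell, not a restricted shell), and the constructed qxi account are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): audit a Case 1 account.
# Assumed restricted-shell names; adjust for your platform.
RESTRICTED_SHELLS="rsh rksh rbash"

# has_write_bit PATH: succeeds if any owner/group/other write bit is set.
has_write_bit() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ??w*|?????w*|????????w*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_case1 PASSWD_FILE USER: prints findings, returns how many there were.
audit_case1() {
    findings=0
    entry=$(grep "^$2:" "$1") || { echo "FAIL: no account $2"; return 1; }
    home=$(echo "$entry" | cut -d: -f6)
    shell=$(echo "$entry" | cut -d: -f7)
    # Step 2: default shell is the restricted shell.
    case " $RESTRICTED_SHELLS " in
        *" ${shell##*/} "*) ;;
        *) echo "FAIL: shell $shell is not restricted"; findings=$((findings + 1)) ;;
    esac
    # Step 3: no write permission on the home directory.
    if has_write_bit "$home"; then
        echo "FAIL: $home is writable"; findings=$((findings + 1))
    fi
    # Steps 4-5: .profile exists, is not writable, and execs the session script.
    if [ ! -f "$home/.profile" ] || has_write_bit "$home/.profile"; then
        echo "FAIL: $home/.profile missing or writable"; findings=$((findings + 1))
    elif ! grep -q '^exec ' "$home/.profile"; then
        echo "FAIL: .profile does not exec a startup script"; findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: a throwaway passwd file and home directory for "qxi".
demo() {
    d=$(mktemp -d)
    mkdir "$d/home"
    printf 'exec remote.script\nexit\n' > "$d/home/.profile"
    echo "qxi:x:501:501::$d/home:/usr/bin/rksh" > "$d/passwd"
    chmod 444 "$d/home/.profile"; chmod 555 "$d/home"
    audit_case1 "$d/passwd" qxi && echo "PASS: qxi matches Case 1"
    chmod 755 "$d/home"; rm -rf "$d"
}
demo
```

The check reads mode bits instead of using `test -w`, because `test -w` reports on the user running the audit (always writable for root), not on the account being audited.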
Case 2: Less Security
Users have their own unique login and password, but run the restricted shell by default:
Write permission to directory is possible, but not necessary.
PATH, DLC, and PROPATH environment variables are set in .profile and inaccessible to the user.
Users run a subset of UNIX commands, which you add to /usr/rbin.
Users can run the system manually from command line or script.
Use the following instructions to set up Case 2:
1 Create or modify accounts for users of maintenance programs by changing their default shell in the /etc/passwd file to the restricted shell.
2 Create the directory /usr/rbin and copy the UNIX commands necessary for these users. Make the /usr/bin directory read-only so users cannot change path variables.
3 Set up a special .profile for the maintenance program users.
4 Set the minimal environment variables, remembering to include /usr/rbin.
5 Copy the QXI telnet connection script to each user’s home directory with read-only access.
6 Put any other necessary read-only script files in the home directory.
Example: .profile for Case 2:
#Sample .profile for QXtend session, for individual logins
#remote.script should be in home dir; executable by QXtend
#set default for error (STOP) condition handling
stty intr ^C
#set environment variables
PATH=/dlc91:/dlc91/bin:/usr/rbin #don't forget the /usr/rbin directory
DLC=${DLC-/dlc91}
PROEXE=${PROEXE-$DLC/bin/_progres}
export PATH DLC PROEXE