Question & Answer
Question
What is TSH (Trusted Shell) and how do I enable it?
Answer
The trusted shell (tsh) is a command interpreter that provides greater security
than the Korn shell (the standard login shell).
The tsh shell can also be invoked by defining it as the login shell in the /etc/passwd file.
To do that for a user called "mash", follow these steps:
1. Log in as root.
2. Change the default login shell of the user mash to /usr/bin/tsh:
# chuser shell=/usr/bin/tsh mash
3. Log in as "mash" and try to execute the following commands:
tsh> who
tsh> whoami
tsh> ls
You will see an error like the following:
0403-047 Command must be trusted to run in the trusted shell
4. As root, you will have to mark the specific commands you want to allow as trusted:
# chtcb on /usr/bin/ls
# chtcb query /usr/bin/ls
5. Log in as mash again:
tsh> ls -l
-rw-rw---- 1 new staff 0 Dec 01 09:26 abc.out
-rwxr-xr-x 1 new staff 76 Nov 17 02:41 test.file
* The command /usr/bin/ls is now in the trusted communication path, so it runs.
6. If you want to remove the trusted attribute again:
- Log in as root and run:
# chtcb off /usr/bin/ls
7. If you want to change the shell of the user "mash" back to KSH:
# chuser shell=/usr/bin/ksh mash
Thank you very much for taking the time to read through this guide.
I hope it has been not only helpful but also an easy read. If you feel you have found any inconsistencies,
please don't hesitate to email me at ahdmashr@eg.ibm.com
Ahmed Mashhour
Document Information
Modified date:
17 June 2018
UID
isg3T1024673