
Re: Exploring the possibilities of cron



On Wed, Aug 23, 2000 at 11:14:01AM -0500, Brent Harding wrote:

> Doesn't he have to have access to /etc/shadow though? 

For what?  If you provide sudo access to use the useradd or adduser
commands, the commands run *as root*.  Updating of /etc/passwd and
/etc/shadow is transparent.

> The delay would be more for, putting the file somewhere on the system,
> and creating the users on the hour, run off the root crontab. 

Think about this long and hard:  you're allowing a user to create a file
with an arbitrary set of conditions, nominally to create a set of new
user accounts...with what password settings, etc?  To implement this
securely *you* need to figure out all the ways this can break.  There's
a much simpler solution:

    Use sudo.


> deleting would be something tricky, wouldn't want him deleting what I
> create. 

What are you deleting here?  I'm confused.

> Or is the telnet login as newuser deal better made for this, 

***DON'T*** use telnet.  Use ssh.  Remove telnet and telnetd packages
from your system.  Do *not* use telnet for root sessions *at all*.

> Make an account with the adduser script as shell, just like people do
> with pppd, it runs as root, but now we get the problem of if he types
> a user that exists, it moves on and lets him change the password 

Then write a wrapper which tests for the existence of the user account
*before* invoking adduser, and hand *this* command to your
friend.  You'll give access to this wrapper rather than the adduser
script itself.

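	#!/bin/sh
	# Refuse to continue if the requested account already exists.
	# Double quotes, so that the shell expands $1 inside the pattern.
	if grep "^$1:" /etc/passwd 1>/dev/null 2>&1 ; then
	    echo "error: user $1 exists, exiting" 1>&2; exit 1
	fi
	adduser "$1"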

-- 
Karsten M. Self <kmself@ix.netcom.com>     http://www.netcom.com/~kmself
 Evangelist, Opensales, Inc.                    http://www.opensales.org
  What part of "Gestalt" don't you understand?   Debian GNU/Linux rocks!
   http://gestalt-system.sourceforge.net/    K5: http://www.kuro5hin.org
GPG fingerprint: F932 8B25 5FDD 2528 D595 DC61 3847 889F 55F2 B9B0
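
A stricter version of the wrapper idea above, as an added example that is not part of the original message: it validates the requested name and compares it exactly against the first field of the passwd file before calling adduser. The name policy, the function names and the safe-adduser install name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Hypothetical install name:
# safe-adduser, granted through sudo in place of adduser itself.
LC_ALL=C; export LC_ALL    # fixed locale so a-z means ASCII lowercase only

# name_ok NAME: accept only conservative login names (assumed policy:
# lowercase letter or underscore first, then lowercase letters, digits,
# underscore or hyphen, 32 characters at most). Rejects empty names and
# names starting with '-', which adduser would read as an option.
name_ok() {
    case "$1" in
        ''|[!a-z_]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# user_exists NAME [PASSWD_FILE]: exact string comparison on the first
# field, so regex metacharacters in NAME cannot cause a false match.
# Reads local files only; accounts served through NSS are not covered.
user_exists() {
    awk -F: -v u="$1" '($1 "") == (u "") { found = 1 } END { exit !found }' \
        "${2:-/etc/passwd}"
}

# safe_adduser NAME: refuse bad or existing names, then create the account.
safe_adduser() {
    if [ "$#" -ne 1 ]; then
        echo "usage: safe-adduser NAME" 1>&2; return 2
    fi
    if ! name_ok "$1"; then
        echo "error: invalid user name, exiting" 1>&2; return 1
    fi
    if user_exists "$1"; then
        echo "error: user $1 exists, exiting" 1>&2; return 1
    fi
    adduser "$1"
}

# Run only when given arguments, so the functions can be sourced and tested.
[ "$#" -eq 0 ] || safe_adduser "$@"
```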
