On Wed, Aug 23, 2000 at 11:14:01AM -0500, Brent Harding wrote:
> Doesn't he have to have access to /etc/shadow though?
For what? If you provide sudo access to use the useradd or adduser
commands, the commands run *as root*. Updating of /etc/passwd and
/etc/shadow is transparent.
> The delay would be more for, putting the file somewhere on the system,
> and creating the users on the hour, run off the root crontab.
Think about this long and hard: you're allowing a user to create a file
with an arbitrary set of conditions, nominally to create a set of new
user accounts...with what password settings, etc? To implement this
securely *you* need to figure out all the ways this can break. There's
a much simpler solution:
Use sudo.
> deleting would be something tricky, wouldn't want him deleting what I
> create.
What are you deleting here? I'm confused.
> Or is the telnet login as newuser deal better made for this,
***DON'T*** use telnet. Use ssh. Remove telnet and telnetd packages
from your system. Do *not* use telnet for root sessions *at all*.
> Make an account with the adduser script as shell, just like people do
> with pppd, it runs as root, but now we get the problem of if he types
> a user that exists, it moves on and lets him change the password
Then write a wrapper which tests for the existence of the user account
*before* invoking adduser, and hand *this* command to your
friend. You'll give access to this wrapper rather than the adduser
script itself.
#!/bin/sh
# Refuse to continue if the requested account is already in /etc/passwd.
# Double quotes are required so that $1 is expanded inside the pattern.
if grep "^$1:" /etc/passwd 1>/dev/null 2>&1 ; then
    echo "error: user $1 exists, exiting" 1>&2; exit 1
fi
adduser "$1"
--
Karsten M. Self <kmself@ix.netcom.com> http://www.netcom.com/~kmself
Evangelist, Opensales, Inc. http://www.opensales.org
What part of "Gestalt" don't you understand? Debian GNU/Linux rocks!
http://gestalt-system.sourceforge.net/ K5: http://www.kuro5hin.org
GPG fingerprint: F932 8B25 5FDD 2528 D595 DC61 3847 889F 55F2 B9B0
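A hardened form of the wrapper idea above, added here as an example and not Karsten's own script: it rejects malformed usernames before they reach grep or adduser, looks the account up with getent so NIS/LDAP users are caught too, and returns status codes instead of exiting so the checks can be exercised without root. The username pattern, the getent lookup and the return codes are assumptions, not part of the original mail.

```shell
#!/bin/sh
# Wrapper intended to be the only command granted through sudo.
# Assumption: acceptable usernames are a lowercase letter or underscore
# followed by up to 31 letters, digits, underscores or hyphens.

# Return 0 if the name is a conventional, shell-safe Unix username.
valid_username() {
    # A newline would let a second line slip past a line-oriented grep.
    nl='
'
    case "$1" in *"$nl"*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# Return 0 if the account exists in any NSS source; fall back to
# /etc/passwd where getent is unavailable.
user_exists() {
    getent passwd "$1" >/dev/null 2>&1 || grep -q "^$1:" /etc/passwd
}

# Validate, then create. Return codes: 2 usage, 3 bad name, 1 exists.
create_user() {
    name="$1"
    if [ -z "$name" ]; then
        echo "usage: $0 USERNAME" 1>&2; return 2
    fi
    if ! valid_username "$name"; then
        echo "error: '$name' is not an acceptable username" 1>&2; return 3
    fi
    if user_exists "$name"; then
        echo "error: user $name exists, exiting" 1>&2; return 1
    fi
    adduser "$name"
}

# Only act when an argument is supplied; otherwise just define the functions.
if [ "$#" -gt 0 ]; then
    create_user "$1"
fi
```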