On Wed, Aug 23, 2000 at 11:14:01AM -0500, Brent Harding wrote:

> Doesn't he have to have access to /etc/shadow though?

For what? If you provide sudo access to use the useradd or adduser commands, the commands run *as root*. Updating of /etc/passwd and /etc/shadow is transparent.

> The delay would be more for, putting the file somewhere on the system,
> and creating the users on the hour, run off the root crontab.

Think about this long and hard: you're allowing a user to create a file with an arbitrary set of conditions, nominally to create a set of new user accounts...with what password settings, etc? To implement this securely *you* need to figure out all the ways this can break.

There's a much simpler solution: Use sudo.

> deleting would be something tricky, wouldn't want him deleting what I
> create.

What are you deleting here? I'm confused.

> Or is the telnet login as newuser deal better made for this,

***DON'T*** use telnet. Use ssh. Remove telnet and telnetd packages from your system. Do *not* use telnet for root sessions *at all*.

> Make an account with the adduser script as shell, just like people do
> with pppd, it runs as root, but now we get the problem of if he types
> a user that exists, it moves on and lets him change the password

Then write a wrapper which tests for the existence of the user account *before* invoking adduser, and hand *this* command to your friend. You'll give access to this wrapper rather than the adduser script itself.

    #!/bin/sh
    # refuse to run adduser if $1 already has a passwd entry
    if grep "^$1:" /etc/passwd 1>/dev/null 2>&1 ; then
        echo "error: user $1 exists, exiting" 1>&2
        exit 1
    fi
    adduser "$1"

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://www.netcom.com/~kmself
 Evangelist, Opensales, Inc.                    http://www.opensales.org
  What part of "Gestalt" don't you understand?   Debian GNU/Linux rocks!
    http://gestalt-system.sourceforge.net/    K5: http://www.kuro5hin.org
GPG fingerprint: F932 8B25 5FDD 2528 D595 DC61 3847 889F 55F2 B9B0
Attachment:
pgpkiUeQw_95D.pgp
Description: PGP signature
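The wrapper Karsten sketches above, fleshed out as an added example (this is not the script from the post, nor Debian's own code): it validates the login name before it ever reaches adduser, checks for an existing account with an exact match on the first passwd field rather than a regex built from user input, and only then hands off to adduser as root. The install path /usr/local/sbin/addfriend, the sudoers line in the comments and the /usr/sbin/adduser location are assumptions about a Debian-style system; the passwd lines used by the self-test are constructed sample data.

```shell
#!/bin/sh
# Added example: a sudo-friendly adduser wrapper that refuses to touch an
# existing account. Paths and the sudoers line below are assumptions about a
# Debian-style system, not taken from the thread.
#
# Install as /usr/local/sbin/addfriend (root-owned, mode 0755) and grant it
# with a sudoers entry such as (assumed, adjust to taste):
#   friend  ALL = (root) /usr/local/sbin/addfriend
# Only the wrapper is granted, never /usr/sbin/adduser itself.

PATH=/usr/sbin:/usr/bin:/bin
export PATH

# valid_username NAME
# Accept only a conservative login-name syntax: lowercase letter or underscore
# first, then lowercase letters, digits, underscore or dash, 1-32 characters.
# Rejecting everything else keeps option-looking names (-f) and shell
# metacharacters away from adduser.
valid_username() {
    printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# user_exists NAME [PASSWD_FILE]
# Exact match on the first field of PASSWD_FILE (default /etc/passwd), so
# "ali" does not match "alice" and NAME is never interpreted as a regex.
# Caveat: this only sees local accounts; with NIS/LDAP use getent passwd.
user_exists() {
    cut -d: -f1 "${2:-/etc/passwd}" | grep -Fxq -- "$1"
}

# main NAME: validate, refuse existing users, then hand off to adduser as root.
main() {
    name=$1
    if ! valid_username "$name"; then
        echo "error: '$name' is not an acceptable user name" 1>&2
        exit 1
    fi
    if user_exists "$name"; then
        echo "error: user $name exists, exiting" 1>&2
        exit 1
    fi
    exec /usr/sbin/adduser "$name"
}

# selftest: exercise both checks against a constructed passwd file (sample
# data, not from any real system). Returns 0 when every check behaves.
selftest() {
    tmp=$(mktemp) || return 1
    printf 'root:x:0:0:root:/root:/bin/sh\nalice:x:1000:1000::/home/alice:/bin/sh\n' > "$tmp"
    rc=0
    user_exists root "$tmp"    || rc=1
    user_exists alice "$tmp"   || rc=1
    user_exists ali "$tmp"     && rc=1   # prefix must not match
    user_exists bob "$tmp"     && rc=1
    valid_username alice       || rc=1
    valid_username _svc01      || rc=1
    valid_username Alice       && rc=1   # uppercase rejected
    valid_username -f          && rc=1   # looks like an option
    valid_username 'a;rm -rf'  && rc=1   # shell metacharacters
    rm -f -- "$tmp"
    return $rc
}

# Act as a command only when given exactly one username; with no arguments
# the file just defines the functions (handy for sourcing and testing).
if [ $# -eq 1 ]; then
    main "$1"
fi
```

Invoke it as `sudo addfriend newuser`. Because sudo grants the wrapper and not adduser, the friend can create accounts but cannot reach adduser's other options or an existing account; the two checks are deliberately separate functions so each can be tested on its own against a throwaway passwd file before the script is ever given root.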