
Re: Exploring the possibilities of cron



If the script makes the file, say for example
#!/bin/sh
echo "enter a username to create"
read USER                   # read into the variable USER, not into the value of $USER
echo "enter user's password"
read PASSWORD
# append the request as one "user:password" line for the hourly cron job to pick up
echo "$USER:$PASSWORD" >>/etc/requested.users
Then on the hour in cron
have it mail the file to me with a subject of requested users, or pipe the
file to that newusers utility that parses mass user entries. How can this
actually break and do something I don't want? Supposing the
/etc/requested.users file were owned by the group requestusers with my
friend being a member, with permissions of 750, so outsiders can't get the
file modified?
At 12:15 PM 8/23/00 -0700, you wrote:
>On Wed, Aug 23, 2000 at 11:14:01AM -0500, Brent Harding wrote:
>
>> Doesn't he have to have access to /etc/shadow though? 
>
>For what?  If you provide sudo access to use the useradd or adduser
>commands, the commands run *as root*.  Updating of /etc/passwd and
>/etc/shadow are transparent.
>
>> The delay would be more for, putting the file somewhere on the system,
>> and creating the users on the hour, run off the root crontab. 
>
>Think about this long and hard:  you're allowing a user to create a file
>with an arbitrary set of conditions, nominally to create a set of new
>user accounts...with what password settings, etc?  To implement this
>securely *you* need to figure out all the ways this can break.  There's
>a much simpler solution:
>
>    Use sudo.
>
>
>> deleting would be something tricky, wouldn't want him deleting what I
>> create. 
>
>What are you deleting here?  I'm confused.
>
>> Or is the telnet login as newuser deal better made for this, 
>
>***DON'T*** use telnet.  Use ssh.  Remove telnet and telnetd packages
>from your system.  Do *not* use telnet for root sessions *at all*.
>
>> Make an account with the adduser script as shell, just like people do
>> with pppd, it runs as root, but now we get the problem of if he types
>> a user that exists, it moves on and lets him change the password 
>
>Then write a wrapper which tests for the existence of the user account
>*before* invoking adduser, and hand *this* command to your
>friend.  You'll give access to this wrapper rather than the adduser
>script itself.
>
>    #!/bin/sh
>    # refuse to run adduser when the requested name is already in /etc/passwd
>    if grep "^$1:" /etc/passwd 1>/dev/null 2>&1 ; then
>        echo "error: user $1 exists, exiting" 1>&2; exit 1
>    fi
>    adduser "$1"
>
>-- 
>Karsten M. Self <kmself@ix.netcom.com>     http://www.netcom.com/~kmself
> Evangelist, Opensales, Inc.                    http://www.opensales.org
>  What part of "Gestalt" don't you understand?   Debian GNU/Linux rocks!
>   http://gestalt-system.sourceforge.net/    K5: http://www.kuro5hin.org
>GPG fingerprint: F932 8B25 5FDD 2528 D595 DC61 3847 889F 55F2 B9B0
>
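The input checks that both the cron-fed requested.users scheme and the quoted adduser wrapper need before anything runs as root, as an added example that is not part of either poster's message. It assumes hypothetical function names, a constructed request file, and PASSWD_FILE / ADDUSER_CMD variables so the checks can be exercised without touching the live system.

```shell
#!/bin/sh
# Added example, not code from the thread: the checks a root cron job should
# apply to each "user:password" line of requested.users before calling adduser.
# Function names are hypothetical; the passwd path and adduser command are
# variables so the logic can be run against constructed data.
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"
ADDUSER_CMD="${ADDUSER_CMD:-adduser}"

# Accept only conservative names: a lowercase letter, then up to 31 lowercase
# letters, digits, '-' or '_'. Rejects ':' (an extra passwd field), whitespace,
# a leading '-' (would be parsed as an option) and empty names.
valid_username() {
    printf '%s' "$1" | LC_ALL=C grep -Eq '^[a-z][a-z0-9_-]{0,31}$'
}

# Same existence test as the quoted wrapper, with "$1" double-quoted so the
# name actually expands inside the pattern.
user_exists() {
    grep -q "^$1:" "$PASSWD_FILE"
}

# Validate one request line. Prints the username and returns 0 when it is
# acceptable; otherwise prints the reason to stderr and returns 1.
check_request_line() {
    case $1 in
        *:*:*) echo "rejected, too many fields: $1" >&2; return 1 ;;
        *:*)   ;;
        *)     echo "rejected, no password field: $1" >&2; return 1 ;;
    esac
    name=${1%%:*}
    pass=${1#*:}
    valid_username "$name" || { echo "rejected, bad name: $name" >&2; return 1; }
    [ -n "$pass" ] || { echo "rejected, empty password: $name" >&2; return 1; }
    user_exists "$name" && { echo "rejected, exists: $name" >&2; return 1; }
    echo "$name"
}

# Walk the request file (-r keeps backslashes literal, the || clause keeps an
# unterminated last line), create only accounts that pass every check, and
# return the number of rejected lines so cron can flag problems.
process_requests() {
    rejected=0
    while IFS= read -r req || [ -n "$req" ]; do
        [ -z "$req" ] && continue
        if name=$(check_request_line "$req"); then
            "$ADDUSER_CMD" "$name"
        else
            rejected=$((rejected + 1))
        fi
    done < "$1"
    return "$rejected"
}
```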