
Re: Permitting normal user to create OS accounts



On Thu, 2006-04-06 at 18:32 +0000, Tech Guy wrote:
>   
> Hello,
>   
> I have a requirement where the clients should be able to create their
> own accounts (OS accounts) but with a limitation on GROUPID, HOME DIR,
> SHELL, etc means they cannot choose any of them. All of them will be
> predefined. They should only provide the UserID.

useradd uses the defaults in /etc/defaults/useradd, so edit those
accordingly.

> I was thinking of a script which basically calls “useradd” predefining
> GROUP, Home dir etc and then making it available using SUDO.

Make sure the script generates a temp file that contains the command
and that there is NO way for a user to append any other options to
the useradd command.

> Is there any better way to do this or is there any tool that I can use
> that allows normal users to create accounts with of course no security
> risks.

Any script you allow a user to run has security risks.  What I'd do is
set up a mail account and let users send a message to that account to
create the user.  For example:

	create-account mydomain com

In your /etc/mail/aliases file, aim that mail account to a script that
parses out the account name and creates it, e.g.:

	create-account:	|script-to-create-account

That way there's no interactivity between the user wishing to create an
account and the system and you can control the execution environment of
the script to a finer degree.

Just an idea.

----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens vitalstream com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-            We look for things.  Things that make us go!            -
----------------------------------------------------------------------
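
The sudo-wrapper approach discussed in this thread, as an added example that is not part of the original message: a POSIX sh script that accepts exactly one user ID, validates it against a strict allow-list, and rebuilds the `useradd` argument list from constants so nothing the caller types can become an option. The group, home base, shell and the `DRY_RUN` switch are assumptions made for illustration, and the argv is built in the script rather than written to a temp file.

```shell
#!/bin/sh
# Added example: wrapper intended to be the only command permitted via sudo.
# GROUP, HOME_BASE and LOGIN_SHELL are assumed site values, not from the thread.
LC_ALL=C; export LC_ALL                          # make [a-z] mean ASCII only
PATH=/usr/sbin:/usr/bin:/sbin:/bin; export PATH  # ignore the caller's PATH

GROUP=clients
HOME_BASE=/home
LOGIN_SHELL=/bin/bash

# Return 0 only for 1-32 characters of [a-z0-9_-] starting with a letter.
valid_username() {
    name=$1
    [ "${#name}" -ge 1 ] && [ "${#name}" -le 32 ] || return 1
    case $name in
        [!a-z]*)       return 1 ;;  # leading '-', digit, space, ...
        *[!a-z0-9_-]*) return 1 ;;  # spaces, ';', '/', newlines, ...
    esac
    return 0
}

# create_account USERID: exactly one argument; every other value is fixed.
# With DRY_RUN=1 (hypothetical switch) the argv is printed, one word per line.
create_account() {
    if [ "$#" -ne 1 ]; then
        echo "usage: create-account USERID" >&2; return 2
    fi
    if ! valid_username "$1"; then
        echo "create-account: invalid user id" >&2; return 1
    fi
    # Rebuild argv from constants; "--" ends option parsing before the name.
    set -- useradd -g "$GROUP" -m -d "$HOME_BASE/$1" -s "$LOGIN_SHELL" -- "$1"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$@"
    else
        "$@"
    fi
}

# Run only when invoked with arguments (for example through sudo).
if [ "$#" -gt 0 ]; then
    create_account "$@"
fi
```

The same `valid_username` check applies unchanged if the name arrives from a mail alias pipe instead of a sudo command line.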
