Permitting normal user to create OS accounts
Rick Stevens
rstevens at vitalstream.com
Thu Apr 6 19:29:57 UTC 2006
On Thu, 2006-04-06 at 18:32 +0000, Tech Guy wrote:
>
> Hello,
>
> I have a requirement where the clients should be able to create their
> own accounts (OS accounts) but with a limitation on GROUPID, HOME DIR,
> SHELL, etc means they cannot choose any of them. All of them will be
> predefined. They should only provide the UserID.
useradd uses the defaults in /etc/defaults/useradd, so edit those
accordingly.
> I was thinking of a script which basically calls “useradd” predefining
> GROUP, Home dir etc and then making it available using SUDO.
Make sure the script generates a temp file that contains the command
and that there is NO way for a user to append any other options to
the useradd command.
> Is there any better way to do this or is there any tool that I can use
> that allows normal users to create accounts with of course no security
> risks.
Any script you allow a user to run has security risks. What I'd do is
set up a mail account and let users send a message to that account to
create the user. For example:
create-account at mydomain.com
In your /etc/mail/aliases file, aim that mail account to a script that
parses out the account name and creates it, e.g.:
create-account: |script-to-create-account
That way there's no interactivity between the user wishing to create an
account and the system and you can control the execution environment of
the script to a finer degree.
Just an idea.
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer rstevens at vitalstream.com -
- VitalStream, Inc. http://www.vitalstream.com -
- -
- We look for things. Things that make us go! -
----------------------------------------------------------------------
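
The point above about leaving no way to append options to the useradd command, shown as a sudo-target wrapper. This is an added example, not code from the original thread; the names create_account, valid_username and DRY_RUN and the group, home and shell values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): sudo-target wrapper that
# accepts exactly one value, the login name, and fixes everything else.
LC_ALL=C; export LC_ALL                 # make [a-z] mean ASCII only
PATH=/usr/sbin:/usr/bin:/sbin:/bin; export PATH

# Constructed policy values (assumptions); set these to the site's policy.
FIXED_GROUP="clients"
FIXED_HOME_BASE="/home/clients"
FIXED_SHELL="/bin/bash"

# Allow-list check: starts with a-z, then a-z 0-9 _ - only, at most 32 chars.
valid_username() {
    name=$1
    [ -n "$name" ] || return 1
    [ "${#name}" -le 32 ] || return 1
    case $name in
        [!a-z]*)       return 1 ;;   # leading '-', digit, '/', '.' ...
        *[!a-z0-9_-]*) return 1 ;;   # spaces, ';', '/', newlines, uppercase ...
    esac
    return 0
}

create_account() {
    # More than one argument means the caller tried to add options.
    [ "$#" -eq 1 ] || { echo "usage: create-account USERNAME" >&2; return 2; }
    valid_username "$1" || { echo "create-account: name rejected" >&2; return 3; }
    # DRY_RUN (non-empty) prints the command instead of running it.
    # Every argument is quoted; "--" ends option parsing before the name.
    ${DRY_RUN:+echo} /usr/sbin/useradd -g "$FIXED_GROUP" \
        -d "$FIXED_HOME_BASE/$1" -m -s "$FIXED_SHELL" -- "$1"
}

# Run only when called with arguments (e.g. via a sudoers entry for this file).
if [ "$#" -gt 0 ]; then
    create_account "$@"
fi
```

The same valid_username check applies unchanged to a name parsed out of a mail message in the alias-driven variant.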