[K12OSN] OT - More scripting help
Dimitri Yioulos
dyioulos at firstbhph.com
Tue Nov 6 15:12:12 UTC 2007
Folks,
Sincere apologies if I'm asking questions here that really veer away from
K12LTSP, but I've always gotten great, timely responses from you extremely
bright people, and so, I go back to the well :-) . Hopefully, the
questions/responses are useful to others.
As I noted in a previous post, I've created a script for our high school
intern that allows him to do certain tasks, such as create accounts, change
user passwords, etc. I've given access to the appropriate commands via sudo,
and have added the script path and "exit" to the intern's .bash_profile so
that at login, he goes directly into a script-generated menu, and upon
leaving the menu, he goes back to a login prompt. It all works quite well.
Well, almost. A bugaboo that I found was that the intern could change root's
password! Not that I don't trust the lad, but I reckon it's just not good
policy to allow that. But, how to prevent? I tried the following in his
sudo profile (found the Cmnd_Alias "trick" on the Net):
    Cmnd_Alias PWR=/usr/bin/passwd *root*
    Cmnd_Alias PW=/usr/bin/passwd [!-]?*
    user ALL= NOPASSWD: /usr/sbin/useradd,
    PW, !PWR, /bin/mkdir, /bin/chown, /bin/chmod, /bin/sed, /bin/cp, /bin/rm, /etc/rc.d/init.d/httpd, /usr/local/test4.sh
Didn't work - the intern could still change root's pw. I
tried "/usr/bin/passwd !root" - n.g. I tried the following in my script (not
sure about the if/elif/else construct):
2)
    read -p "Enter username: " USERNAME
    egrep "^$USERNAME" /etc/passwd >/dev/null
    if [ $? -ne 0 ]; then
        echo
        echo "User $USERNAME doesn't exist! Create the user first"
    elif [[ $? == "root" ]]; then
        echo
        echo "You're not allowed to change root's password"
    else
        sudo /usr/bin/passwd $USERNAME
        [ $? -eq 0 ] && echo "Password changed!"
    fi
    echo
    echo "Press Enter key" ; read ;;
Still no joy - root's pw could be changed. Arrrgh!
How can I keep the intern from changing root's password? Your help is most
appreciated.
Dimitri
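
Added example (not part of the original post): one way to do the check the script above attempts, by testing the entered name itself rather than `$?`, matching field 1 of /etc/passwd exactly, and refusing every account below a UID floor. MIN_UID (500 here), check_target and change_password are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. MIN_UID, check_target and
# change_password are assumed names; 500 is an assumed UID floor.
MIN_UID=${MIN_UID:-500}

# check_target USERNAME [PASSWD_FILE]
# Prints "ok" and returns 0 only for an existing, non-system account.
check_target() {
    name=$1
    file=${2:-/etc/passwd}
    # Plain lowercase account names only: rejects empty input, a leading
    # '-' (would be read as a passwd option), spaces and shell metacharacters.
    case $name in
        ''|-*|*[!a-z0-9_-]*) echo "invalid username"; return 2 ;;
    esac
    # Exact comparison on field 1; a "^name" prefix match would let
    # the input "ro" match the root entry.
    uid=$(awk -F: -v n="$name" '$1 == n { print $3; exit }' "$file")
    case $uid in
        '') echo "no such user"; return 3 ;;
        *[!0-9]*) echo "malformed passwd entry"; return 3 ;;
    esac
    # Decide on the UID, not the name, so root and any other UID-0 or
    # system account is refused whatever it is called.
    if [ "$uid" -lt "$MIN_UID" ]; then
        echo "system account, refused"; return 4
    fi
    echo "ok"
}

# change_password USERNAME: meant to run as root (for example via sudo).
change_password() {
    reason=$(check_target "$1") || {
        echo "Refused: $reason" >&2
        return 1
    }
    /usr/bin/passwd "$1"
}

# Run only when a username is passed on the command line.
if [ -n "${1:-}" ]; then
    change_password "$1"
fi
```

This only restricts anything if sudoers grants the wrapper script rather than /usr/bin/passwd itself, and the script is owned by root and not writable by the delegated user.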