[K12OSN] OT - More scripting help

Dimitri Yioulos dyioulos at firstbhph.com
Tue Nov 6 15:12:12 UTC 2007


Folks,

Sincere apologies if I'm asking questions here that really veer away from 
K12LTSP, but I've always gotten great, timely responses from you extremely 
bright people, and so, I go back to the well :-)  .  Hopefully, the 
questions/responses are useful to others.

As I noted in a previous post, I've created a script for our high school 
intern that allows him to do certain tasks, such as create accounts, change 
user passwords, etc.  I've given access to the appropriate commands via sudo, 
and have added the script path and "exit" to the intern's .bash_profile so 
that at login, he goes directly into a script-generated menu, and upon 
leaving the menu, he goes back to a login prompt.  It all works quite well.

Well, almost.  A bugaboo that I found was that the intern could change root's 
password!  Not that I don't trust the lad, but I reckon it's just not good 
policy to allow that.  But, how to prevent?  I tried the following in his 
sudo profile (found the Cmnd_Alias "trick" on the Net):

Cmnd_Alias      PWR=/usr/bin/passwd *root*
Cmnd_Alias      PW=/usr/bin/passwd [!-]?*

user ALL= NOPASSWD: /usr/sbin/useradd, PW, !PWR, /bin/mkdir, /bin/chown, /bin/chmod, /bin/sed, /bin/cp, /bin/rm, /etc/rc.d/init.d/httpd, /usr/local/test4.sh

Didn't work - the intern could still change root's pw.  I 
tried "/usr/bin/passwd !root" - n.g.  I tried the following in my script (not 
sure about the if/elif/else construct):

        2)

                read -p "Enter username: " USERNAME
                egrep "^$USERNAME" /etc/passwd >/dev/null
                if [ $? -ne 0 ]; then
                        echo
                        echo "User $USERNAME doesn't exist! Create the user first"
                elif [[ $? == "root" ]]; then
                        echo
                        echo "You're not allowed to change root's password"
                else
                sudo /usr/bin/passwd $USERNAME
                [ $? -eq 0 ] && echo "Password changed!"
                fi
                echo
                echo "Press Enter key" ; read ;;

Still no joy - root's pw could be changed.  Arrrgh!

How can I keep the intern from changing root's password?  Your help is most 
appreciated.

Dimitri
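
Added example, not part of the original message: one way to enforce the restriction asked about above, by vetting the target account in a wrapper before `passwd` runs. It assumes the wrapper is root-owned, not writable by the intern, and is what sudo grants in place of `/usr/bin/passwd`; `MIN_UID`, the function names and the sample accounts are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. MIN_UID, the function names and
# the sample accounts are assumptions made for illustration.
MIN_UID=${MIN_UID:-500}   # assumed lowest UID of ordinary (non-system) accounts

# Print the UID of the account named exactly $1 in passwd file $2, or fail.
# Comparing the whole first field avoids prefix matches ("ro" vs "root").
lookup_uid() {
    awk -F: -v name="$1" '$1 == name { print $3; found = 1; exit }
                          END { exit !found }' "${2:-/etc/passwd}"
}

# Succeed only if $1 is a well-formed, existing, unprivileged account.
# Status 2 = malformed name, 3 = no such user, 4 = protected account.
may_change_password() (
    name=$1 file=${2:-/etc/passwd}
    # Reject empty names, option-like names ("-d") and unexpected characters.
    case $name in
        ''|-*|*[!a-z0-9_.-]*) echo "invalid username" >&2; exit 2 ;;
    esac
    uid=$(lookup_uid "$name" "$file") || { echo "no such user: $name" >&2; exit 3; }
    # Decide on the UID, not the name: every UID-0 entry is root, and system
    # accounts below MIN_UID are protected as well.
    if [ "$uid" -lt "$MIN_UID" ]; then
        echo "not allowed to change the password of $name" >&2; exit 4
    fi
)

# Wrapper body: validate first, then hand the vetted name to passwd.
change_password() {
    may_change_password "$1" || return
    /usr/bin/passwd "$1"
}

# Constructed passwd entries for trying the checks offline.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second uid-0 account:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
rootbeer:x:501:501::/home/rootbeer:/bin/bash
jsmith:x:502:502::/home/jsmith:/bin/bash
EOF
}

# Run as "script USERNAME"; without an argument only the functions are defined.
if [ "$#" -gt 0 ]; then change_password "$1"; fi
```

In the posted menu branch, `$?` holds the exit status of `egrep`, so the comparison with "root" can never succeed; the example decides on the account's UID instead.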
