restricting within command

Emil Isberg emil.isberg at mds.mdh.se
Mon Mar 20 06:12:40 EST 2000


On Mon, 20 Mar 2000, julian.rogan wrote:
>I plan on allowing our helpdesk to change users passwords using sudo as the
>means of allowing this privilege.

As with many of the questions on this list, it is not a matter of tightening the
security, as it will never be enough, but rather of only giving access to what
you know is secure:

If you want to give access to passwd <user> but not passwd <root>, then
simply create a wrapper script (if you trust your shell) or a
(binary) application (if you trust your coding), and in that script or
application simply make sure that it is not root (or any other special
user) whose password is changed.


A simple script is attached...
The normal disclaimers apply as I wrote it in a hurry... Use it if you (or
anyone else) like, in any way you wish.

Be well, and please don't use this script to kill someone...

-- 
Nadia Comaneci, simple perfection.
		-- '76 Olympics
#! /bin/bash

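#######################################
# Reject any requested login that is listed as a supplementary member of a
# privileged group in /etc/group: one of the named special groups, or any
# group whose gid is below 100 (or whose gid field is not numeric).
# Globals:   error (written on failure)
# Arguments: $@ - login names to check
# Returns:   0 if no login is a member of a special group, 1 otherwise
#######################################
check_groups ()
{
  local grp ign gid users sgrp spgrp u
  local -ra special_groups=(specgrp root staff)

  # Expected /etc/group line format:
  # group:pas:gid:user1,user2,user3
  # -r keeps backslashes in the line literal; ign is the password field.
  while IFS=: read -r grp ign gid users
  do
    spgrp=""
    for sgrp in "${special_groups[@]}"
    do [ "$grp" = "$sgrp" ] && spgrp="$grp"; done
    # A non-numeric gid would make "-lt" fail (and the line be skipped), so
    # such lines are treated as special rather than silently ignored.
    if [ -n "$spgrp" ] || ! [[ "$gid" =~ ^[0-9]+$ ]] || [ "$gid" -lt 100 ]
    then
      for u in "$@"
      do
        # Wrap the member list in commas so a single pattern matches the
        # login at the start, middle or end of the list (or as sole member).
        case ",$users," in
          *,"$u",*) error="User belonged to spec group"; return 1 ;;
        esac
      done
    fi
  done < /etc/group
  return 0
}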

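#######################################
# Reject any gid that is reserved: non-numeric, below 100, or the gid of
# one of the named special groups (or a low/non-numeric gid line) in
# /etc/group.
# Globals:   error (written on failure)
# Arguments: $@ - gids to check (normally the primary gid from /etc/passwd)
# Outputs:   nothing; the former debug echo printed every special group
#            line to the caller's stdout and has been removed
# Returns:   0 if every gid is acceptable, 1 otherwise
#######################################
check_gid ()
{
  local g grp ign gid users sgrp spgrp
  local -ra special_groups=(specgrp root staff)

  for g in "$@"
  do
    # Non-numeric input made the original "-lt" test error out and the
    # gid fall through as acceptable; reject it explicitly instead.
    if ! [[ "$g" =~ ^[0-9]+$ ]] || [ "$g" -lt 100 ]
    then
      error="gid was not valid"
      return 1
    fi
  done

  # Expected /etc/group line format:
  # group:pas:gid:user1,user2,user3
  while IFS=: read -r grp ign gid users
  do
    spgrp=""
    for sgrp in "${special_groups[@]}"
    do [ "$sgrp" = "$grp" ] && spgrp="$grp"; done
    if [ -n "$spgrp" ] || ! [[ "$gid" =~ ^[0-9]+$ ]] || [ "$gid" -lt 100 ]
    then
      for g in "$@"
      do
        [ "$g" = "$gid" ] && error="gid was invalid" && return 1
      done
    fi
  done < /etc/group
  return 0
}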

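#######################################
# Verify that every requested login exists in /etc/passwd and is an
# ordinary account: numeric uid of at least 100 and a primary gid that
# check_gid accepts.
# Globals:   error (written on failure)
# Arguments: $@ - login names to check
# Returns:   0 if all logins exist and are ordinary, 1 otherwise
#######################################
check_users ()
{
  local cnt=0
  local log x uid gid nam dir shl u

  # Expected /etc/passwd line format:
  # login:shadow:uid:gid:Name:/dir:/bin/shl
  while IFS=: read -r log x uid gid nam dir shl
  do
    for u in "$@"
    do
      if [ "$u" = "$log" ]
      then
        # A non-numeric uid field would make "-lt" fail; treat the account
        # as special rather than falling through to the gid check.
        if ! [[ "$uid" =~ ^[0-9]+$ ]] || [ "$uid" -lt 100 ] || ! check_gid "$gid"
        then
          error="the user was special"
          return 1
        fi
        cnt=$((cnt + 1))
      fi
    done
  done < /etc/passwd
  # The original set $error here but never returned 1, so a login that is
  # absent from the local passwd file was reported as an error and still
  # handed to passwd. Fail closed.
  if [ "$cnt" -ne "$#" ]
  then
    error="some user did not exist"
    return 1
  fi
  return 0
}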

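# Entry point: passwd is run for each login only after both checks pass.
# Refusals go to stderr and exit non-zero so the caller (and sudo's log)
# can tell a denied request from a successful change.
error=""
if [ $# -eq 0 ]
then
  printf 'usage: %s login...\n' "${0##*/}" >&2
  exit 2
fi
for u in "$@"
do
  # Only plain login names reach passwd: anything starting with '-' would
  # be parsed by passwd as an option, and odd characters are never valid
  # logins here. Widen the pattern if the site allows other characters.
  if ! [[ "$u" =~ ^[A-Za-z0-9._][A-Za-z0-9._-]*$ ]]
  then
    printf '%s was not allowed: invalid login name\n' "$u" >&2
    exit 1
  fi
done
if check_groups "$@" && check_users "$@"
then
  for u in "$@"
  do
    printf '%s\n' "$u"
    # Stop at the first failure so a partial run is not reported as success.
    passwd "$u" || exit 1
  done
else
  printf '%s was not allowed: %s\n' "$*" "$error" >&2
  exit 1
fi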

