restricting within command
Emil Isberg
emil.isberg at mds.mdh.se
Mon Mar 20 06:12:40 EST 2000
On Mon, 20 Mar 2000, julian.rogan wrote:
>I plan on allowing our helpdesk to change users' passwords, using sudo as
>the means of allowing this privilege.
As with many of the questions to this list, it is not a matter of tightening
the security, as it will never be enough, but rather of only giving access to
what you know is secure:
If you want to give access to passwd <user> but not passwd root, then
simply create a wrapper shell script (if you trust your shell) or a
(binary) application (if you trust your coding), and in that shell script or
application simply make sure that it's not root (or any other special
user) that is changed.
A simple script is attached...
The normal disclaimers apply, as I wrote it in a hurry... Use it if you (or
anyone else) like, in any possible way.
Be well, and please don't use this script to kill someone...
--
Nadia Comaneci, simple perfection.
-- '76 Olympics
-------------- next part --------------
#! /bin/bash
#
# Wrapper around passwd(1), meant to be the only command the helpdesk may
# run through sudo.  Every user named on the command line must exist, must
# not have a uid or primary gid below 100, and must not be a member of a
# special group; only then is passwd run for each of them.

check_groups ()
{
    local spgrp grp ign gid users sgrp u
    # This is for the following format of /etc/group
    # group:pas:gid:user1,user2,user3
    while IFS=: read grp ign gid users
    do
        spgrp=""
        for sgrp in "specgrp" "root" "staff"
        do [ "$grp" = "$sgrp" ] && spgrp="$grp"; done
        if [ -n "$spgrp" -o "$gid" -lt 100 ]
        then
            # None of the requested users may be listed as a member
            # of a special or low-numbered group.
            for u in "$@"
            do
                case "$users" in
                "$u"|*,"$u"|"$u",*|*,"$u",*) error="User belonged to spec group"; return 1;;
                esac
            done
        fi
    done < /etc/group
    return 0
}

check_gid ()
{
    local spgrp grp ign gid users sgrp g
    for g in "$@"
    do
        [ "$g" -lt 100 ] && error="gid was not valid" && return 1
    done
    # This is for the following format of /etc/group
    # group:pas:gid:user1,user2,user3
    while IFS=: read grp ign gid users
    do
        spgrp=""
        for sgrp in "specgrp" "root" "staff"
        do [ "$sgrp" = "$grp" ] && spgrp="$grp"; done
        if [ -n "$spgrp" -o "$gid" -lt 100 ]
        then
            # A requested gid that is the gid of a special group is refused.
            for g in "$@"
            do
                [ "$g" = "$gid" ] && error="gid was invalid" && return 1
            done
        fi
    done < /etc/group
    return 0
}

check_users ()
{
    local cnt=0 log x uid gid nam dir shl u
    # for spec in "specuser" "root"
    # do
    #     for u in "$@"
    #     do
    #         if [ "$spec" = "$u" ]
    #         then
    #             error="the user was a special user"
    #             return 1 # The user was a special user
    #         fi
    #     done
    # done
    # This is for the following format of /etc/passwd
    # login:shadow:uid:gid:Name:/dir:/bin/shl
    while IFS=: read log x uid gid nam dir shl
    do
        for u in "$@"
        do
            if [ "$u" = "$log" ]
            then
                # Low uid, low primary gid or a special primary group
                # marks the account as one the helpdesk may not touch.
                if [ "$uid" -lt 100 ] || ! check_gid "$gid"
                then
                    error="the user was special"
                    return 1
                else
                    cnt=$((cnt + 1))
                fi
            fi
        done
    done < /etc/passwd
    # Every argument must have matched a passwd entry; otherwise an
    # unknown (and therefore unchecked) name would be handed to passwd.
    if [ "$cnt" -ne $# ]
    then
        error="some user did not exist"
        return 1
    fi
    return 0
}

error=""
if [ $# -eq 0 ]
then
    echo "usage: $0 user..." >&2
    exit 1
fi
if check_groups "$@" && check_users "$@"
then
    for u in "$@"
    do
        echo "$u"
        passwd "$u"
    done
else
    echo "$@" was not allowed: "$error" >&2
    exit 1
fi
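As an added example that is not part of the original post or its attachment, the script below runs the same "may the helpdesk touch this account?" policy against constructed copies of /etc/passwd and /etc/group, so it can be exercised without root and without changing any real account. It goes a step beyond the attached script by refusing option-looking or glob-looking arguments before they can reach passwd or a pattern match, and by treating the primary gid from passwd as group membership. The uid threshold of 1000, the protected-group list, the account names and the sudoers path in the closing comment are all assumptions made for the example.

```shell
#!/bin/bash
# Added example, not the script from the post: the helpdesk passwd policy
# checked against constructed passwd/group files, with the decision and
# its reason returned from a function so it can be tested offline.

# Constructed sample data; none of these are real accounts.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
operator:x:11:0:operator:/root:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
carol:x:1003:50:Carol:/home/carol:/bin/bash'
SAMPLE_GROUP='root:x:0:bob
daemon:x:1:
staff:x:50:
users:x:100:
alice:x:1001:
bob:x:1002:
carol:x:1003:'

# Assumed policy: the uid threshold follows the common UID_MIN of 1000
# (the post's script uses 100); the protected-group list is a guess.
MIN_UID=1000
PROTECTED_GROUPS="root staff wheel sudo"

# allowed_to_change NAME PASSWD_FILE GROUP_FILE
# Prints one line with the decision and returns 0 (allowed) or 1 (refused).
allowed_to_change() {
    local name=$1 passwd_file=$2 group_file=$3
    local entry uid gid pg

    # A login name, never an option string or a glob: "-d", "" and "*"
    # are refused here, before they could reach passwd or a pattern match.
    case $name in
        ""|-*|*[!a-z0-9_.-]*)
            printf 'refused: %s is not a plain login name\n' "$name"
            return 1 ;;
    esac

    # Exact first-field lookup; awk's == avoids any regex interpretation
    # of the name, unlike a grep "^$name:" pattern.
    entry=$(awk -F: -v n="$name" '$1 == n { print; exit }' "$passwd_file")
    if [ -z "$entry" ]; then
        printf 'refused: %s does not exist\n' "$name"
        return 1
    fi
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    gid=$(printf '%s\n' "$entry" | cut -d: -f4)

    if [ "$uid" -lt "$MIN_UID" ]; then
        printf 'refused: %s is a system account (uid %s)\n' "$name" "$uid"
        return 1
    fi

    # Protected groups: refuse if one is the primary group (gid from the
    # passwd entry) or the name appears in its member list.
    for pg in $PROTECTED_GROUPS; do
        if awk -F: -v g="$pg" -v n="$name" -v gid="$gid" '
            $1 == g {
                if ($3 == gid) found = 1
                cnt = split($4, m, ",")
                for (i = 1; i <= cnt; i++) if (m[i] == n) found = 1
            }
            END { exit !found }' "$group_file"; then
            printf 'refused: %s is in protected group %s\n' "$name" "$pg"
            return 1
        fi
    done

    printf 'ok: %s\n' "$name"
    return 0
}

# Write the constructed files out and run the policy over a mix of cases.
PW=$(mktemp) && GR=$(mktemp)
trap 'rm -f "$PW" "$GR"' EXIT
printf '%s\n' "$SAMPLE_PASSWD" > "$PW"
printf '%s\n' "$SAMPLE_GROUP" > "$GR"
for who in alice bob carol operator root daemon eve -d; do
    allowed_to_change "$who" "$PW" "$GR" || true
done

# In the real wrapper, run as root through sudo (assumed sudoers entry:
#   %helpdesk ALL=(root) /usr/local/sbin/helpdesk-passwd
# ), the demo loop above becomes:
#   allowed_to_change "$1" /etc/passwd /etc/group && exec passwd "$1"
```

Of the constructed accounts only alice is allowed: bob is refused for being listed in the root group, carol because her primary gid is staff, operator/root/daemon for their low uids, eve because the name does not exist, and -d because it is not a login name at all. When the real wrapper is installed, sudo's secure_path (or an explicit PATH set at the top of the script) is what guarantees that awk, cut and passwd resolve to the system binaries rather than something in the caller's PATH.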
More information about the sudo-users
mailing list