Operating System - HP-UX

Re: Script to create username , passwd.

Chitta
Frequent Advisor

Script to create username , passwd.

Hi, I am using HP unix 11.23. As per our application concern, we have to have a Unix user, but I cannot give root access to any help desk people who are responsible for user creation. So is there any tool to create a user name and password on Unix? Or could anyone provide a script to do this task without root's intervention? An early response would be gratefully appreciated.

Regs,
Chitta.
3 REPLIES
James R. Ferguson
Acclaimed Contributor

Re: Script to create username , passwd.

Hi:

Perhaps your most secure option would be to use 'sudo' to control your script and its execution. No doubt, too, there will be "additional" needs.

You need to have root privileges. In the absence of 'sudo' you could create a C-code wrapper around your script and 'setuid' the C-executable. This is frowned upon, however, by security auditors.

Regards!

...JRF...
Mel Burslan
Honored Contributor

Re: Script to create username , passwd.

Other than what James has suggested, you are looking into a third party tool, most of the time quite an expensive one, to perform user provisioning. We use CA's eTrust but since it is a windooze centric tool, it is slanted towards user creation on that platform. All others are just plug-ins that do not work well or efficiently on UNIX or other platforms.

The best way is to authorize one user, say, a help desk user, to create a file with user specifications, like they exist in /etc/passwd, except the encrypted password of course; then a cron job run by root looks for this file, say every 10 minutes. If it exists, the user(s) get created and the file gets deleted after user creation. You need to have a known password hash (encrypted password string), and you can use sed to insert this value into the user's password field and give the known password to the user as their initial password, of course forcing them to change it the first time they log in by executing

passwd -f

right after replacing the encrypted string.

Hope this helps
________________________________
UNIX because I majored in cryptology...
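An added example, not code from the thread or from any poster: a root cron job in the shape Mel describes, written for the HP-UX POSIX shell. It goes one step beyond the post by checking every field of the request before acting on it, since whoever can write that file is otherwise choosing the uid, gid and shell. Everything named here is an assumption: the request file path, the help-desk login "helpdesk", KNOWN_HASH (a placeholder for a pre-computed crypt(3) hash of the initial password), the uid range and the shell allowlist.

```shell
#!/usr/bin/sh
# Added example (not from the thread): root cron job that turns a help-desk
# request file into accounts, as Mel Burslan outlines above.
# Assumed names (change to suit): request file SPEC, help-desk login HELPDESK,
# KNOWN_HASH (placeholder for a pre-computed crypt(3) hash of the initial
# password), the uid range and the shell allowlist.
SPEC=${SPEC:-/var/spool/newusers/request}
HELPDESK=${HELPDESK:-helpdesk}
KNOWN_HASH='PLACEHOLDER_HASH'
UID_MIN=1000
UID_MAX=59999
ALLOWED_SHELLS='/sbin/sh /usr/bin/sh /usr/bin/ksh'

# A request line mirrors /etc/passwd with the password field left empty:
#   name::uid:gid:comment:home:shell
# Every field is checked: whoever can write the file could otherwise ask
# for uid 0, gid 0 or an arbitrary shell.

valid_username() {   # lower-case, starts with a letter, max 8 chars (HP-UX default)
    case "$1" in ''|[!a-z]*|*[!a-z0-9_]*) return 1 ;; esac
    [ ${#1} -le 8 ]
}

valid_number() {     # $1 is an integer with $2 <= $1 <= $3
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

valid_shell() {
    for s in $ALLOWED_SHELLS; do [ "$1" = "$s" ] && return 0; done
    return 1
}

# validate_spec_line LINE : 0 if every field is acceptable, 1 otherwise
validate_spec_line() {
    IFS=: read -r name pw uid gid comment home shell extra <<EOF
$1
EOF
    [ -z "$pw" ] && [ -z "$extra" ] || return 1     # exactly 7 fields, no hash
    valid_username "$name" || return 1
    valid_number "$uid" "$UID_MIN" "$UID_MAX" || return 1
    valid_number "$gid" 1 65535 || return 1          # gid 0 refused
    printf '%s\n' "$comment" | grep '[^A-Za-z0-9 .,-]' >/dev/null && return 1
    [ "$home" = "/home/$name" ] || return 1
    valid_shell "$shell"
}

# build_useradd_cmd LINE : print the useradd invocation for a validated line
build_useradd_cmd() {
    IFS=: read -r name pw uid gid comment home shell extra <<EOF
$1
EOF
    echo "useradd -u $uid -g $gid -c '$comment' -d $home -m -s $shell $name"
}

# process_spec FILE [dry] : create each requested account, then delete the file
process_spec() {
    file=$1
    dry=${2:-}
    [ -f "$file" ] || return 0                       # nothing queued
    owner=$(ls -ld "$file" | awk '{print $3}')       # only the help desk may queue
    if [ "$owner" != "$HELPDESK" ]; then
        logger -t newuser "refusing $file: owned by $owner"
        return 1
    fi
    rc=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        if ! validate_spec_line "$line"; then
            logger -t newuser "rejected request: $line"
            rc=1
            continue
        fi
        if [ -n "$dry" ]; then build_useradd_cmd "$line"; continue; fi
        IFS=: read -r name pw uid gid comment home shell extra <<EOF
$line
EOF
        useradd -u "$uid" -g "$gid" -c "$comment" -d "$home" -m -s "$shell" "$name" ||
            { rc=1; continue; }
        # Mel's sed step: insert the known hash, then force a change at first
        # login.  Nothing else may be editing /etc/passwd at this moment.
        sed "s|^$name:[^:]*:|$name:$KNOWN_HASH:|" /etc/passwd > /etc/passwd.new &&
            cp /etc/passwd.new /etc/passwd && rm -f /etc/passwd.new
        passwd -f "$name"
        logger -t newuser "created $name (uid $uid)"
    done < "$file"
    [ -z "$dry" ] && rm -f "$file"
    return $rc
}

# root's crontab entry (assumed path):
#   0,10,20,30,40,50 * * * * /usr/local/sbin/newuser.sh --run
case "${1:-}" in
    --run)     process_spec "$SPEC" ;;
    --dry-run) process_spec "$SPEC" dry ;;
esac
```

The spool directory should be writable only by the help-desk login and root, and the job refuses a file owned by anyone else, so the "obvious weak spot" Fredrik mentions below comes down to that one account. Run it with --dry-run first to see the useradd commands a request would produce without touching the system.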
Fredrik.eriksson
Valued Contributor

Re: Script to create username , passwd.

The above solutions are decent if you wish to do this (even if it's somewhat frowned upon when it comes to security).

IMO you can do this with the setuid version. And it can be a decent solution because you can limit the owner group to just contain that specific non-root user and then chmod the executable to rwx by only that group.
This makes it "impossible" (since obviously nothing is impossible :P) for other user accounts to execute the file to maybe escalate their privileges.
But as it was said, it's a taboo for every security auditor because this is a sure-shot way to give hackers the possibility to escalate their privileges.

The crontab version is a good one too, this would make it hard for any attacker to find a weak spot, except for the obvious one where they can create their own account (if by some reason they can write to the file which the crontab job will have to read from). Also it applies the 2 step approach which I'm somewhat fond of. Everything you need to do in more than 1 step (security-wise ofc) and where you eliminate giving out unnecessary access to a user is a good one :)

Sudo is a very good method, you can limit it down so it can only execute useradd and passwd (these are the only ones I believe someone who isn't an administrator would have to use).

Best regards
Fredrik eriksson
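An added example, not from the thread: the sudo rule Fredrik describes, limited to useradd and passwd, shown as a sudoers fragment printed from a small shell function so it can be checked with visudo before being merged. It assumes the help-desk login "helpdesk", the HP-UX paths /usr/sbin/useradd and /usr/bin/passwd, and sudo's standard sudoers syntax. The two exclusions are the part a plain "allow passwd" rule forgets: run through sudo, passwd with no argument changes root's own password, and passwd root does the same explicitly.

```shell
# Added example (not from the thread): sudoers fragment restricting a
# help-desk login to useradd and passwd, with the two passwd holes closed.
# Assumed: login "helpdesk", HP-UX command paths, stock sudoers syntax.
sudoers_fragment() {
    cat <<'EOF'
# Help desk may create accounts and set initial passwords.
# "passwd" with no argument would change root's own password under sudo,
# and "passwd root" is the obvious abuse, so both are excluded.
Cmnd_Alias ADDUSER = /usr/sbin/useradd, \
                     /usr/bin/passwd [a-z]*, \
                     !/usr/bin/passwd root, !/usr/bin/passwd ""
helpdesk ALL = (root) ADDUSER
EOF
}

# check_sudoers_fragment : syntax-check the fragment with visudo when it is
# installed; otherwise just print it so it can be merged by hand with visudo.
check_sudoers_fragment() {
    tmp=${TMPDIR:-/tmp}/sudoers.$$
    sudoers_fragment > "$tmp"
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$tmp"
        rc=$?
    else
        cat "$tmp"
        rc=0
    fi
    rm -f "$tmp"
    return $rc
}
```

Note what this rule cannot do: sudo matches command arguments only by pattern, so it does not stop useradd being called with options such as a duplicate uid of 0. If that matters, the help desk gets sudo rights to a fixed wrapper script that chooses the uid, gid and shell itself (or to nothing at all, with the request-file-and-cron approach above), rather than to useradd directly.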