08-17-2009 04:18 AM
Script to create username , passwd.
Hi, I am using HP unix 11.23, as per our application concern, we have to have unix user, but I cannot give root access to any help desk people one who is responsible for user creation, So Is there any tool to create user name, password on Unix? or Could any one provide script to do this task without Root's intervention? Early response would be gratefully appreciated.
Regs,
Chitta.
08-17-2009 04:23 AM
Re: Script to create username , passwd.
Hi:
Perhaps your most secure option would be to use 'sudo' to control your script and its execution. No doubt, too, there will be "additional" needs.
You need to have root privileges. In the absence of 'sudo' you could create a C-code wrapper around your script and 'setuid' the C-executable. This is frowned upon, however, by security auditors.
Regards!
...JRF...
08-17-2009 04:54 AM
Re: Script to create username , passwd.
Other than what James has suggested, you are looking into a third party tool, most of the time quite an expensive one, to perform user provisioning. We use CA's eTrust but since it is a windooze centric tool, it is slanted towards user creation on that platform. All others are just plug-ins that do not work well or efficiently on UNIX or other platforms.
Best way is to authorize one user, say, help desk user, to create a file with user specifications, like they exist in the /etc/passwd, except the encrypted password of course, then a cron job run by root looks for this file, say every 10 minutes. If it exists, user(s) get created and the file gets deleted after user creation. You need to have a known password hash (encrypted password string) and you can use sed to insert this value into user's password field and give the known password to the user as their initial password, of course forcing them to change it first time they log in by executing
passwd -f
right after replacing the encrypted string.
Hope this helps
________________________________
UNIX because I majored in cryptology...
08-17-2009 05:24 AM
Re: Script to create username , passwd.
The above solutions are decent if you wish to do this (even if it's somewhat frowned upon when it comes to security).
IMO you can do this with the setuid version. And it can be a decent solution because you can limit the owner group to just contain that specific non-root user and then chmod the executable to rwx by only that group.
This makes it "impossible" (since obviously nothing is impossible :P) for other user accounts to execute the file to maybe escalate their privileges.
But as it was said, it's a taboo for every security auditor because this is a sure-shot way to give hackers the possibility to escalate their privileges.
The crontab version is a good one too, this would make it hard for any attacker to find a weak spot, except for the obvious one where they can create their own account (if for some reason they can write to the file which the crontab job will have to read from). Also it applies the 2 step approach which I'm somewhat fond of. Everything you need to do in more than 1 step (security-wise ofc) and where you eliminate giving out unnecessary access to a user is a good one :)
Sudo is a very good method, you can limit it down so it can only execute useradd and passwd (these are the only ones I believe someone who isn't an administrator would have to use).
Best regards
Fredrik eriksson
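
The root cron job from the second reply, and the caveat in the third reply that anyone able to write the request file can create an account, both depend on how strictly root checks each request before acting on it. The sketch below is an added example, not code from any poster in this thread; the request format, `MIN_UID`, `ALLOWED_GID`, the shell allowlist and the `create_user` and `reject` names are assumptions. The same function could serve as the single script that sudo permits the help-desk account to run.

```shell
#!/bin/sh
# Added example, not from the thread. Request format is an assumption:
#   login:uid:gid:gecos:home:shell   (passwd fields minus the password)
LC_ALL=C; export LC_ALL      # make [a-z] ranges mean ASCII only
MIN_UID=1000                 # assumption: lowest UID the help desk may assign
ALLOWED_GID=20               # assumption: the only primary group permitted
DRY_RUN=${DRY_RUN-1}         # default: print the command; set DRY_RUN= to run it

reject() { echo "reject ($1): $2" >&2; }

# create_user LINE: validate one request, then call useradd with quoted arguments.
create_user() {
    IFS=: read -r login uid gid gecos home shell extra <<EOF
$1
EOF
    [ -z "$extra" ] || { reject "too many fields" "$1"; return 1; }
    case $login in
        ''|[!a-z]*|*[!a-z0-9_]*) reject "login" "$1"; return 1 ;;
    esac
    [ "${#login}" -le 8 ] || { reject "login length" "$1"; return 1; }
    case $uid in
        ''|*[!0-9]*) reject "uid not numeric" "$1"; return 1 ;;
    esac
    # Never let a request pick UID 0 or a system UID.
    [ "$uid" -ge "$MIN_UID" ] 2>/dev/null || { reject "uid below $MIN_UID" "$1"; return 1; }
    [ "$gid" = "$ALLOWED_GID" ] || { reject "gid" "$1"; return 1; }
    [ -z "$(printf '%s' "$gecos" | tr -d 'A-Za-z0-9 .-')" ] || { reject "gecos" "$1"; return 1; }
    [ "$home" = "/home/$login" ] || { reject "home" "$1"; return 1; }
    case $shell in
        /usr/bin/sh|/usr/bin/ksh) ;;          # assumption: allowed login shells
        *) reject "shell" "$1"; return 1 ;;
    esac
    # Arguments are passed as separate quoted words; the request is never eval'd.
    ${DRY_RUN:+echo} useradd -u "$uid" -g "$gid" -c "$gecos" \
        -d "$home" -s "$shell" -m "$login"
}

# Constructed sample requests: one valid, one asking for UID 0,
# one with characters outside the login allowlist.
for req in 'jdoe:1001:20:John Doe:/home/jdoe:/usr/bin/sh' \
           'oper:0:20:Operator:/home/oper:/usr/bin/sh' \
           'a;id:1002:20:x:/home/a;id:/usr/bin/sh'; do
    create_user "$req" || true
done
```

The request file should sit in a directory writable only by the help-desk account, and the cron job should refuse it when it is a symlink or owned by anyone else. The initial password and `passwd -f` step from the second reply would follow a successful `useradd`.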