topic Re: Writing script to modify passwd file in Operating System - HP-UX

Writing script to modify passwd file

Mike Keys — Mon, 11 Jul 2005 07:43:44 GMT

Looking for some ideas/suggestions and possibly scripting help for modifications to the passwd file.

At our employer, it is standard practice to make 2 backups of the passwd file before adding/removing/modifying users. Any changes are made to one of the backup copies and then "verified" before replacing the passwd file with the modified version.

We had an incident last week where our lead operator did not make 2 copies and instead removed 70 users from the one backup copy and then copied that to passwd. The net result was that this individual made every excuse in the book and did not accept that they were the one who caused the problem, even though I had a copy of the history file which showed all command typed in from the command prompt since their session began.

Because of this, I was directed to find out if it possible, or if a script exists which would prompt the user, when making changes to the passwd file. For example, a script might be called: passwdchng

When executed, it would prompt for the user id:

Enter user id:

If the user exists, it would then ask if you would like to modify or delete the user. If the user doesn't exist, it will ask you if you would like to add the user.

If you select modify, it will then show the current settings:

1)Password: Displayed as hash (we're not using shadow passwords)
2)User ID:
3)Group ID:
4)User Name/Description:
5)Home Directory:
6)Shell:

You would select a number to change that value. If you select passwd, a routine would run resetting the password to whatever it needs to be and forcing the user to change it upon the next login.

The script would also contain logic that would prevent the enduser from modifying users that do not have a certain group ID.

Let me know your thoughts. Perhaps having them do all this through SAM would be the answer.

Re: Writing script to modify passwd file

Mike Keys — Mon, 11 Jul 2005 07:54:12 GMT

Basically what I am looking for is a script version of what SAM is able to do for management of users. Is there anything like this for HPUX?

And what is the deal with the forums? Sometimes I can search and sometimes I can't.

Re: Writing script to modify passwd file

David Child_1 — Mon, 11 Jul 2005 08:02:39 GMT

Mike,

I don't know of anything standard that will do what you require, but it could be scripted. Does you lead operator have full root access? If so, there isn't anything you can do to force them to follow correct procedures.

Your best bet is to limit their access and use sudo to allow them to run pre-defined (and locked-down) scripts for this (or any other priviledged) task. In the past I have refused to have root access on servers when another group had root access. Its fairly easy to make this case when you have an issue as you described above.

If sam functionality is what you need, but don't want to let them have full access them restricted sam access can be set up.

David

Re: Writing script to modify passwd file

Juan M Leon — Mon, 11 Jul 2005 08:09:29 GMT

Mike I agree with David, you need to limit root access to your operators. then use sudo. I used to work with poweb broker pbrun and pbsu. This software works very well giving users some root ability and also helps you to log who is the user executing specific command. But the only extra work that you need to do is to script a menu with all the functionality. I dont think so is hard if you have some scripting experience.

If you decide to go with power borker I can always help you with the scripts.

Thanks

Juan

Re: Writing script to modify passwd file

Mike Keys — Mon, 11 Jul 2005 08:13:12 GMT

Juan & David,

I think it makes perfect sense that we look at limiting the operations priviledges.

Juan, please give me more information/website on "power broker",

Mike Keys

Re: Writing script to modify passwd file

Juan M Leon — Mon, 11 Jul 2005 08:38:01 GMT

Mike,
Here is some links with info about the software
The company
http://www.symark.com/powerbroker.htm
Software installation and config
http://www.uidaho.edu/pb/pb27-05.htm#P778_57145
http://www.uidaho.edu/pb/pb27-13.htm#P1486_106950
http://www.uidaho.edu/pb/pb27-18.htm#P3949_245086

Take a look and you will see that this software is very helpfull to delegate limited root privileges. Also it keeps tracking of each user steps.

Thanks
Juan

Re: Writing script to modify passwd file

Mike Keys — Mon, 11 Jul 2005 09:15:21 GMT

Thanks.

I see some replies in the forums which use menu-driven scripts written in perl. I also see the 'useradd', 'usermod' and 'userdel' commands that I can use to build by command line syntax.

Since I an very, very new to scripting, how do I pull the values from the /etc/passwd file for a particular user and store in variables?

Basically the structure of the program is as such.

Display Menu

A) Add a new user
M) Modify an existing user
R) Remove an existing user
D) Display this menu
X) Exit program and logoff

Program is called via sudo to track user and time called.

If A)then
Check to see that user does not already exist. If user exists then return message to user and prompt if they would like to Modify or Remove. If Modify or Remvoe is selected at this point, a check should be made to ensure that group ID matches acceptable group ID for which to make changes. Therefore, root and other ID's are protected. The user ID used should be the next user ID available.

If M) or R)
Get user info from /etc/passwd file, parsed and diplayed into its component parts displayed as a menu (only for Modify). For Remove, prompt user with an "are you sure" command before executing. For a Modify, allow user to select component to modify. Group ID can't be changed. Password can be reset from here as well (perhaps as option on Main Menu). Display "are you sure" prompt after finished with changes before modifying.

Any suggestions are welcome.

Mike Keys

Re: Writing script to modify passwd file

Mel Burslan — Mon, 11 Jul 2005 09:57:05 GMT

to get the values from your /etc/passwd file, you can use a construct like this :

(assumed teh username you want to modify is stored in variable $USER)

REC=`grep ^$USER /etc/passwd`

PWDHASH=`echo $REC|cut -d: -f2`
UID=`echo $REC|cut -d: -f3`
GID=`echo $REC|cut -d: -f4`
GECKOS=`echo $REC|cut -d: -f5`
HOMEDIR=`echo $REC|cut -d: -f6`
DEFSHELL=`echo $REC|cut -d: -f7`

then you can modify your record by modifying any of these values and reconstruct it as:

NEWREC=`printf $USER":"$PWDHASH":"$UID":"$GID":$GECKOS:"$HOMEDIR":"$DEFSHELL`

(make sure $GECKOS is inside the double quotes as it may have spaces embedded inside)

then

delete this line out of your /etc/passwd and append the modified version to the bottom as follows:

LINE=`grep -n ^$USER /etc/passwd|cut -d: -f1`
sed -e "${LINE}d" /etc/passwd > /tmp/passwd.fil
echo $NEWREC >> /tmp/passwd.fil

then dump the contents of the temporary file to the /etc/passwd

cat /tmp/passwd.fil > /etc/passwd

(do use 'cat' instead of 'mv' or 'cp' as this will preserve the file ownership and permissions of the /etc/passwd keeping you away from headaches in the future)

Re: Writing script to modify passwd file

Mike Keys — Mon, 11 Jul 2005 11:03:38 GMT

Mel,

Thanks. Big help.

Since this is Perl. How do I do a comparison when modifying a user to ensure that user exists in passwd file?

If ($REC exists) {
do something
{
elsif ($REC not exist) {
print "User not found";
}

Thanks.

Re: Writing script to modify passwd file

Mel Burslan — Mon, 11 Jul 2005 11:04:37 GMT

a quick and dirty menu system for you if you have not done it already :

while true
do
clear
echo "A. Add New User"
echo "M. Modify an Existing User"
echo "R. Remove an Existing User"
echo "D. Display This Menu"
echo "X. Exit Program and Logoff"
echo " "
echo "Please make your selection then hit "
read s
case $s in
"a"|"A")
clear; echo " Adding new user...\n\n" ;; # add new user commands here
"m"|"M")
clear; echo " Modifying user...\n\n";; # modify user commands here
"r"|"R")
clear; echo " Removing user...\n\n"
echo "do you want to remove the user's home directory and its contents y/[n]?"
read yn
if [[ $yn = "y" || $yn = "Y" ]]
then
userdel -r $USER
else
userdel $USER
fi ;;
"x"|"X")
clear; echo " Exiting Program.."; exit ;;
*)
# do nothing display the menu again
clear;;
esac
done

Re: Writing script to modify passwd file

Mike Keys — Mon, 11 Jul 2005 11:25:27 GMT

Mel,

Are using a regular shell script? I was starting to write in Perl.

Re: Writing script to modify passwd file

Mel Burslan — Mon, 11 Jul 2005 11:27:21 GMT

yes it was the standard ksh shell script. I know you can write much more elaborate menu systems using perl and other scripting languages. This is a quick and dirty one just in case you don't feel like writing one yourself now.

Re: Writing script to modify passwd file

Mike Keys — Mon, 11 Jul 2005 11:32:03 GMT

I have most of the stub code in place for the Perl menu. I just need to know how to compare.

Re: Writing script to modify passwd file

Mel Burslan — Mon, 11 Jul 2005 11:32:49 GMT

As I am not well versed in perl, the answer to your question :

"Since this is Perl. How do I do a comparison when modifying a user to ensure that user exists in passwd file?"

in ksh
(again username is in variable $USER assumption here)

grep ^$USER /etc/passwd; r=${?}
if [ $r -ne 0 ]
then
echo "$USER not found on this system"
fi

I think you can call a unix command using exec() command from inside a perl script but details of it eludes me.

Re: Writing script to modify passwd file

Juan M Leon — Mon, 11 Jul 2005 12:19:35 GMT

Mike, maybe you can use something like this

while ($string =~ m/regex/g) {
print "Found '$&'. Next attempt at character " . pos($string)+1 . "\n";
}

Hope helps.

Re: Writing script to modify passwd file

Sandman! — Tue, 12 Jul 2005 16:58:58 GMT

Mike,

I'ave a similar script that I wrote a while back for adding/deleting/modifying users. It might be helpful to you or at the very least it could provide a framework on which you can build yours. This script is parameterized and menu-driven. Best of luck!!!

Re: Writing script to modify passwd file

generic_1 — Thu, 14 Jul 2005 19:52:44 GMT

remsh $i /usr/sam/lbin/usermod.sam -p encrypedpasswordhere usersname

to set their innital password to the above script.
You can use ssh for a more secure connection.