topic Re: passwd in a script in Operating System - HP-UX

passwd in a script

Jim Tropiano_1 — Mon, 25 Jul 2005 08:15:15 GMT

Wrote a sript for our helpdesk to use to add user to the system. I know this is not best practice, but we have the script set as user root and the security of the program set so it will run as root. chmod 4750 'name of script'

The script except when we run the part to add the password. We Permisiion denied. In the script the lines say:

passwd ?{newuser}
passwd -f ?{newuser}

according to the man pages on passwd - A superuser whose effective user ID is 0 is allowed to change password.
I inserted id with the right option and 0 was the uid.

I run the script as root and it works fine. I run as another user I get the error.
Any suggestion????

Re: passwd in a script

Kasper Hedensted — Mon, 25 Jul 2005 08:27:30 GMT

Hi Jim,

I haven't got the solution to your problem;
But I think you should take a look at using a restricted SAM for your helpdesk. This way you can grant them rights to add users / change passwords / unlock users among other things.

if this is not an option, then take a look at sudo

Cheers,
Kasper

Re: passwd in a script

Simon Hargrave — Mon, 25 Jul 2005 08:37:54 GMT

Have your script run "id" before the passwd command - verify that the EUID is correctly set.

If it is not set, is the filesystem on which your script is stored mounted with nosuid option? Check /etc/fstab and output of mount command.

Re: passwd in a script

Gavin Clarke — Mon, 25 Jul 2005 08:39:22 GMT

Our helpdesk do passwords.

sam -r is the way we got it up and running.

Re: passwd in a script

Gavin Clarke — Mon, 25 Jul 2005 08:44:27 GMT

Yep, I've just added a user as a test using a normal user and sam access that was configured using sam -r.

Re: passwd in a script

Mel Burslan — Mon, 25 Jul 2005 11:53:59 GMT

well, this may not be the answer you are looking for but instead of the help desk create a new password for each user, you can set few pre-expired passwords while you are running as root on some dummy accounts. Copy the hashed (encrypted) password strings into a secure file. And instead of running these two passwd commands, you can let the helpdesk rep select from these preset passwords and put their selection (in encrypted form of course) as the initial password to the newuse with command

/usr/sam/lbin/usermod.sam -p "Dx3zsaZS3q22." username

by changing the password hash to your own selected string.

hope this helps

Re: passwd in a script

Tim Nelson — Mon, 25 Jul 2005 14:10:47 GMT

We have our help desk use restricted SAM to run a script. The script controlls the userids that can be reset or modified. i.e. limit the ids so ids like root or any others specified cannot be changed.

Re: passwd in a script

Jim Tropiano_1 — Thu, 28 Jul 2005 14:52:32 GMT

Thanks for all the responses. I got it to work for waht we needed.

Thanks to all.

Re: passwd in a script

Jim Tropiano_1 — Thu, 28 Jul 2005 14:53:07 GMT

Thanks the script works