Scripting

Aggy
Frequent Advisor

Scripting

I am not sure if someone has already tried it, but we have some software developers and we have given them RO access by default, and the RW access is audited.
To give them RW access we add them to a secondary group temporarily (for an agreed time) and then remove it after they make their changes (all done by SAM or the usermod command).
Now I want this to be scripted so that OPS (Operators) can run a script for them to add/remove the secondary group. The main issue is how to build an automatic time-out.
I want to run a script where, suppose Developer Tom calls and asks for RW access for 4 hrs, the OPS should be able to run a script where they can add the user Tom and the time, and after 4 hrs it should automatically remove the Secondary Group for Tom (if this is possible), and the maximum access should be no more than 2 weeks.


Example Script Output as below to make things more clear

Please type the user you want to give RW access? TOM
For how long does he want access? 4 hrs
Access Given!!!!! RW access will be removed after 4 hrs.


Please type the user you want to give RW access? DICK
For how long does he want access? 2 days
Access Given!!!!! RW access will be removed after 2 days

Please type the user you want to give RW access? Harry
For how long does he want access? 3 weeks
Sorry!! Maximum RW access cannot exceed 2 weeks.
Steven E. Protter
Exalted Contributor

Re: Scripting

Shalom,

You don't have to write the whole script.

SAM records every command that you run by menu and provides the commands that it ran.

You should run the sam process and then view the recent commands.

Then you can cut and paste the code into your "script".

You'll need some additional code.

echo "Please type the user you want to give RW access?"
read USERNAME
echo "For how long does he want access (in weeks)?"
read LENGTH
# Reject anything that is not a whole number before comparing it.
case "$LENGTH" in
    ''|*[!0-9]*) echo "Please enter a whole number of weeks."; exit 1 ;;
esac
# The limit is two weeks inclusive, so only more than 2 is refused.
if [ "$LENGTH" -gt 2 ]
then
    echo "Two weeks or less. Try again."
    exit 1
else
    echo "Access Granted to $USERNAME"
    # put sam code here.
fi

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
OldSchool
Honored Contributor

Re: Scripting

One way to "schedule" the timeout would be to have your script that grants access schedule an "at" job to revoke it. "at" recognizes a "+ count timeunit" schedule date, which should fit well w/ your limits.

just be sure that the operators have access to batch and at.
Patrick Wallek
Honored Contributor

Re: Scripting

What you could do is write 2 scripts.

The first script adds the user to the group. This could possibly be done with the usermod command. At the end of the script, after you add the user to the group and have input the expiration period, you code a call to the 2nd script. This call will schedule an 'at' job to run the 2nd script at the specified expiration time for the user specified. For example: echo "/some/dir/delete-groups tom" | at now + 4 hours

When using at you can specify 'now + minutes/hours/days/weeks/months/years'

The 2nd script accepts a username as a parameter and removes the user from that group.
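
Putting the two-script approach together, as an added example that is not code from the thread: a POSIX sh grant script that validates the user name and the requested duration, enforces the two-week cap, adds the group with usermod and queues the revoke step with at(1). The group name rwgroup, the helper path /some/dir/delete-groups (Patrick's placeholder, which this same script can be installed as, using --revoke) and the DRY_RUN switch are assumptions. Because usermod -G replaces the whole supplementary group list, the script carries the user's current groups along rather than clobbering them.

```shell
#!/bin/sh
# Added example, not code from the thread: grant a user temporary
# membership in a secondary group and queue its removal with at(1),
# refusing anything over the poster's 2-week cap. Assumptions: the group
# is called rwgroup, the revoke helper is /some/dir/delete-groups
# (Patrick's placeholder path; install this script there and it revokes
# when called with --revoke), and DRY_RUN=1 prints the privileged
# commands instead of running them.

GROUP="${GROUP:-rwgroup}"
REVOKE_CMD="${REVOKE_CMD:-/some/dir/delete-groups}"
MAX_MINUTES=20160                  # 2 weeks = 14 days * 24 h * 60 min
DRY_RUN="${DRY_RUN:-1}"

# Run a privileged command, or only show it while DRY_RUN is set.
run() { if [ "$DRY_RUN" = 1 ]; then echo "DRY-RUN: $*"; else "$@"; fi; }

# to_minutes "4 hrs" prints 240; prints nothing and returns 1 for input
# it does not understand, so callers never act on a half-parsed value.
to_minutes() {
    n=$(printf '%s\n' "$1" | awk '{print $1}')
    u=$(printf '%s\n' "$1" | awk '{print tolower($2)}')
    case "$n" in ''|0*|*[!0-9]*) return 1 ;; esac  # positive integer, no leading zero
    case "$u" in
        min|mins|minute|minutes) echo "$n" ;;
        hr|hrs|hour|hours)       echo $((n * 60)) ;;
        day|days)                echo $((n * 1440)) ;;
        week|weeks)              echo $((n * 10080)) ;;
        *) return 1 ;;
    esac
}

# within_limit MINUTES succeeds only when the request fits under the cap.
within_limit() { [ "$1" -le "$MAX_MINUTES" ]; }

# valid_name NAME: the name ends up on at(1) and usermod(1M) command lines,
# so accept only characters a login name may contain, never shell syntax.
valid_name() {
    case "$1" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    return 0
}

# drop_group "a,b,c" b prints "a,c": the list the revoke step hands to
# usermod -G so the user keeps every other supplementary group.
drop_group() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -v "^$2\$" | paste -s -d, -
}

# grant_access USER DURATION. Returns 0 granted, 2 bad input, 3 over cap.
grant_access() {
    user=$1
    duration=$2
    valid_name "$user" || { echo "Invalid user name." >&2; return 2; }
    minutes=$(to_minutes "$duration") ||
        { echo "Duration must look like '4 hrs', '2 days' or '1 week'." >&2; return 2; }
    within_limit "$minutes" ||
        { echo "Sorry!! Maximum RW access cannot exceed 2 weeks." >&2; return 3; }
    # usermod -G replaces the whole supplementary list, so carry the
    # current groups along instead of clobbering them.
    current=$(id -Gn "$user" 2>/dev/null | tr ' ' ',')
    run usermod -G "${current:+$current,}$GROUP" "$user"
    # at(1) accepts "now + N minutes"; the queued job runs the revoke helper.
    run sh -c "echo '$REVOKE_CMD $user' | at now + $minutes minutes"
    run logger -t rwaccess "$GROUP granted to $user for $duration by ${LOGNAME:-?}"
    echo "Access Given!!!!! RW access will be removed after $duration."
}

# revoke_access USER: what the at job runs; drops GROUP, keeps the rest.
revoke_access() {
    user=$1
    valid_name "$user" || { echo "Invalid user name." >&2; return 2; }
    keep=$(drop_group "$(id -Gn "$user" 2>/dev/null | tr ' ' ',')" "$GROUP")
    run usermod -G "$keep" "$user"
    run logger -t rwaccess "$GROUP revoked from $user"
}

# Prompts matching the poster's sample dialogue.
prompt_and_grant() {
    printf 'Please type the user you want to give RW access? '
    read -r user
    printf 'For how long does he want access? '
    read -r duration
    grant_access "$user" "$duration"
}

# Usage: grant-rw.sh USER "DURATION" | grant-rw.sh --revoke USER |
# no arguments at a terminal for the prompts.
if [ "${1:-}" = --revoke ] && [ $# -eq 2 ]; then
    revoke_access "$2"
elif [ $# -eq 2 ]; then
    grant_access "$1" "$2"
elif [ $# -eq 0 ] && [ -t 0 ]; then
    prompt_and_grant
fi
```

Run it as `sh grant-rw.sh tom "4 hrs"` (or with no arguments at a terminal for the prompts) and set DRY_RUN=0 once the printed usermod and at commands look right. The logger call gives the audit trail the poster mentioned, and the name check matters because the user name is spliced into the command line handed to at(1).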

Ben Dehner
Trusted Contributor

Re: Scripting

One thing that is unclear to me is whether the operators have the general permission to use SAM to make the modifications.

What you might need to do is write a SUID program in C or C++ that the operators run. This program is SUID as some userid that in turn has the appropriate permissions to do the usermod. This program need only be a wrapper around a script that does the work, which can do the usermod to add the group and, as pointed out, create an 'at' job to later remove the group.

The only thing you need to be careful with for the SUID program is sanitizing the input and environment to avoid buffer overflows and other nasty security issues. (Never, ever, use a SUID script.)
Trust me, I know what I'm doing