Operating System - HP-UX

Mike Blatsos
Advisor

Giving a user-id the ability to add users (scripted)

I have the need to give a user-id other than root the ability to add users via a script. Sudo will not work in this case. The system is trusted if that makes a difference. I would prefer that that user could only add to its group.
James R. Ferguson
Acclaimed Contributor

Re: Giving a user-id the ability to add users (scripted)

Hi Mike:

If 'sudo' isn't an option, I'd create a simple C-wrapper, setuid to 'root' expressly for the purpose you describe. The usual caveats apply: make sure that both the wrapper and the script called within are strictly secured.

Regards!

...JRF...
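A sketch of the kind of setuid-root C wrapper suggested in the reply above, added here as an example and not code posted by anyone in the thread. It accepts one login name, validates it strictly, forces the new account into the caller's own group, and executes `useradd` directly with a fixed environment and no shell. The wrapper name `addgrpuser`, the `/usr/sbin/useradd` path, and the choice of the `-g` and `-m` options are assumptions; install it owned by root with mode 4750 and a group that contains only the account allowed to run it.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
#define USERADD "/usr/sbin/useradd"   /* assumed location of useradd */

/* Accept only 1-8 characters: a lowercase letter, then lowercase letters
 * or digits. This rejects option-like ("-o"), path-like and shell-meta input. */
int valid_login(const char *s)
{
    size_t i, n;
    if (s == NULL) return 0;
    n = strlen(s);
    if (n < 1 || n > 8 || s[0] < 'a' || s[0] > 'z') return 0;
    for (i = 1; i < n; i++)
        if (!((s[i] >= 'a' && s[i] <= 'z') || (s[i] >= '0' && s[i] <= '9')))
            return 0;
    return 1;
}

/* Build a fixed useradd argv. The group is always the caller's own gid,
 * never something taken from the command line. Returns 0, or -1 on reject. */
int build_argv(const char *login, gid_t gid, char *gidbuf, size_t len, char *av[6])
{
    int n;
    if (!valid_login(login) || gid == 0) return -1;   /* no new users in gid 0 */
    n = snprintf(gidbuf, len, "%lu", (unsigned long)gid);
    if (n < 0 || (size_t)n >= len) return -1;
    av[0] = "useradd"; av[1] = "-g"; av[2] = gidbuf;
    av[3] = "-m"; av[4] = (char *)login; av[5] = NULL;
    return 0;
}

int main(int argc, char *argv[])
{
    /* Fixed environment: nothing inherited from the unprivileged caller. */
    static char *clean_env[] = { "PATH=/usr/bin:/usr/sbin", NULL };
    char gidbuf[24], *av[6];
    if (argc != 2 || build_argv(argv[1], getgid(), gidbuf, sizeof gidbuf, av) != 0) {
        fprintf(stderr, "usage: addgrpuser login\n");
        return 2;
    }
    if (setuid(0) != 0) {          /* assumption: useradd wants real uid 0 as well */
        perror("setuid");
        return 1;
    }
    execve(USERADD, av, clean_env);   /* absolute path, no shell involved */
    perror("execve");
    return 1;
}
```

Because the wrapper calls the binary itself instead of a script, there is no second file whose permissions have to be protected.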
Peter Godron
Honored Contributor

Re: Giving a user-id the ability to add users (scripted)

Mike,
Have you thought about possible use of an access control list (ACL) on the useradd etc. binaries?

For script please see:
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=952123

Or how about giving the user restricted SAM (see "man sam" -r option)

Please also read:
http://forums1.itrc.hp.com/service/forums/helptips.do?#33 on how to reward any useful answers given to your questions.
Mike Blatsos
Advisor

Re: Giving a user-id the ability to add users (scripted)

More info if it helps: we have a development team from LAWSON here trying to create an automated process to add users. On the Windows side it is IBM Tivoli LDAP, which they want to use to add users to HP-UX. They are using a package called ProcessFlow which can read the LDAP DB and through various processes comes up with an 8-character UNIX id, and from a table of preassigned UIDs they grab an available UID. Too late in the process to use LDAP-UX... The killer is that all the created user-ids are deactivated (internal use only).