Operating System - HP-UX

User deletion script for use by non-root users

 
Michael Campbell
Trusted Contributor


Hi

Every day, I get a list of users to delete passed to me from our Helpdesk people. While I know that this is a quick "userdel -r" to get rid of each of them, it is still an extra step in our security process which I'd like to consolidate.

Our Helpdesk already delete all the users' application and other OS accounts and they also set up the HP-UX users, so I'd like them to be able to remove the HP-UX accounts also.

I realise that there are inherent dangers with this and I wondered if anyone had a good way to go about this.

Any Help Appreciated

Michael
Sunil Sharma_1
Honored Contributor
Solution

Re: User deletion script for use by non-root users

Use sudo to give other users rights to selected commands. You can use restricted SAM as well.

Sunil
*** Dream as if you'll live forever. Live as if you'll die today ***
Sridhar Bhaskarla
Honored Contributor

Re: User deletion script for use by non-root users

Hi Michael,

'Sudo' is the best way. Search the forums on how to download it.

Another way is to set up 'restricted SAM'. Run 'sam -r' as root and give access to only those areas that you want the users to run.

Be careful while setting up the 'sudoers' file for sudo as you can inadvertently open up security holes.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Bill Hassell
Honored Contributor

Re: User deletion script for use by non-root users

Write your script with associated checks for a valid username (not root, etc) and perform the userdel within the script. It should only run as root (*NO* suid). Then use sudo for the helpdesk people to run the script. There is no such thing as a secure suid script, so use sudo (sudoers file) to limit what scripts and commands the helpdesk can use.


Bill Hassell, sysadmin
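
An added example, not part of Bill Hassell's post or anyone else's in this thread: one way to write the validating wrapper he describes, run through sudo and not suid. The install path /usr/local/sbin/deluser, the helpdesk group, the uid floor of 100, the protected-name list and the function names are all assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). Hypothetical install path and group;
# sudoers entry:  %helpdesk ALL = (root) /usr/local/sbin/deluser
# Script is owned by root, not writable by anyone else, and has no suid bit.
PATH=/usr/sbin:/usr/bin:/sbin:/bin; export PATH   # do not trust the caller's PATH
PASSWD_FILE=${PASSWD_FILE:-/etc/passwd}   # local accounts only
MIN_UID=${MIN_UID:-100}                   # assumption: lower uids are system accounts
PROTECTED="root daemon bin sys adm uucp lp nuucp hpdb www"   # assumed list

# check_user NAME: returns 0 if NAME may be deleted, else prints why not.
check_user() {
    name=$1
    case $name in   # whitelist: rejects empty, "-r"-style options, paths, metacharacters
        ''|-*|*[!a-z0-9_]*) echo "malformed name"; return 1 ;;
    esac
    case " $PROTECTED " in
        *" $name "*) echo "protected account"; return 1 ;;
    esac
    if [ "$name" = "${SUDO_USER:-}" ]; then
        echo "operator's own account"; return 1
    fi
    uid=$(awk -F: -v n="$name" '$1 == n { print $3; exit }' "$PASSWD_FILE")
    if [ -z "$uid" ]; then echo "no such local user"; return 1; fi
    # The uid test catches uid-0 aliases and service accounts under any name
    if [ "$uid" -ge "$MIN_UID" ] 2>/dev/null; then return 0; fi
    echo "system account (uid $uid)"; return 1
}

# delete_users NAME...: deletes each name that passes check_user, logs the rest.
delete_users() {
    rc=0
    for u in "$@"; do
        if reason=$(check_user "$u"); then
            userdel -r "$u" && logger -p auth.notice -t deluser \
                "deleted $u (requested by ${SUDO_USER:-unknown})" || rc=1
        else
            echo "refused '$u': $reason" >&2; rc=1
        fi
    done
    return $rc
}

if [ $# -gt 0 ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run via sudo" >&2; exit 1; }
    delete_users "$@"
fi
```
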
Muthukumar_5
Honored Contributor

Re: User deletion script for use by non-root users

You can get sudo from:
http://gatekeep.cs.utah.edu/hppd/hpux/Sysadmin/sudo-1.6.7p5/

Configure sudoers for a particular user to get root access to delete user accounts.

Another way would be with a .rhosts file:

$ROOTHOME/.rhosts
localhost.domainname.com

so that the particular user sends a remsh / rexec execution to localhost as the root user to delete those users. It is easy to do.

Configure the root user's .rhosts with the root user for the allowed users there to do the action. But it gives root access to execute anything on your machine. [ Avoid this ]

HTH.


Easy to suggest when don't know about the problem!
Michael Campbell
Trusted Contributor

Re: User deletion script for use by non-root users

Thanks Everyone.

I think I'll go with restricted SAM.

Regards

Michael