HPE Community
Operating System - HP-UX
1833464 Members
2629 Online
110052 Solutions
New Discussion

useradd script for support

 
Stephanie L Davenport
Frequent Advisor

‎09-25-2008 09:19 AM

‎09-25-2008 09:19 AM

useradd script for support

Can someone please help me out with a script?

The support people where I work need to have root access to create/modify/disable users but, we don't want to give them shell access.

So, I have the menu set up but, I am having issues with the script that the menu would call.

Does anyone have something similar to what I am looking for so I don't have to "reinvent the wheel"? I just need something that will ask for the user information (login, name, group) and create the user (home dir, passwd entry, etc...) while checking to make sure that the login does not already exist.

Thanks for your help!

p.s. the menu is a shell script. I would like the useradd script to also be in shell.
0 Kudos
9 REPLIES 9
Robert-Jan Goossens_1
Honored Contributor

‎09-25-2008 09:28 AM

‎09-25-2008 09:28 AM

Re: useradd script for support

Hi Stephanie,

You could create a restricted shh session for the support desk, like the old sam -r (restricted) version.

From docs.hp.com

If you need to give limited superuser access to a nonsuperuser, you can activate the Restricted SMH Builder. Using the Restricted SMH Builder, you can enable or disable selected SMH areas for the user. To activate the Restricted SMH Builder, enter:

# smh -r

When users with restricted access execute SMH, they will have superuser status in the defined areas and will only see those SMH areas in the menu. All other areas of SMH will be hidden from the user. When users without access permissions execute SMH, they will receive an error message stating they must be superuser.

You can also add more applications to SMH and set them up for restricted access.

http://docs.hp.com/en/5992-3387/ch02s11.html

Regards,
Robert-Jan
0 Kudos
Robert-Jan Goossens_1
Honored Contributor

‎09-25-2008 09:34 AM

‎09-25-2008 09:34 AM

Re: useradd script for support

Add on.

another option is the RBAC HP-UX Role-Based Access Control. Have a look at the info in below link. Software is available for 11i v2 + v3.

http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=AccessControl

Regards,
Robert-Jan
0 Kudos
Stephanie L Davenport
Frequent Advisor

‎09-25-2008 09:41 AM

‎09-25-2008 09:41 AM

Re: useradd script for support

we don't have smh loaded on the system and it is 11iv1. :(

Any other ideas?
0 Kudos
Ivan Krastev
Honored Contributor

‎09-25-2008 09:47 AM

‎09-25-2008 09:47 AM

Re: useradd script for support

Use webmin with restricted user. I have setup similar for adding/deleting users and mail aliases.

regards,
ivan
0 Kudos
Tim Nelson
Honored Contributor

‎09-25-2008 10:02 AM

‎09-25-2008 10:02 AM

Re: useradd script for support

In the past we configured restricted SAM to run a password reset script as root.

Simple to do.

The script is the part need to concentrate on.

1) restrict the username that the helpdesk can change passwords for. e.g. root, admin people, and application accounts.

2) every activity should create an audit log, not just for the auditors but to audit who did what and when just in case an issue comes up.

Here is the logic.

Enter username:
if $username = root ||admins ||applications then exit

Can also use a resticted list, e.g. if attempting to change password for username in list then exit.

Pretty simple.

0 Kudos
Stephanie L Davenport
Frequent Advisor

‎09-25-2008 10:07 AM

‎09-25-2008 10:07 AM

Re: useradd script for support

The issue is that we are trying to make this as easy as possible for the support staff instead of myself. :)

I just need a script that reads in the login, name and group and runs either useradd, userdel or usermod depending on which menu item they picked.

They already have access to sam (restricted) and don't like this option.
0 Kudos
James R. Ferguson
Acclaimed Contributor

‎09-25-2008 10:35 AM

‎09-25-2008 10:35 AM

Re: useradd script for support

Hi Stephanie:

If 'sudo', restricted SAM/SMH or RBAC aren't viable options for you, then your choice may be (forbid I mention this!) a 'setuid' C-wrapper for your shell script.

Regards!

...JRF...
0 Kudos
VK2COT
Honored Contributor

‎09-25-2008 08:37 PM

‎09-25-2008 08:37 PM

Re: useradd script for support

Hello,

Take a look at my Perl script:

http://www.circlingcycle.com.au/Unix-sources/add-batch-Unix-accounts.pl.txt

Add options for userdel or usermod and
you can do it easily.

Cheers,

VK2COT
VK2COT - Dusan Baljevic
0 Kudos
Stephanie L Davenport
Frequent Advisor

‎10-13-2008 05:39 AM

‎10-13-2008 05:39 AM

Re: useradd script for support

I will continue to look for a shell script that will do a useradd. Thanks for your help!
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.