DaemonForums  

#1
3rd June 2008
cajunman4life
Real Name: Aaron Graves
"newuser"

I came across the script "newuser" at http://chip.cuccio.us/projects/hacks/, and was considering porting it to my environment.

Question - does anyone foresee a problem with setting this script setuid root, and making it executable only by members of the group "new" (which will be only one - user "new") and setting it as user "new"'s login shell?

What I'm trying to accomplish is for someone to be able to log in to my system as user "new" and basically create their own account. Once the script is finished they will then be logged out and can then log in with their new account.

As a side note - considering extending it to not allow the user to select a password during this step, but instead use apg to generate a random password, and require the user to enter a valid email address (which this random password would be sent to). Upon new user creation the password would be expired so as soon as they log in with this random password they will be required to set their own.

Thoughts?
__________________
I just saved a bunch of money on my car insurance by fleeing the scene of the accident!

#2
3rd June 2008
corey_james

what's wrong with adduser(8) ?
__________________
"No, that's wrong, Cartman. But don't worry, there are no stupid answers, just stupid people." -- Mr. Garrison

Forum Netiquette

#3
3rd June 2008
cajunman4life
Real Name: Aaron Graves

Can adduser work as an interactive shell for user "new"? That's the only reason why I want to use this

EDIT: I think I now know what you meant. I am reading adduser source right now. And, look at this: It's BSD licensed. Goodie. I can copy it and make the necessary changes to make it more "new-user friendly" (i.e. not just ask questions, but give a little info too).

Thanks!
Last edited by cajunman4life; 3rd June 2008 at 06:08 PM.

#4
4th June 2008
TerryP

adduser is what I usually use, it works well and is effective.

My *personal* opinion, the create their own account thing is a nice idea (especially if there are a lot of users) but if you are going to try setuid to root on it, be careful !!!


If doing that, I would use a custom program that restricts what things they can do -- for example blocking them from setting their own user and group ID numbers, allowing them to set their group(s) or restrained to only a few 'safe' groups you choose. The script can always wrap around the pw utility.

Stuff like that ;-)


Ok, so I am paranoid as much as I am lazy...
__________________
My Journal

Thou shalt check the array bounds of all strings (indeed, all arrays), for surely where thou typest ``foo'' someone someday shall type ``supercalifragilisticexpialidocious''.

#5
4th June 2008
BSDfan666
Real Name: N/A, this is the interweb.

It should be noted, adduser(8) has a companion user-friendly script rmuser(8), good to keep in one's docs directory.

Note; OpenBSD has similar scripts... of the same name, but may not be flag compatible with each other.

#6
4th June 2008
cajunman4life
Real Name: Aaron Graves

Quote:
Originally Posted by TerryP View Post
If doing that, I would use a custom program that restricts what things they can do -- for example blocking them from setting their own user and group ID numbers, allowing them to set their group(s) or restrained to only a few 'safe' groups you choose. The script can always wrap around the pw utility.

Ok, so I am paranoid as much as I am lazy...
Yea, I was going to take adduser and modify it for exactly these purposes. I'm going to limit available UIDs to 10000+ (for my own tracking purposes) and allow GID of 9999 only (which will be set to "users"). This is the setup for me.

Oh - and as far as being paranoid and lazy... both are great qualities of system admins
Reply With Quote
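
The restrictions discussed in the posts above (the caller chooses only a login name, while the wrapper fixes UID 10000+ and GID 9999), as an added example that is not part of the thread, of the "newuser" script or of adduser. It is a dry run that only prints the pw(8) command; the function names, the 16-character name limit, the /bin/sh shell and the sample passwd data are assumptions.

```shell
#!/bin/sh
# Added example (dry run): policy checks for a self-service account wrapper.
LC_ALL=C; PATH=/sbin:/bin:/usr/sbin:/usr/bin; export LC_ALL PATH
MIN_UID=10000    # thread's policy: new accounts get UIDs 10000 and up
FIXED_GID=9999   # thread's policy: the only allowed GID ("users")

# valid_login NAME: first char a-z, rest a-z, 0-9 or _, at most 16 chars.
# The 16-char limit is an assumption; check MAXLOGNAME on your release.
valid_login() {
    case $1 in
        ''|[!a-z]*|*[!a-z0-9_]*) return 1 ;;
    esac
    [ "${#1}" -le 16 ]
}

# login_taken NAME FILE: succeeds if NAME is already a login in FILE.
login_taken() {
    awk -F: -v n="$1" '$1 == n { hit = 1 } END { exit !hit }' "$2"
}

# next_uid FILE: lowest unused UID >= MIN_UID in passwd-format FILE.
next_uid() {
    awk -F: -v min="$MIN_UID" '
        $3 ~ /^[0-9]+$/ { used[$3 + 0] = 1 }
        END { u = min + 0; while (u in used) u++; print u }' "$1"
}

# build_useradd NAME FILE: print the pw(8) command the wrapper would run.
# Only NAME comes from the caller; UID, GID and shell are chosen here.
build_useradd() {
    valid_login "$1" || { echo "rejected: bad login name" >&2; return 1; }
    if login_taken "$1" "$2"; then
        echo "rejected: login exists" >&2; return 1
    fi
    echo "/usr/sbin/pw useradd -n $1 -u $(next_uid "$2") -g $FIXED_GID -m -s /bin/sh"
}

# Constructed passwd-format sample, not taken from a real system.
sample_passwd() {
    printf '%s\n' 'root:*:0:0:Charlie &:/root:/bin/csh' \
        'new:*:1001:1001:Signup:/home/new:/usr/local/sbin/newuser' \
        'alice:*:10000:9999:Alice:/home/alice:/bin/sh' \
        'bob:*:10002:9999:Bob:/home/bob:/bin/sh'
}

tmp=$(mktemp) && sample_passwd > "$tmp"
build_useradd carol "$tmp"                 # accepted
build_useradd '-G wheel' "$tmp" || true    # rejected by valid_login
rm -f "$tmp"
```

Because the name is validated before it reaches any command line, text that looks like a pw option or contains whitespace never becomes an argument.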

#7
4th June 2008
tanked

How do you remove a user from a group? I suppose I could use the -G option to
Code:
pw usermod
but that means I have to specify all the groups that I want the user to remain in. What command do I use to simply remove one user from one group?

#8
4th June 2008
cajunman4life
Real Name: Aaron Graves

Well if it's not the user's primary group, you can simply remove their name from the group name in /etc/group, and force a logout (if they are currently logged in).

#9
4th June 2008
tanked

Thanks, I was aware of that but I just thought there would be a specific command for it; if there isn't such a command then it's a rather surprising and silly limitation for FreeBSD in my opinion.

4th June 2008
cajunman4life
Real Name: Aaron Graves

There may be a command, but when it comes to removing a user from a group that isn't their primary group, I prefer to edit /etc/group manually. You could use "pw -G" as you mentioned above, but you need to list every group that member should belong to (which could quickly become cumbersome for example if you have a user that belongs to 30 groups and you need to remove him from one).

4th June 2008
TerryP

My guess is that FreeBSD's pw and OpenBSD's user/group programs (note, I don't use NetBSD so NetBSD users please forgive any errors!) were made with the assumption that removing a user from a group would be more often done when removing an account than adjusting memberships.

I tend to just edit /etc/group manually as well, the file format I can remember more readily than what program I need to interact with it through ;-)

4th June 2008
BSDfan666
Real Name: N/A, this is the interweb.

Quote:
Originally Posted by tanked View Post
Thanks, I was aware of that but I just thought there would be a specific command for it; if there isn't such a command then it's a rather surprising and silly limitation for FreeBSD in my opinion.
It's not a silly limitation, you're free to search man pages.. you're free to edit /etc/group, and you're also free to write your own utility for the job.

I see no limitation on FreeBSD's part..

5th June 2008
BSDKaffee
Real Name: Jason Hale

Quote:
Originally Posted by tanked View Post
How do you remove a user from a group?
# pw groupmod group -d username
Probably a little safer than mangling the /etc/group file in an editor.

5th June 2008
tanked

Quote:
Originally Posted by BSDKaffee View Post
# pw groupmod group -d username
Probably a little safer than mangling the /etc/group file in an editor.
That command doesn't work, and looking at the man page the -d option is used for specifying a user account's home directory, but that does look like the command I would've used- or I may have used a -x option

5th June 2008
tanked

Quote:
Originally Posted by BSDfan666 View Post
It's not a silly limitation, you're free to search man pages.. you're free to edit /etc/group, and you're also free to write your own utility for the job.

I see no limitation on FreeBSD's part..
Already read the man page, am aware of /etc/group and as an end user it's not my responsibility to write a command that common sense dictates should already exist.

5th June 2008
radcapricorn

Tanked,
if FreeBSD developers would "think aforehead for you" all the time, it'll soon cease to be either Free and BSD

5th June 2008
tanked

I'm not asking anyone to 'think ahead' for me I'm simply saying I shouldn't be forced to write commands that really should already exist, and I don't see the logic in your suggestion that by offering a few more commands for user/group manipulation this would result in FreeBSD no longer being freely available or 'being BSD'.

Anyway, I think we've established that there is no command to remove one specific user from a specific group so editing /etc/group is the way to go.

No biggie, case closed.

5th June 2008
BSDKaffee
Real Name: Jason Hale

Quote:
Originally Posted by tanked View Post
Anyway, I think we've established that there is no command to remove one specific user from a specific group so editing /etc/group is the way to go.
That's not true. I gave you the command and it does work. You claimed to have read the manpage for pw(8), so if you did you would have seen the following:
Quote:
-d oldmembers Similar to -M, this option allows the deletion of existing users from a group without replacing the existing list of members. Login names or user ids may be used, and duplicate users are silently eliminated.

5th June 2008
tanked

The command certainly does not work, and I cannot find the section of the man page you have provided in the man page on my system or the online man page:

http://www.freebsd.org/cgi/man.cgi?q...SE&format=html

If you are seeing this in your man page then I can only assume we are using different FreeBSD versions, here is the output from uname -a:

FreeBSD 7.0-RELEASE-p1

5th June 2008
cajunman4life
Real Name: Aaron Graves

The command referenced by BSDKaffee above does indeed appear in the man page, under the "GROUP OPTIONS" section. It took me a while to find it, but I found it.

Now, with all due respect, the both of you have hijacked my thread and we've gone a bit off-topic from the first post.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick