Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations derfloh on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Restrict user to password resets only 1
- Thread starter Stinney
- Start date
-
1
- #2
We use a custom shell script that gets called from .profile and sudo to do it here. When the user (helpdesk) logs in they are immediately dropped into a script for reseting passwords. The script uses sudo to do the work, and then the session exits.
HTH
HTH
- Thread starter
- #3
Sounds cool, but over my head. But good information that we can bring back to the Unix gurus and ask them to develop.
- Stinney
Favorite all too common vendor responses: "We've never seen this issue before." AND "No one's ever wanted to use it like that before.
- Stinney
Favorite all too common vendor responses: "We've never seen this issue before." AND "No one's ever wanted to use it like that before.
malayzorro
Technical User
linnorm...if possible..maybe you can share the script..
Here it is. Note that it prevents resetting root, etc. You can add more userids if you have other ids that you want to prevent the script users from resetting; oracle for example. Also, it forces the user to change their password on their next login.
The helpdesk user's .profile is also below. Note that it traps interrupts and exits immediately after the reset script finishes.
#######--- Cut here -- .profile
trap "" INT
stty erase ^H
export PATH=$PATH:/appbin/user_maint
/usr/local/bin/sudo user_reset
exit
#######--- Cut here -- user_reset
#!/bin/ksh
##This script asks for a username and resets the password of the given user.
get_response()
{
read response
case x"$response" in
xQuit|xquit|xQUIT|xq|xQ)
exit;;
x) response=$1;
export response;;
esac
}
invalid_user()
{
print
print "***********************"
print " You may not maintain unix system accounts"
print "***********************"
print
exit
}
while : ;
do
print
print
print
print -n " Enter the UNIX Account to reset or 'q' to quit: "
get_response
UXUSER=$response
if [ "$UXUSER" = "" ]
then
print -n "You must enter a user to reset: "
continue
else
case $UXUSER in
root) invalid_user ;;
bin) invalid_user ;;
sys) invalid_user ;;
adm) invalid_user ;;
lp) invalid_user ;;
uucp) invalid_user ;;
nuucp) invalid_user ;;
listen) invalid_user ;;
nobody) invalid_user ;;
noaccess) invalid_user ;;
nobody4) invalid_user ;;
esac
fi
print -n "resetting password for $UXUSER : "
print
/usr/bin/passwd $UXUSER
/usr/bin/passwd -f $UXUSER
done
_______
Linnorm
The helpdesk user's .profile is also below. Note that it traps interrupts and exits immediately after the reset script finishes.
#######--- Cut here -- .profile
trap "" INT
stty erase ^H
export PATH=$PATH:/appbin/user_maint
/usr/local/bin/sudo user_reset
exit
#######--- Cut here -- user_reset
#!/bin/ksh
##This script asks for a username and resets the password of the given user.
get_response()
{
read response
case x"$response" in
xQuit|xquit|xQUIT|xq|xQ)
exit;;
x) response=$1;
export response;;
esac
}
invalid_user()
{
print "***********************"
print " You may not maintain unix system accounts"
print "***********************"
exit
}
while : ;
do
print -n " Enter the UNIX Account to reset or 'q' to quit: "
get_response
UXUSER=$response
if [ "$UXUSER" = "" ]
then
print -n "You must enter a user to reset: "
continue
else
case $UXUSER in
root) invalid_user ;;
bin) invalid_user ;;
sys) invalid_user ;;
adm) invalid_user ;;
lp) invalid_user ;;
uucp) invalid_user ;;
nuucp) invalid_user ;;
listen) invalid_user ;;
nobody) invalid_user ;;
noaccess) invalid_user ;;
nobody4) invalid_user ;;
esac
fi
print -n "resetting password for $UXUSER : "
/usr/bin/passwd $UXUSER
/usr/bin/passwd -f $UXUSER
done
_______
Linnorm
- Thread starter
- #6
- Thread starter
- #8
Linnorm,
This script works great. I had to add a wait command at the begining of the invalid_user subroutine otherwise it wouldn't print out the message for some reason.
I counldn't use sudo, but created an account with root permission and changed their shell in the passwd file to the directory and path of the script.
It all seems to be working great. I've kicked the tires and tried to break it, but I can only change passwords and can't access anything else in the system.
Thanks a million!
- Stinney
Favorite all too common vendor responses: "We've never seen this issue before." AND "No one's ever wanted to use it like that before.
This script works great. I had to add a wait command at the begining of the invalid_user subroutine otherwise it wouldn't print out the message for some reason.
I counldn't use sudo, but created an account with root permission and changed their shell in the passwd file to the directory and path of the script.
It all seems to be working great. I've kicked the tires and tried to break it, but I can only change passwords and can't access anything else in the system.
Thanks a million!
- Stinney
Favorite all too common vendor responses: "We've never seen this issue before." AND "No one's ever wanted to use it like that before.
- Status
Similar threads
- Locked
- Question