[K12OSN] OT - More scripting help
Ray Garza
garza.r.tx at gmail.com
Tue Nov 6 16:18:11 UTC 2007
Dimitri Yioulos wrote:
> Folks,
>
> Sincere apologies if I'm asking questions here that really veer away from
> K12LTSP, but I've always gotten great, timely responses from you extremely
> bright people, and so, I go back to the well :-) . Hopefully, the
> questions/responses are useful to others.
>
> As I noted in a previous post, I've created a script for our high school
> intern that allows him to do certain tasks, such as create accounts, change
> user passwords, etc. I've given access to the appropriate commands via sudo,
> and have added the script path and "exit" to the intern's .bash_profile so
> that at login, he goes directly into a script-generated menu, and upon
> leaving the menu, he goes back to a login prompt. It all works quite well.
>
> Well, almost. A bugaboo that I found was that the intern could change root's
> password! Not that I don't trust the lad, but I reckon it's just not good
> policy to allow that. But, how to prevent? I tried the following in his
> sudo profile (found the Cmnd_Alias "trick" on the Net):
>
> Cmnd_Alias PWR=/usr/bin/passwd *root*
> Cmnd_Alias PW=/usr/bin/passwd [!-]?*
>
> user ALL= NOPASSWD: /usr/sbin/useradd,
> PW, !PWR, /bin/mkdir, /bin/chown, /bin/chmod, /bin/sed, /bin/cp, /bin/rm, /etc/rc.d/init.d/httpd, /usr/local/test4.sh
>
> Didn't work - the intern could still change root's pw. I
> tried "/usr/bin/passwd !root" - n.g. I tried the following in my script (not
> sure about the if/elif/else construct):
>
> 2)
>
> read -p "Enter username: " USERNAME
> egrep "^$USERNAME" /etc/passwd >/dev/null
> if [ $? -ne 0 ]; then
> echo
> echo "User $USERNAME doesn't exist! Create the user
> first"
> elif [[ $? == "root" ]]; then
> echo
> echo "You're not allowed to change root's password"
> else
> sudo /usr/bin/passwd $USERNAME
> [ $? -eq 0 ] && echo "Password changed!"
> fi
> echo
> echo "Press Enter key" ; read ;;
>
> Still no joy - root's pw could be changed. Arrrgh!
>
> How can I keep the intern from changing root's password? Your help is most
> appreciated.
>
> Dimitri
>
>
The $? is numeric, not alphanumeric. Change the line
elif [[ $? = "root" ]]; then
to
elif [[ $USERNAME = "root" ]]; then
and it should work.
Ray
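
A stricter form of the username check discussed in this thread, as an added example that is not part of the original messages: it matches the login name exactly, rejects names that could be read as options or patterns, and refuses root, any other UID-0 account and system accounts. The function name `check_target`, the variable `MIN_UID` and its value 500 are assumptions, and the passwd data is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. check_target and MIN_UID are
# hypothetical names; 500 is an assumed first regular-user UID.
MIN_UID=500

# check_target USERNAME [PASSWD_FILE]
# 0 = allowed, 1 = malformed name, 2 = no such user, 3 = protected account
check_target() {
    name=$1
    file=${2:-/etc/passwd}

    # Plain account names only: no leading dash (would be read as a
    # passwd option), no spaces, globs or regex metacharacters.
    case $name in
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac

    # Exact match on the login field (egrep "^$USERNAME" is a prefix match).
    uid=$(awk -F: -v u="$name" '$1 == u { print $3; exit }' "$file")
    [ -n "$uid" ] || return 2

    # Refuse root by name, any other UID-0 account, and system accounts.
    [ "$name" != root ] && [ "$uid" -ge "$MIN_UID" ] || return 3
    return 0
}

# Constructed sample data, not a real system's passwd file.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second uid 0 account:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
rooter:x:501:501::/home/rooter:/bin/bash
jsmith:x:502:502::/home/jsmith:/bin/bash
EOF

for u in jsmith rooter root toor apache roo -d 'j*'; do
    rc=0
    check_target "$u" "$SAMPLE" || rc=$?
    printf '%-7s -> %s\n' "$u" "$rc"
done
rm -f "$SAMPLE"
```

In the menu the call would be `check_target "$USERNAME" && sudo /usr/bin/passwd "$USERNAME"`. The check guards only the menu path; sudo itself still permits whatever the sudoers entry matches.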