[K12OSN] OT - More scripting help

Ray Garza garza.r.tx at gmail.com
Tue Nov 6 16:18:11 UTC 2007


Dimitri Yioulos wrote:
> Folks,
>
> Sincere apologies if I'm asking questions here that really veer away from 
> K12LTSP, but I've always gotten great, timely responses from you extremely 
> bright people, and so, I go back to the well :-)  .  Hopefully, the 
> questions/responses are useful to others.
>
> As I noted in a previous post, I've created a script for our high school 
> intern that allows him to do certain tasks, such as create accounts, change 
> user passwords, etc.  I've given access to the appropriate commands via sudo, 
> and have added the script path and "exit" to the intern's .bash_profile so 
> that at login, he goes directly into a script-generated menu, and upon 
> leaving the menu, he goes back to a login prompt.  It all works quite well.
>
> Well, almost.  A bugaboo that I found was that the intern could change root's 
> password!  Not that I don't trust the lad, but I reckon it's just not good 
> policy to allow that.  But, how to prevent?  I tried the following in his 
> sudo profile (found the Cmnd_Alias "trick" on the Net):
>
> Cmnd_Alias      PWR=/usr/bin/passwd *root*
> Cmnd_Alias      PW=/usr/bin/passwd [!-]?*
>
> user ALL= NOPASSWD: /usr/sbin/useradd, 
> PW, !PWR, /bin/mkdir, /bin/chown, /bin/chmod, /bin/sed, /bin/cp, /bin/rm, /etc/rc.d/init.d/httpd, /usr/local/test4.sh
>
> Didn't work - the intern could still change root's pw.  I 
> tried "/usr/bin/passwd !root" - n.g.  I tried the following in my script (not 
> sure about the if/elif/else construct):
>
>         2)
>
>                 read -p "Enter username: " USERNAME
>                 egrep "^$USERNAME" /etc/passwd >/dev/null
>                 if [ $? -ne 0 ]; then
>                         echo
>                         echo "User $USERNAME doesn't exist! Create the user first"
>                 elif [[ $? == "root" ]]; then
>                         echo
>                         echo "You're not allowed to change root's password"
>                 else
>                         sudo /usr/bin/passwd $USERNAME
>                         [ $? -eq 0 ] && echo "Password changed!"
>                 fi
>                 echo
>                 echo "Press Enter key" ; read ;;
>
> Still no joy - root's pw could be changed.  Arrrgh!
>
> How can I keep the intern from changing root's password?  Your help is most 
> appreciated.
>
> Dimitri
>
>   
The $? is numeric, not alphanumeric. Change the line
elif [[ $? = "root" ]]; then

to

elif [[ $USERNAME = "root" ]]; then

and it should work.

Ray
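The corrected check as a self-contained menu helper, added here as an example and not code from Ray or Dimitri. It tests the username itself rather than `$?`, matches the account name exactly (`^name` alone would also accept prefixes such as "roo"), and goes a step further than the thread by refusing any UID-0 account, not just the name "root". `PASSWD_FILE` is an assumed override so the check can be exercised against a constructed passwd file instead of the real /etc/passwd.

```shell
#!/bin/sh
# PASSWD_FILE defaults to the real file; tests point it at a constructed copy.
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"

# check_target_user NAME
#   returns 0 if NAME is an ordinary account
#           1 if NAME does not exist
#           2 if NAME is root or any other UID-0 account
#           3 if NAME is empty, starts with "-", or has odd characters
check_target_user() {
    name="$1"
    case "$name" in
        ''|-*|*[!a-z0-9._-]*) return 3 ;;
    esac
    # Exact match on the first field; awk exits 1 when no line matched.
    uid=$(awk -F: -v u="$name" \
        '$1 == u { print $3; found = 1 } END { exit found ? 0 : 1 }' \
        "$PASSWD_FILE") || return 1
    if [ "$name" = "root" ] || [ "$uid" = "0" ]; then
        return 2
    fi
    return 0
}

# Menu action: passwd is only reached after the checks above pass.
change_password_menu() {
    printf 'Enter username: '
    read -r USERNAME
    check_target_user "$USERNAME"
    case $? in
        0) sudo /usr/bin/passwd "$USERNAME" && echo "Password changed!" ;;
        1) echo "User $USERNAME doesn't exist! Create the user first" ;;
        2) echo "You're not allowed to change root's password" ;;
        *) echo "Invalid username" ;;
    esac
}
```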
