We use a custom shell script that gets called from .profile and sudo to do it here. When the user (helpdesk) logs in they are immediately dropped into a script for resetting passwords. The script uses sudo to do the work, and then the session exits.
Here it is. Note that it prevents resetting root, etc. You can add more userids if you have other ids that you want to prevent the script users from resetting; oracle, for example. Also, it forces the user to change their password on their next login.
The helpdesk user's .profile is also below. Note that it traps interrupts and exits immediately after the reset script finishes.
#######--- Cut here -- .profile
# Ignore interrupts so the helpdesk user cannot break out of the reset script
trap "" INT
stty erase ^H
export PATH=$PATH:/appbin/user_maint
# Run the reset script under sudo, then end the session
/usr/local/bin/sudo user_reset
exit
#######--- Cut here -- user_reset
#!/bin/ksh
## This script asks for a username and resets the password of the given user.

# Read a line from the user; 'q'/'quit' ends the script, an empty line
# falls back to the default passed as $1 (none is passed below).
get_response()
{
    read response
    case x"$response" in
        xQuit|xquit|xQUIT|xq|xQ)
            exit;;
        x)  response=$1;
            export response;;
    esac
}

# Refuse to touch system accounts and end the session
invalid_user()
{
    print
    print "***********************"
    print " You may not maintain unix system accounts"
    print "***********************"
    print
    exit
}

while : ;
do
    print
    print
    print
    print -n " Enter the UNIX Account to reset or 'q' to quit: "
    get_response
    UXUSER=$response
    if [ "$UXUSER" = "" ]
    then
        print -n "You must enter a user to reset: "
        continue
    else
        # Add further protected ids here (oracle, for example)
        case $UXUSER in
            root)     invalid_user ;;
            bin)      invalid_user ;;
            sys)      invalid_user ;;
            adm)      invalid_user ;;
            lp)       invalid_user ;;
            uucp)     invalid_user ;;
            nuucp)    invalid_user ;;
            listen)   invalid_user ;;
            nobody)   invalid_user ;;
            noaccess) invalid_user ;;
            nobody4)  invalid_user ;;
        esac
    fi
    # The post's listing ends above; the loop body is closed here following the
    # description in the post (reset the password, then force a change at next
    # login, which on Solaris is passwd -f). This part is reconstructed, not posted.
    passwd "$UXUSER"
    passwd -f "$UXUSER"
done
I've got it in /appbin/user_maint, but it's part of a larger script system contained there. You can put it wherever you want, just make sure that the path in .profile points to your chosen location.
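As an added example, not part of the original post or the poster's script system: the deny-list above only catches names that are spelled out in the case statement, and the input is passed straight to passwd. The function below, written for a POSIX shell, shows a stricter check that such a helper could call before running passwd. It rejects anything that is not a plain login name (so a value like "-f" can never reach passwd as an option), keeps the same deny-list, and also refuses any account whose UID is below a threshold by looking it up in a passwd(5)-format file. The names DENY_LIST, MIN_USER_UID, PASSWD_FILE, PASSWD_CMD, allowed_target and reset_account are my own, the UID threshold of 100 is an assumption, and the sample passwd file at the bottom is constructed for offline demonstration.

```shell
#!/bin/sh
# Added example: validate a password-reset target before calling passwd.
# Not the original poster's code; names and thresholds below are assumed.

# Accounts that may never be reset from the helpdesk tool (assumed list,
# taken from the case statement in the posted script).
DENY_LIST="root bin sys adm lp uucp nuucp listen nobody noaccess nobody4"

# Lowest UID treated as a regular user (assumed value; many systems reserve
# UIDs below 100 or below 1000 for system accounts).
MIN_USER_UID=100

# passwd(5)-format file to consult; a real deployment would leave the default.
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"

# Command used to change the password; overridable so the demo and tests
# never touch a real account.
PASSWD_CMD="${PASSWD_CMD:-passwd}"

# allowed_target NAME -> 0 if NAME may be reset, 1 otherwise (reason on stdout)
allowed_target() {
    name=$1
    if [ -z "$name" ]; then
        echo "no account given"; return 1
    fi
    # Only lowercase letters, digits, '_' and '-' are accepted, and the name may
    # not start with '-' (would be parsed as an option) or with a digit.
    case $name in
        *[!a-z0-9_-]*|-*|[0-9]*) echo "invalid account name: $name"; return 1 ;;
    esac
    for d in $DENY_LIST; do
        if [ "$name" = "$d" ]; then
            echo "you may not maintain unix system accounts"; return 1
        fi
    done
    # Look the account up; an unknown name is refused rather than passed on.
    uid=$(awk -F: -v u="$name" '$1 == u { print $3; exit }' "$PASSWD_FILE")
    if [ -z "$uid" ]; then
        echo "no such account: $name"; return 1
    fi
    if [ "$uid" -lt "$MIN_USER_UID" ]; then
        echo "uid $uid is reserved for system accounts"; return 1
    fi
    return 0
}

# reset_account NAME -> runs the reset only after validation. The second call
# forces a change at next login with the Solaris flag (-f); Linux uses -e.
reset_account() {
    allowed_target "$1" || return 1
    $PASSWD_CMD "$1" && $PASSWD_CMD -f "$1"
}

# Constructed sample passwd file for offline demonstration (not a real file).
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
oracle:x:90:90:Oracle owner:/export/home/oracle:/bin/ksh
jsmith:x:1001:10:J Smith:/export/home/jsmith:/bin/ksh
helpdesk:x:1002:10:Helpdesk reset account:/export/home/helpdesk:/bin/ksh
EOF
PASSWD_FILE=$SAMPLE_PASSWD
PASSWD_CMD="echo passwd"   # stub: prints the command instead of running it

# Demonstration of the checks against the sample file
for candidate in jsmith root "-f" oracle "jsmith;id" nosuchuser; do
    if allowed_target "$candidate" >/dev/null; then
        echo "$candidate: reset allowed"
    else
        echo "$candidate: refused ($(allowed_target "$candidate"))"
    fi
done
```

With the sample file, only jsmith is accepted: root is on the deny-list, oracle is refused by the UID threshold without having to be listed by name, "-f" and "jsmith;id" fail the name pattern, and an unknown name is refused before passwd ever sees it. On a real system the stub assignments to PASSWD_FILE and PASSWD_CMD would simply be removed.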
This script works great. I had to add a wait command at the beginning of the invalid_user subroutine, otherwise it wouldn't print out the message for some reason.
I couldn't use sudo, but created an account with root permission and changed their shell in the passwd file to the directory and path of the script.
It all seems to be working great. I've kicked the tires and tried to break it, but I can only change passwords and can't access anything else in the system.
Thanks a million!
- Stinney
Favorite all too common vendor responses: "We've never seen this issue before." AND "No one's ever wanted to use it like that before."