Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Restrict user to password resets only 1

Status
Not open for further replies.

Stinney

IS-IT--Management
Nov 29, 2004
2,029
US
Is there a way to create a user that can only access the system to do password resets?

- Stinney

Favorite all too common vendor responses: "We've never seen this issue before." AND "No one's ever wanted to use it like that before.
 
We use a custom shell script that gets called from .profile and sudo to do it here. When the user (helpdesk) logs in they are immediately dropped into a script for reseting passwords. The script uses sudo to do the work, and then the session exits.

HTH


 
Sounds cool, but over my head. But good information that we can bring back to the Unix gurus and ask them to develop.

- Stinney

Favorite all too common vendor responses: "We've never seen this issue before." AND "No one's ever wanted to use it like that before.
 
Here it is. Note that it prevents resetting root, etc. You can add more userids if you have other ids that you want to prevent the script users from resetting; oracle for example. Also, it forces the user to change their password on their next login.

The helpdesk user's .profile is also below. Note that it traps interrupts and exits immediately after the reset script finishes.


#######--- Cut here -- .profile
trap "" INT

stty erase ^H

export PATH=$PATH:/appbin/user_maint

/usr/local/bin/sudo user_reset

exit


#######--- Cut here -- user_reset
#!/bin/ksh

##This script asks for a username and resets the password of the given user.


get_response()
{
read response

case x"$response" in
xQuit|xquit|xQUIT|xq|xQ)
exit;;
x) response=$1;
export response;;
esac
}


invalid_user()
{

print
print "***********************"
print " You may not maintain unix system accounts"
print "***********************"
print
exit
}


while : ;
do
print
print
print
print -n " Enter the UNIX Account to reset or 'q' to quit: "
get_response

UXUSER=$response
if [ "$UXUSER" = "" ]
then
print -n "You must enter a user to reset: "
continue
else
case $UXUSER in
root) invalid_user ;;
bin) invalid_user ;;
sys) invalid_user ;;
adm) invalid_user ;;
lp) invalid_user ;;
uucp) invalid_user ;;
nuucp) invalid_user ;;
listen) invalid_user ;;
nobody) invalid_user ;;
noaccess) invalid_user ;;
nobody4) invalid_user ;;
esac
fi

print -n "resetting password for $UXUSER : "
print
/usr/bin/passwd $UXUSER
/usr/bin/passwd -f $UXUSER
done


_______
Linnorm
 
Linnorm,

What directory do I put the script in? Does it matter?

- Stinney

Favorite all too common vendor responses: "We've never seen this issue before." AND "No one's ever wanted to use it like that before.
 
I've got it in /appbin/user_maint, but it's part of a larger script system contained there. You can put it wherever you want, just make sure that the path in .profile points to your chosen location.



_______
Linnorm
 
Linnorm,

This script works great. I had to add a wait command at the begining of the invalid_user subroutine otherwise it wouldn't print out the message for some reason.

I counldn't use sudo, but created an account with root permission and changed their shell in the passwd file to the directory and path of the script.

It all seems to be working great. I've kicked the tires and tried to break it, but I can only change passwords and can't access anything else in the system.

Thanks a million!



- Stinney

Favorite all too common vendor responses: "We've never seen this issue before." AND "No one's ever wanted to use it like that before.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top