Setting up a sudo only account...How?

gharabed (Programmer), Sep 7, 2001
How do I set up a user where that user can only be sudo'd to and can't be logged into directly with a username and password through the login prompt? In other words, I want people to authenticate themselves and then, if they want to use this account, they would do a "sudo -u <username> bash".
 
I'm not sure that can be done. You may have to think in terms of creating a group.

 
Easy, don't set the password (optionally, don't even create a home directory), and don't give said user permission to passwd. Granted a password will exist, but it will be created at pseudo-random without any care for ease of remembrance. If someone did manage to log in as the user, there won't be any regular dot files to do all the useful stuff. And/or you could have a home directory with the .login containing only the logout command -- but I've never tried this.

Also, PAM might be able to be set up with the no login rule.

 
This can be handled relatively easily with some minor coding and a group creation.

1.) Create a group called GENERIC (or something equivalent).
2.) Make this the primary group of the user that should not be logged in to directly.
3.) Put some code in the system profile (/etc/profile) that
a.) Disables Control C, etc.
b.) Checks to see if "whoami" and "who am i" match.
c.) If so, checks for the GENERIC group; if found, displays a message that this account must be su'ed to.
d.) Logs that process out.
e.) If GENERIC is not found, turns Control C, etc. back on and proceeds with normal /etc/profile, etc. processing.

Here is some code that will do the above. Note that most /etc/profiles already have the appropriate trap statements to disable and re-enable control C, etc. processing - so the trap statements are not included here.

Code:
# Fragment for /etc/profile: refuse direct logins by members of GENERIC.
Generic_user ()
{
echo ""
echo ""
echo ""
echo "                This is a secured account!"
echo ""
echo ""
echo ""
echo "        You need to either su or su - to this account."
echo ""
echo ""
sleep 5
}

# whoami = the effective user; "who am i" = the user who actually logged in.
# They differ after su/sudo, so only a direct login trips the check.
username=`whoami | awk '{print $1}'`
rname=`who am i 2>/dev/null | awk '{print $1}'`
# Both values are quoted: "who am i" prints nothing without a tty, and an
# empty unquoted $rname would turn the test into a syntax error.
if [ "$rname" = "$username" ]
then
   # grep -w so a group such as GENERIC2 does not match by accident
   groups "$username" | grep -w GENERIC > /dev/null  && Generic_user && kill -9 $$
fi
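As an added example, not code from the thread, here is the same "refuse direct logins, allow su/sudo" check from the two replies above with the decision logic split out from the commands that gather the facts, so it can be exercised with constructed values instead of the live box. It assumes the GENERIC group name from the thread and the usual "who am i" and "groups" output formats.

```shell
#!/bin/sh
# Added example (not from the thread): /etc/profile fragment that refuses
# direct logins by members of the GENERIC group but lets "sudo -u <user> bash"
# and "su - <user>" through, since those arrive from another login session.

REFUSE_GROUP="GENERIC"   # constructed: the group name used in the thread

# direct_login_refused EFFECTIVE_USER LOGIN_USER "GROUP ..."
#   0 = this is a direct login by a restricted account (refuse it)
#   1 = reached via su/sudo, no tty, or the user is unrestricted (allow)
direct_login_refused() {
    eff_user=$1
    login_user=$2
    group_list=$3

    # "who am i" prints nothing without a controlling tty (cron, scp, sudo
    # from a script); treat that as "not a direct login" so such use survives.
    [ -n "$login_user" ] || return 1

    # Login name differing from the effective name means su/sudo was used,
    # which is exactly what the account exists for.
    [ "$login_user" = "$eff_user" ] || return 1

    for g in $group_list; do
        [ "$g" = "$REFUSE_GROUP" ] && return 0
    done
    return 1
}

# Live use from an interactive login shell. Assumes "who am i" prints
# "user tty date" and "groups" prints space-separated group names,
# optionally prefixed with "user :" as GNU coreutils does.
enforce_direct_login_ban() {
    eff=$(whoami)
    login=$(who am i 2>/dev/null | awk '{print $1}')
    grp=$(groups "$eff" 2>/dev/null | sed 's/^[^:]*://')
    if direct_login_refused "$eff" "$login" "$grp"; then
        echo "Secured account: use 'sudo -u $eff bash' or 'su - $eff'." >&2
        sleep 5
        kill -9 $$   # end the login shell, as the thread's snippet does
    fi
}
```

Call enforce_direct_login_ban from /etc/profile; the exact-name comparison also means a GENERIC-like group such as GENERIC2 is not matched.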
 