
Script for disabling users (follow-up to the creating-users script)

To follow up on my blog posting of the creating-users script, here is my script for disabling users (further scripts in the series may follow). So without further ado, here we go:

#!/bin/sh
PATH=$PATH:/usr/local/bin:/usr/bin:/usr/sbin:/sbin
PGM=`basename $0`
HOST=`hostname`

# Small helpers the script relies on (the listing as first posted left them undefined)
die() { [ -n "$1" ] && echo "$1" >&2; exit ${2:-1}; }
lockit() { until mkdir "/var/run/$1" 2>/dev/null; do sleep 1; done; }
unlockit() { rmdir "/var/run/$1"; }

if [ $(id -u) -eq 0 ]; then

    # Logging information
    DATESTAMP=`date +%Y%m%d`
    TIMESTAMP=`date +%H%M%S`
    LOGDIR=/var/log/$PGM

    # Find out who I am
    ME=`whoami`

    while [ $# -ge 1 ] ; do
        case $1 in
            -h*)
                echo "Use: $PGM account"
                exit
                ;;
            -*) die "$PGM: unknown option \"$1\"" ;;
            *) USER_TO_DIS=$1 ;;
        esac
        shift
    done

    # If no user is defined we have to get one
    while [ "$USER_TO_DIS" = "" ] ; do
        echo -n "Who do you want to disable? "
        read USER_TO_DIS || die "" 0
    done

    # check to be sure that the person has an account on the local machine
    egrep -s "^${USER_TO_DIS}:" /etc/passwd >/dev/null
    case $? in
        0)
            echo "Disabling from password file"

            lockit passwd.lock

            # copy every line except the user's, then append the user's line
            # with the password field replaced by *DISABLED*
            egrep -v "^${USER_TO_DIS}:" /etc/passwd >/tmp/passwd.tmp
            egrep "^${USER_TO_DIS}:" /etc/passwd | \
                awk -F: '{print $1 ":*DISABLED*:" $3 ":" $4 ":" $5 ":" $6 ":" $7}' >>/tmp/passwd.tmp

            # prefix the login name with X so the account no longer matches
            ed /tmp/passwd.tmp <<EOF
/^${USER_TO_DIS}:/s/^${USER_TO_DIS}:/X${USER_TO_DIS}:/p
w
q
EOF

            cmp /etc/passwd /tmp/passwd.tmp >/dev/null
            case $? in
                0) rm /tmp/passwd.tmp ;;
                *)
                    mv /tmp/passwd.tmp /etc/passwd
                    ;;
            esac
            chmod a-w /etc/passwd
            chmod a+r /etc/passwd
            unlockit passwd.lock
            ;;
        1)
            echo "$PGM: $USER_TO_DIS does not have an account on $HOST"
            ;;
    esac

    egrep -s "[:,]${USER_TO_DIS}$|[:,]${USER_TO_DIS}," /etc/group >/dev/null
    case $? in
        0)
            echo "Disabling from group file"

            lockit group.lock

            # prefix the member name with X wherever it appears in a member list
            sed -e "s/\([:,]\)${USER_TO_DIS},/\1X${USER_TO_DIS},/" \
                -e "s/\([:,]\)${USER_TO_DIS}$/\1X${USER_TO_DIS}/" \
                /etc/group >/tmp/group.tmp

            cmp /etc/group /tmp/group.tmp >/dev/null
            case $? in
                0) rm /tmp/group.tmp ;;
                *)
                    mv /tmp/group.tmp /etc/group
                    #/etc/dist/bin/mail-group
                    ;;
            esac
            chmod a-w /etc/group
            chmod a+r /etc/group
            unlockit group.lock
            ;;
        1)
            echo "$PGM: $USER_TO_DIS does not have a group entry on $HOST"
            ;;
    esac

    # remove any left over mail spool file
    rm -f /var/mail/${USER_TO_DIS}

    # insure log directory exists
    test -d $LOGDIR || mkdir -p $LOGDIR
    LOGFILE=$LOGDIR/$DATESTAMP

    # log what we do
    echo "$TIMESTAMP-$ME $USER_TO_DIS" >>$LOGFILE

    exit
else
    echo "Only root may run $PGM"
    exit 2
fi

Any feedback is helpful, and input to make the script better is welcome. Later I'll post some scripts for quarterly changes, enabling disabled users, and a few other things I've been putting together lately. I hope this series will be helpful.



About the Author

I am ben kevan.. Well yeah.. that's about it.

Comments (5)


  1. Marcus Meissner says:

    What about just using

    userdel -r username

    ?

  2. ben.kevan says:

    Sorry about that. I used the wrong title.. This is actually used to disable a user by adding X in front of the name. I disable the user for a quarter, and every quarter I run a script that then deletes a user that is connected out (with the X). This allows me to enable an account if a user did not leave. Again, reporting for an enterprise environment for controls for SOX.

    I'll modify the title since it should be "disable user". Thanks.

  3. thomas says:

    hi,
    USER_TO_DIS can contain shell meta-chars which leads to execution of commands embedded in the user’s name… unlikely. but what about local user owning/modifying /tmp/etc/passwd.tmp to add their own root account?

    bye
    thomas

  4. ben.kevan says:

    Hi Thomas,

    Great suggestions. Since you must be root while running this script, I guess I am relying on the sysadmins (currently only me, but this is being built with expansion of our environment in mind) to use them correctly. The /tmp/passwd.tmp is written as root, thus a regular local user cannot modify it in the process (I'll verify that).

    I will also try to inject some commands in USER_TO_DIS to see if I should disallow some characters.. probably just ` .. thanks for the suggestions.. that’s exactly the type of feedback I was looking for.
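Both points thomas raises (a user name that reaches egrep, sed, awk and ed unvalidated, and a staging file in world-writable /tmp that is later moved over /etc/passwd) can be closed without changing what the script does. The block below is an added example, not Ben's script or a revision of it: it keeps the same X-prefix and *DISABLED* rewrite, but checks the name against the portable user-name form before any pattern is built, passes it to awk through -v rather than splicing it into the program text, and stages the new file with mktemp in the target's own directory so it is created 0600 with O_EXCL by root and renamed into place in one step. The function names valid_username, disable_passwd_entry, disable_group_entry and install_atomically are hypothetical, and the demo works on constructed passwd/group copies in a scratch directory so it runs without root.

```shell
#!/bin/sh
# Added example, not the post's script: the same X-prefix / *DISABLED*
# rewrite, but with the user name validated before it touches any pattern
# and the new file staged next to its target instead of in /tmp.
# All four function names are hypothetical.
LC_ALL=C; export LC_ALL   # fixed collation so [a-z] means exactly a..z

# Accept only the portable user-name form: a lowercase letter or underscore,
# then lowercase letters, digits, underscore or hyphen, at most 32 chars.
# Backticks, $(...), spaces, slashes and a leading '-' all fail here, so the
# name can never be read as a regex, an awk program or a command option.
valid_username() {
    case "$1" in
        '' | *[!a-z0-9_-]* | [!a-z_]*) return 1 ;;
    esac
    [ ${#1} -le 32 ]
}

# passwd-format file $2 -> stdout: the user's login gets an X prefix and the
# password field becomes *DISABLED*; every other line is copied unchanged.
# Exit 1 if the user was not present, 2 on a bad name. The name goes in
# through -v, never spliced into the program text.
disable_passwd_entry() {
    valid_username "$1" || return 2
    awk -F: -v OFS=: -v u="$1" '
        $1 == u { $1 = "X" u; $2 = "*DISABLED*"; hit = 1 }
        { print }
        END { if (hit) exit 0; exit 1 }
    ' "$2"
}

# group-format file $2 -> stdout: every membership of the user (field 4,
# comma separated) gets the X prefix; group names themselves are untouched.
disable_group_entry() {
    valid_username "$1" || return 2
    awk -F: -v OFS=: -v u="$1" '
        {
            n = split($4, m, ","); changed = 0
            for (i = 1; i <= n; i++)
                if (m[i] == u) { m[i] = "X" u; changed = 1; hit = 1 }
            if (changed) {
                out = m[1]
                for (i = 2; i <= n; i++) out = out "," m[i]
                $4 = out
            }
            print
        }
        END { if (hit) exit 0; exit 1 }
    ' "$2"
}

# Run "$@" with stdout into a mktemp file created in the target's own
# directory (for /etc/passwd that is root-owned /etc, not /tmp), then rename
# it over the target. mktemp creates the file 0600 with O_EXCL, so nobody can
# pre-create it, and rename(2) means readers never see a half-written file.
# On failure the temp file is removed and the target is left untouched.
install_atomically() {
    target=$1; shift
    tmp=$(mktemp "$(dirname "$target")/.$(basename "$target").XXXXXX") || return 1
    "$@" > "$tmp"
    rc=$?
    if [ $rc -ne 0 ]; then
        rm -f "$tmp"
        return $rc
    fi
    chmod 0644 "$tmp" && mv -f "$tmp" "$target"
}

# Stand-alone demo on constructed passwd/group copies in a scratch directory.
demo() {
    scratch=$(mktemp -d) || return 1
    printf 'root:x:0:0:root:/root:/bin/sh\nalice:x:1001:1001:Alice:/home/alice:/bin/sh\n' > "$scratch/passwd"
    printf 'wheel:x:10:alice,bob\nalice:x:1001:\n' > "$scratch/group"
    valid_username 'alice`id`' || echo "rejected: alice\`id\`"
    install_atomically "$scratch/passwd" disable_passwd_entry alice "$scratch/passwd"
    install_atomically "$scratch/group" disable_group_entry alice "$scratch/group"
    cat "$scratch/passwd" "$scratch/group"
    rm -rf "$scratch"
}
demo
```

In production the calls would be install_atomically /etc/passwd disable_passwd_entry "$USER_TO_DIS" /etc/passwd and the same for /etc/group, under whatever lock the site uses. One caveat that applies to Ben's script as much as to this one: on a system with shadow passwords the second field of /etc/passwd is only x, so *DISABLED* there is a label for the sysadmin; the rename is what actually stops logins.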

  5. There are a lot that we do not know, could you tell us more?
