
Script for disabling users (follow up for creating user)

Just to follow up on my blog posting of the creating-users script, I give you my script for disabling users (related scripts may follow). So without further ado, here we go:

# die, lockit and unlockit are helper functions this post relies on but does not show;
# they must be defined (or sourced) before the script runs.
PATH=$PATH:/usr/local/bin:/usr/bin:/usr/sbin:/sbin
PGM=`basename $0`

if [ $(id -u) -eq 0 ]; then
    # Logging information
    DATESTAMP=`date +%Y%m%d`
    TIMESTAMP=`date +%H%M%S`
    LOGDIR=/var/log/$PGM
    # Find out who I am, and what machine this is (HOST is not set by sh itself)
    ME=`whoami`
    HOST=`hostname`

    while [ $# -ge 1 ] ; do
        case $1 in
            -h*) echo "Use: $PGM account"
                 exit ;;
            -*)  die "$PGM: unknown option '$1'" ;;
            *)   USER_TO_DIS=$1 ;;
        esac
        shift
    done

    # If no user is defined we have to get one
    while [ "$USER_TO_DIS" = "" ] ; do
        echo -n "Who do you want to disable? "
        read USER_TO_DIS || die "" 0
    done

    # check to be sure that the person has an account on the local machine
    egrep -s "^${USER_TO_DIS}:" /etc/passwd >/dev/null
    case $? in
        0)
            echo "Disabling from password file"
            lockit passwd.lock
            # copy every other entry, then append the user's entry with the password field replaced
            egrep -v "^${USER_TO_DIS}:" /etc/passwd >/tmp/passwd.tmp
            egrep "^${USER_TO_DIS}:" /etc/passwd | awk -F: '{print $1 ":*DISABLED*:" $3 ":" $4 ":" $5 ":" $6 ":" $7}' >>/tmp/passwd.tmp
            # install the new file only if it differs (same check as the group branch below;
            # the original ran ed on the temp file here, which discarded the new file on success)
            cmp /etc/passwd /tmp/passwd.tmp >/dev/null
            case $? in
                0) rm /tmp/passwd.tmp ;;
                *) mv /tmp/passwd.tmp /etc/passwd ;;
            esac
            chmod a-w /etc/passwd
            chmod a+r /etc/passwd
            unlockit passwd.lock
            ;;
        1)
            echo "$PGM: $USER_TO_DIS Does not have an account on $HOST"
            ;;
    esac

    # the user may also appear as a member of one or more groups
    egrep -s "[:,]${USER_TO_DIS}$|[:,]${USER_TO_DIS}," /etc/group >/dev/null
    case $? in
        0)
            echo "Disabling from group file"
            lockit group.lock
            # prefix the member name with X, whether it is in the middle or at the end of the list
            sed -e "s/\([:,]\)${USER_TO_DIS},/\1X${USER_TO_DIS},/" \
                -e "s/\([:,]\)${USER_TO_DIS}$/\1X${USER_TO_DIS}/" /etc/group >/tmp/group.tmp
            cmp /etc/group /tmp/group.tmp >/dev/null
            case $? in
                0) rm /tmp/group.tmp ;;
                *) mv /tmp/group.tmp /etc/group
                   #/etc/dist/bin/mail-group
                   ;;
            esac
            chmod a-w /etc/group
            chmod a+r /etc/group
            unlockit group.lock
            ;;
        1)
            echo "$PGM: $USER_TO_DIS Does not have a group entry on $HOST"
            ;;
    esac

    # remove any left over mail spool file
    rm -f /var/mail/${USER_TO_DIS}

    # insure log directory exists
    test -d $LOGDIR || mkdir -p $LOGDIR
    LOGFILE=$LOGDIR/$DATESTAMP

    # log what we do
    echo "$TIMESTAMP-$ME $USER_TO_DIS" >>$LOGFILE
    exit
else
    echo "Only root may run $PGM"
    exit 2
fi

Any feedback is quite helpful, and any input to make the script better is welcome. Later I'll post some scripts for quarterly changes, enabling disabled users, and a few other things I've been putting together lately. I hope this series will be helpful.



About the Author

I am ben kevan.. Well yeah.. that's about it.

Comments (5)


  1. Marcus Meissner says:

    What about just using

    userdel -r username

    ?

  2. ben.kevan says:

    Sorry about that. I used the wrong title. This is actually used to disable a user by adding X in front of the name. I disable the user for a quarter, and every quarter I run a script that then deletes a user that is connected out (with the X). This allows me to enable an account if a user did not leave. Again, reporting for an enterprise environment for controls for SOX.

    I'll modify the title since it should be "disable user". Thanks.

  3. thomas says:

    Hi,
    USER_TO_DIS can contain shell meta-chars which leads to execution of commands embedded in the user's name... unlikely. But what about a local user owning/modifying /tmp/passwd.tmp to add their own root account?

    bye
    thomas

  4. ben.kevan says:

    Hi Thomas,

    Great suggestions. Since you must be root while running this script, I guess I am relying on the sysadmins (currently only me, but this is being built with expansion of our environment in mind) to use them correctly. The /tmp/passwd.tmp is written as root, thus a regular local user cannot modify it in the process (I'll verify that).

    I will also try to inject some commands in USER_TO_DIS to see if I should disallow some characters, probably just `. Thanks for the suggestions; that's exactly the type of feedback I was looking for.
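The two points thomas raises (an unvalidated account name, and a predictable root-written file under /tmp) and the character check ben.kevan says he will look into, as an added example that is not the post's script and not the author's code. It assumes a POSIX sh with mktemp, cmp and awk, and takes the passwd/group file path as an argument so it can be exercised on a copy before touching /etc.

```shell
#!/bin/sh
# Added example, not the post's own script: the same two edits it makes (password
# field set to *DISABLED*, member name prefixed with X in the group file) with the
# name validated first and the new file staged next to its destination, not in /tmp.

# Accept only a conservative, portable login name. The value is later used only for
# exact string comparison inside awk, so it can never act as a regex or a shell word.
valid_username() {
    case $1 in
        '' | [!a-z_]* | *[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# edit_file FILE AWKPROGRAM NAME: run AWKPROGRAM over FILE with awk variable u=NAME,
# write the result to a 0600 temp file in FILE's own directory (unguessable name,
# same filesystem, so the final mv is an atomic rename) and install it only when the
# content changed. Returns 0 if FILE was replaced, 1 if unchanged, 2 on a bad name.
edit_file() {
    file=$1 prog=$2 name=$3
    valid_username "$name" || { echo "invalid account name" >&2; return 2; }
    old_umask=$(umask)
    umask 077
    tmp=$(mktemp "$(dirname "$file")/.edit.XXXXXX") || return 3
    umask "$old_umask"
    awk -F: -v u="$name" "$prog" "$file" >"$tmp" || { rm -f "$tmp"; return 3; }
    if cmp -s "$file" "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    chmod 644 "$tmp" && mv "$tmp" "$file"   # 0644 is the usual mode for both files
}

# passwd: field 2 of the line whose login (field 1) equals the name becomes *DISABLED*.
disable_passwd_entry() {
    edit_file "$1" 'BEGIN { OFS = ":" }
        $1 == u { $2 = "*DISABLED*" }
        { print }' "$2"
}

# group: in the member list (field 4) of every group, a member equal to the name is
# renamed X<name>, matching the X marker the original sed expressions add.
disable_group_member() {
    edit_file "$1" 'BEGIN { OFS = ":" }
        { n = split($4, m, ","); s = ""
          for (i = 1; i <= n; i++) { if (m[i] == u) m[i] = "X" u; s = s (i > 1 ? "," : "") m[i] }
          $4 = s; print }' "$2"
}
```

Run as root against /etc/passwd and /etc/group, the same lockit/unlockit bracketing the post uses around each edit still applies; this only replaces the middle step.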

  5. There is a lot that we do not know; could you tell us more?
