I was wondering if it was possible to override the SKEL property when adding a user in Linux.
Man page gives me everything to change dynamically any property (SHELL, HOME, ...) but not SKEL.
What I want to do is find a way to assign one profile or another to the users I'm creating.
For instance, I need to create a user with a .profile in which VAR=value1, and another user with a .profile in which VAR=value2. My idea was to create different SKEL, one for those who need VAR=value1, another for those needing VAR=value2, and simply execute adduser ... -D -magic_option /SKEL/for/value1 or adduser ... -D -magic_option /SKEL/for/value2. But -magic_option doesn't seem to exist.
Any suggestion?
Of course, just use the -k option in useradd:
-k, --skel SKEL_DIR
The skeleton directory, which contains files and directories to be
copied in the user's home directory, when the home directory is
created by useradd.
This option is only valid if the -m (or --create-home) option is
specified.
If this option is not set, the skeleton directory is defined by the
SKEL variable in /etc/default/useradd or, by default, /etc/skel.
If possible, the ACLs and extended attributes are copied.
So you can create your /my/skel_for_users and /my/other_skel_for_users and use either of them whenever creating one.
Related
I have a script in a user /home directory and I want to execute this script with an other user.
The script is in UserA home :
/home/UserA/command/command.sh
I want to execute this script with /home/UserB
What I did and wanted to know if there is an easier way to do it , is :
I gave the right to write and execute on this directory to other (chmod 703): /home/UserA/command
Is there a way to give the right only to UserB instead of other ?
In /home/UserB/.bash_profile , I added in the path /home/UserA/command
Another problem, I have, is that in the script command.sh, I use a variable $LISTPATH ($HOME/List) and this variable is defined in the UserA .bash_profile.
So when I start the script from /home/UserB, this variable is always empty.
Do I need to also add this variable in the .bash_profile of UserB:
$LISTPATH=/home/UserA/List
Thanks for your help
What a mess!
In my opinion:
You can create a group which UserB belongs to so you can assign this group to /home/userA/command and set right permission (such as chmod 730 /home/userA/command).
You better put the variable $LISTPATH on the top of your script.
Anyway, I think you better reorganize your project, you better put the script in /opt/< some subfolder>... instead of /home/userA/command.
I have a unix command 'abc' which gives me an output
This abc lies on my server.
But when i run this command from server, i want to restrict the output of it to be seen by people.
By the above statement , i meant..
For eg. If i say:
ls dirname
I can see the output of the above command on the console.
So, if the command is run from command-line, i dont want to have echoed on the console. I cant use /dev/null as I am using the same command from my program where I need the output to be assigned to a variable and then use it further in my application.
However, I want to get the output of this command when I call this from my program.
How can I differentiate the call in this regard.
The command whoami gives you the current logged user, and the command last -i outputs information of the last logged users in the system, including the IP address (3rd column) and the timestamp or a string stating that the user is stil logged in.
With that in mind you could pipe these commands:
last -i | grep $(whoami) | grep 'still logged in'
which will provide an output like this:
(username) pts/2 0.0.0.0 Wed Dec 23 18:58 still logged in
(username) :0 0.0.0.0 Wed Dec 23 11:13 still logged in
so if you are running a shell in the same host, the IP will be 0.0.0.0 and different otherwise. You can extract the IP string by piping awk at the end of the command.
However, addhering to the philosophy in unix systems of Do One Thing and Do It Well, I'd suggest a different approach, split your command into 2 different commands:
A command to be used by the clients, where the output is whatever you
want the clients to see
Another command (offering 2 options, since there isnt much detail in the question):
Either extending the first command, adding the additional output, and using this one from your application
Or just generating the additional output, and using a combination of the 2 commands from your application
Some of the benefits you can get by following this approach:
Performing checks to verify where the command was issued from, is no longer necessary
Avoid coupling issues
Easier to maintain
Updated: added the means to extract the IP of the current user at the beggining of the answer.
You were a little vague on the complete setup, so I'll have to infer a few things. Since you mentioned, "my" server, I assume you can set permissions on files, change ownership on files, etc (e.g. you can become root).
I also have to infer that the target abc program just produces some output and doesn't need to modify any files to speak of [other than (e.g.) /tmp/temp.$$]
As an example, let's do this from your home directory. Move the program abc to $HOME/private_bin and set the directory permission to 700 which means that only you can execute it.
Create a second directory: $HOME/public_bin that has normal permissions. Create a "launcher" program [let's call it abcpub] and put it in this directory. Set the permissions of abcpub to 4741. It's now a setuid program. Note that any non-root user may do this for files they own. It is not like creating a sudo because an ordinary user would need to do chown root ...
Now we're set ...
You can access the real abc program anytime you want. Others have no direct access to abc.
The launcher abcpub will allow others to have access to abc, but the launcher can apply whatever restrictions you desire: including no access, output to /dev/null, etc. abcpub can look at getuid and geteuid to determine who is executing it [you or somebody else]
We did the above example using your own uid and home directory. But, we can repeat the process by creating an "abc" user in /etc/passwd and a /home/abc. The abc user could be set up with a shell of /sbin/nologin. Thus, it's similar to nobody and it can't hurt anything.
It may be even better doing this by creating a setgrp program instead of setuid as that allows better comingling. The original user could retain their user permissions but still get access via the new group.
Also, it may be possible to configure sudo to get what you want.
Assuming node is running as root, how do I:
Add a new local (OS) user account and get its uid?
Delete an account by name?
The accounts will be used for daemon processes, so they needn't be full-fledged user accounts.
Doing this on Linux is priority one, doing it on OS X would be nice, and super bonus for supporting Windows.
On Linux, I suppose you could just spawn useradd, but how would you determine the new user's uid? Would it be better (or worse) to modify /etc/passwd and friends directly?
On Windows, it looks like NetUserAdd is the right place to look; has someone already written an addon to call it?
For Linux, once you've created the account with useradd, you could call getent passwd <username> to see all the main relevant account details, including, in the 3rd field, the uid.
Example:
# useradd -c "Jamie Carter" jamiec
# getent passwd jamiec
yields:
jamiec:x:2722:500:Jamie Carter:/home/jamiec:/bin/false
To grab the uid in a one liner, you could combine the cut command to grab the 3rd field while treating : as the delimiter:
$ getent passwd jamiec | cut -d: -f 3
2722
Generally it's much safer and easier not to manipulate /etc/passwd and friends directly. Most of what you would need to do is likely already in a system command somewhere. For example, userdel <username> will delete an account by name from /etc/passwd, but also takes care of removing the user from /etc/groups so you don't have orphaned information left there. (You would have to deal with this yourself if you wrote your own user-deleter.)
This is a big & broad question (MacOS, Windows, Linux all together), but to create a new user from the command line on the Macintosh is not trivial and would require you to be authenticated as root / admin.
I've created a new whoami command which requires a fake username and have put it in the PATH by adding it to ~/.profile . It is created in a way that whoami is called before actual the actual whoami from Linux.
The main reason to do this is because I am remote accessing a Hadoop cluster and want the copied files to be under the fake username.
This works fine when I call whoami in the shell and even calling $PATH shows the path to my created whoami before everything else. But for some reason, when Hadoop is called, it doesn't pick the created `whoami'.
Can someone help me with how to fix this?
thanks
Most applications do not use whoami to determine a user's username or group. For instance, in bash you can use the command id to find more detailed information about yourself or id [username] (such as id root) to find out more detailed information about other users. Groups can be found with groups as well. Also, different programming languages, such as C, have their own methods of determining user identities such as the getuid() command.
If you really "need" to go as far as faking your user account, you'll need to go down to OS level and create hooks into the kernel/API that handles those methods.
Is it possible that you simply chown the files after they are copied instead?
UPDATE:
It appears that some releases of Hadoop do actually use whoami (my own implementation w/ clustering does not).
In this event, the best (a term loosely used) suggestion would be to move the legitimate whoami executable and create a whoami shell script that goes in it's place. The custom script should validate the current user and if it's "hadoop", return whatever faked username you want - otherwise return valid output. Igor's answer would work in this case.
I suppose that hadoop uses other PATH variable then you have in your shell.
You can tune its PATH and add the directory with fake whoami to its beginning.
When it is impossible,
you can write a small wrapper for whoami (I'm not sure that it is a good idea but you can do this if you want) that will run original whoami except when the script is executed by hadoop:
#!/bin/sh
WHOAMI=/bin/whoami.orig
if [ "$($WHOAMI)" = hadoop ]
then
echo fake
else
exec $WHOAMI "$#"
fi
When I tried to simulate the permission system under Linux, some strange things came about.
I created a directory 'main' by user 'normal', and created directory 'aha' which permission is 700 using root.
so the owner of 'main' is 'normal', if the permission is 755, I can delete 'aha' just using 'normal' user although its owner is root.
but when i put a file in 'aha', everything is changed. I can not remove 'aha' due to there's still a file in it.
so, my question is, since 'aha' is 700 by root, how can 'normal' know it's empty or not?
My further question is : what does read permission of a directory really mean?
Think of a UNIX directory as a drawer of index cards in the library catalog.
In order to know what books there are, you need read permission on the "drawer". In order to create or remove new "books", you need write permissions (which give you ability to put new cards, or remove existing cards from the drawer). In order to "traverse" the directory to a lower level "sub-drawer", you need execute permission on the drawer itself.
If you already know that book /foo/bar/baz exists, you don't need read permissions on /, /foo or /foo/bar, but you do need execute permissions on all of them.
A given book could be referenced by multiple "cards" in the same or separate "drawer" (that's hard links).
A "card" can reference another card (that's symlinks). Symlinks could became "dangling" (if the other card is removed).
When a book is not referenced by any card in any of the drawers, it "evaporates" from the library.
since 'aha' is 700 by root, how can 'normal' know it's empty or not
Well, one way is to try to remove it. If you succeed, it must have been empty. If it was not empty, "normal" can't find out anymore than that, since "normal" can't read the directory, and therefore can't find how many cards are in that "drawer", or what they are called.
Update:
why do you need execute permissions to traverse a directory.
Because that's the definition of the eXecutable bit for directories. Since you can't reasonably execute a directory, that bit would be wasted otherwise. No, the . and .. files have nothing to to do with the execute bit.
very basically a file/dir permission of 700 is not seven hundred but actually
owner = 7
group = 0
everyone = 0
the numbers pertain to a permission level
0 = no permission
1 = allow to execute (run file or access directory)
2 = allow to write (manipulate)
4 = allow to read (see)
you add the permissions levels up to assign more then one permission for example
$ chmod 754 foo
gives full access to the owner (1+2+4), execute 'n' read to the group (1+4), and read to everyone (4) look at
http://www.linuxclues.com/articles/16.htm
http://www.tuxfiles.org/linuxhelp/filepermissions.html
for more info