I'm using CentOS 6 for my work. For educational purposes I want to add a user to CentOS by only editing configuration files. I know we can easily add a user with the useradd command and change their password using the passwd command. But I need to use exactly the above-mentioned way. To do this, first I need to understand which files I have to change.
By searching I found that the following files are responsible for handling users:
/etc/passwd
/etc/group
/etc/shadow
/etc/gshadow
What I did is first I added the user using the useradd command and then studied the strings that command created in the above files. Then I tried to replicate it by manually editing the files using the vi editor. After I replicated every line, I made a directory for my new user in /home. Then I rebooted the VM and tried to log in as the manually created user. I can log in without any problems, but the terminal shows bash-4.1$ instead of my username. But when I use whoami, the terminal prints my username correctly.
My questions are:
Are there any other files I need to modify to add the user successfully?
By adding the user manually, what functionality does that user lose?
How do I create an MD5-hashed password for the manually created user?
I know this may be a little bit odd to you, but I need to do it exactly this way. If this question is inappropriate, please let me know without downvoting.
Thanks
Those are the essentials, obviously you'll need to create a home directory for that user with proper permissions, as well as any additional user specific resources.
You might want to also read up on the Pluggable Authentication Module or PAM. This provides increased authentication functionality to Linux beyond passwd, group, shadow files.
Also check out the GETPWNAM() system call.
=D Enjoy the Posix!
Serverfault on password hash creation below.
REF: https://unix.stackexchange.com/questions/81240/manually-generate-password-for-etc-shadow
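An added example (not part of the original posts): a consistency check over the four files named in the question, in the spirit of pwck and grpck, run on constructed entries for a hypothetical user "alice". The function names, messages and sample lines are assumptions made for the illustration.

```python
FIELDS = {"passwd": 7, "shadow": 9, "group": 4, "gshadow": 4}

def parse(text, kind):
    """Map name -> list of fields; reject lines with the wrong field count."""
    table = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != FIELDS[kind]:
            raise ValueError("%s line %d: want %d fields" % (kind, n, FIELDS[kind]))
        table[parts[0]] = parts
    return table

def check_user(name, passwd, shadow, group, gshadow):
    """Return a list of findings for one account (empty list = consistent)."""
    pw, sh = parse(passwd, "passwd"), parse(shadow, "shadow")
    gr, gs = parse(group, "group"), parse(gshadow, "gshadow")
    if name not in pw:
        return ["no passwd entry"]
    _, pwfield, uid, gid, _, _, _ = pw[name]
    out = []
    if pwfield != "x":
        out.append("passwd field 2 is not 'x': hash is not kept in shadow")
    if [n for n, e in pw.items() if e[2] == uid and n != name]:
        out.append("UID %s is shared with another account" % uid)
    if name not in sh:
        out.append("no shadow entry")
    elif sh[name][1] == "":
        out.append("empty shadow hash: no password required")
    primary = [g for g, e in gr.items() if e[2] == gid]
    if not primary:
        out.append("primary GID %s has no group entry" % gid)
    out += ["group %s has no gshadow entry" % g for g in primary if g not in gs]
    return out

# Constructed sample: passwd/shadow lines typed by hand, group files forgotten.
BAD = dict(
    passwd="root:x:0:0:root:/root:/bin/bash\nalice:x:501:501::/home/alice:/bin/bash\n",
    shadow="root:!!:15000:0:99999:7:::\nalice::15000:0:99999:7:::\n",
    group="root:x:0:\n", gshadow="root:::\n")
# Same account after adding the group lines and a locked ("!!") hash field.
GOOD = dict(BAD, shadow=BAD["shadow"].replace("alice::", "alice:!!:"),
            group=BAD["group"] + "alice:x:501:\n",
            gshadow=BAD["gshadow"] + "alice:!::\n")

if __name__ == "__main__":
    for label, files in (("before", BAD), ("after", GOOD)):
        print(label, check_user("alice", **files))
```

On a real system the same function can be fed the contents of the four files read as root; an empty hash field in shadow is the finding to fix first.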
I am looking at building a script which eventually needs to install some application - copying folders/files to certain places in Mac & Linux. The user should not be able to delete those folders/files or the script I pass to the user. Is there any way to achieve this?
For Mac - sudo chflags schg /path/to/file - can be set.
For Linux - I can set the sticky bit via chmod +s /path/to/file.
The problem is, if the user knows the administrator password (root password, I meant), then they can change the permissions and then delete using rm -rf.
The question is how do I catch them? How do I make sure that, in case the user as root runs rm -rf, it's caught, and my files/folders do not get deleted?
Any pointers on this would be greatly helpful.
Thanks
EDITED:
Due to a clarifying note by the OP, the purpose here is to control network users who somehow got the root password, rather than subvert the will of the lawful owner of the machine.
You cannot do what you're trying to do, nor should you.
If the user has the root password, it means you trust her with the computer. If you want someone not to be able to do something, don't give them the root password.
The attributes you mention are good ways to prevent accidental deletion of files, and it is all you can expect to achieve.
Again, if you want them not to delete the files, don't give them root.
I have an Informatica workflow that is supposed to generate a .dat file.
The issue is that the workflow creates a 0 byte file, but then cannot write to the file it JUST created. It's baffling.
The target directory is on a Linux server, and there is a developer on our team who is able to run the workflow just fine, without this file-writing issue.
However, I have checked with our Linux admins and several of them have confirmed that there is no major difference in access/permissions between her Linux ID and my own. She is in two more user groups than I am, but I have been told that they would not have anything to do with this issue.
The ID used by the connection object is also in the same user group as my id on the linux server, enduser. Therefore it should be able to write to my home directory.
The workaround we have devised is to remove the files using my id, touch the files and then chmod them. This allows the id used by the Informatica connection object to write to the files, but it is not a permanent (or correct) fix.
My best guess is that this is most likely some sort of (very obscure) Linux environment issue.
I am also not able to make any changes to the Informatica workflow or mapping, since it is built correctly and this issue appears to be completely local to certain linux user ID's.
Does the etluser have write permissions? Have you tried running a post-session command script for chmod and giving full permissions and then writing into the file?
I am trying to write a custom (GUI) program installer which needs to run as a specific (system) user (without a home directory) - let's call him "installer". Things I have tried or pondered to achieve this in a couple of different ways:
Launching the GUI installer app as user "installer" through (gk)su(do) (-u). The problem is that a. these commands are not available on every distribution or do not behave the same everywhere thanks to internal aliases, and b. the X server does not allow me to connect as a different user without some potentially insecure "xhost +" modification (the old "cannot connect to X server :0.0" problem).
Avoiding the X server for the installer routine and creating a separate (CLI) binary for the chmod/file copy process, while the GUI runs in current user mode. The problem is that I have to give the password to the (sudo -S) command in clear text, which shows up in the logs, so not a good idea either.
Several command combinations of export display, .Xauthority, xhost and anything I could find on stackoverflow, without much success.
So, what do I actually need?
A distro-independent, secure way of launching a GUI application as another (non-root, but "/home"-less system) user.
An elegant way of asking the current user for the password of user "installer".
A solution that does not require the current user to enter the root password first, or install the application as root.
I'd be thankful for any thoughts on the matter.
[edit] To clarify, I do not really want to install new programs into the established Linux file structure. The whole setup is this:
I have a main program that will be installed by root. This program can be extended by modules.
These modules will be installed into a custom folder (let's call it "/progmodules") which is owned by the "installer" user. The goal is to have authorized users be able to install new modules, without giving them full root access.
Any users who want to install new modules should be able to run the installer GUI app, enter the "installer" user password, and then have the files transferred.
How do I change the SVN password from command line?
It is the best way for me if it can be done from the command line.
There are multiple ways passwords are setup on Subversion. It depends upon the server you're using (svnserve, http, svn+ssh), and the way the administrator has set everything up.
Subversion doesn't contain a built in authentication method. Instead, it can use many different external authentication methods from the very simple to the extremely complex. Some will allow users to change their own passwords and even setup their own accounts. Others require a system administrator to do it. It all depends upon your particular setup.
On our site, we use Apache http to serve our Subversion repository (svn co http://server/src/repos). I've set it up to use our Windows Active Directory, so the user's username and password is their Windows' username and password. It means I don't have to handle users' I forgot my password requests, and passed the whole account headache to our Windows administrators.
Some sites use Apache http, but use a password file located on the Apache server itself. This is usually called htpasswd and its location is configured by the Subversion administrator. It's possible that the System administrator has a way to let the users set their own passwords, but that's not necessarily true. In this instance, you have to contact the administrator and ask them to change your password.
Some sites use svnserve (svn co svn://server/repos). The standard way this is setup is that there's a passwd file in the Subversion repository's config directory. This is located on the system that's running the server, and you have no access to it. Again, you have to contact the system administrator.
Some sites use SASL for their authentication. This can use Windows Active Directory, LDAP, or any number of authentication methods. Sometimes you can set your own password, sometimes you have to ask the administrator how it's done.
So, you're going to have to ask your Subversion administrator how to change your password. If you're lucky, there's a way to do it yourself. If not, you'll have to ask your Subversion administrator to change it.
You must edit a file under your /repo/conf/passwd using a command line editor like Vim.
There is no way to do this with Subversion command-line utilities like svnadmin.
If https is used, the password may be defined by Apache. This is what I needed to do to change password, in case it helps someone else:
# using root account
cd /etc/apache2
cat foo.passwd # the right user, foobar was found here
# copy the line for foobar, in case you want to restore it!
man htpasswd # a little refresher on what the command does
htpasswd foo.passwd foobar
# new password is prompted
cat foo.passwd # check that the line for this user actually got changed
Then do checkout with https to verify the right password got changed.
This is what I have to do:
cd /etc/httpd/conf/svn
# back up the current svn-auth just in case
cp svn-auth.htdigest svn-auth.htdigest«yymmDD»
htdigest svn-auth.htdigest "Subversion Repository" «user-name»
It will ask for the new password.
htpasswd -m C:\csvn\data\conf\svn_auth_file admin
I recommend installing the Collabnet SubVersion Edge bundle, since it includes a Web tool for allowing users to change their passwords on their own.
Really new to Linux scripting, so I figured I would ask rather than waste time pulling my hair out.
I have a simple script that backs up the contents of a folder on my Linux box and moves it to S3 storage. I would like this script to create a zip file and password-protect it without any intervention from me.
I got it down to
zip myarchive.zip /var/www/* -e
but cannot work out where I should put the password to stop it prompting me.
thanks
kris
Doing that is a security risk as it means your password will be written in cleartext in your script.
For this reason, zip refuses to work that way. It wants the input from the keyboard, not your script or a file.
I'm not aware of a workaround.
On the other hand, at least the zip in my Ubuntu distribution offers a -P password option which, I think, allows you to enter the password right on the command line. The documentation surrounds this option with the appropriate warnings.
You could also use the security features provided by the file system. This is indeed another story, but it does protect your information in most cases.
So I guess doing a chown and chmod on your archive after creating it will prevent unwanted users from accessing the file, if all you need is a file that can only be read by a certain group. The main advantage is that there's no need to memorize a password here.