 User chsh shell change function needed for Solaris
We are slowly moving from SunOS 4 on antiques to Solaris 8 on our
login servers.  One of the things we need to continue is the ability
for users to change their own login shell in /etc/passwd.  For a
variety of reasons, we are using files validation, not nis/nis+/ldap.
passwd -e can't be run by a user with files validation.  I've spent a
few hours looking at man pages, and don't see an alternative solution.
Looking at sudo, it appears (unless I missed something on the man
page) that there isn't a way to restrict the commands available, and
anyway, putting several thousand users into an sudoers file just so
that they can do this doesn't set very well with us.

Are we missing something here?  Or are we really on our own to devise
something?

The one thing that's been discussed is writing a setuid wrapper
program that does a seteuid and an exec call to passwd -e.  That seems
less risky than trying to write a setuid program that edits the
/etc/passwd file directly.  I don't like setuid programs in the first
place, even simple ones.  

Before I get out my C-coding pencil, I'll ask if that's the route we
have to take?  

Hank



 Fri, 04 Feb 2005 05:48:10 GMT   
 User chsh shell change function needed for Solaris
hvanc...@nyx10.nyx.net (Henry van Cleef) wrote in
news:966548902.396669@irys.nyx.net:

Welcome to the Bronze age!

Correct.  Users editing the password file is a bad security risk.

You can restrict what commands the sudo users run but that opens up another
kettle of worms, part of which you realize with managing sudo users.

Don't have them hork with the passwd file at all.  Edit the startup script
for each user so that it spawns or execs the correct shell with the correct
options so that it doesn't start an infinite spawning loop in running the
startup script.  That way the users can manage their own shell but the
control is at user level and doesn't require ANY root privilege.

You can create a wrapper script that edits their startup script and let them
run that wrapper, but not as root.

suid scripts are a bad idea unless there is absolutely no way around it.

--
-- Rob Prowel (A.K.A. da wiseguy)
URL:  http://www.prowel.com/




 Fri, 04 Feb 2005 05:58:31 GMT   
 User chsh shell change function needed for Solaris
There are some chsh solutions for Solaris.  Go to google and search the web
and groups for
chsh solaris
you will find some stuff.

"Henry van Cleef" <hvanc...@nyx10.nyx.net> wrote in message
news:966548902.396669@irys.nyx.net...



 Fri, 04 Feb 2005 06:17:04 GMT   
 User chsh shell change function needed for Solaris
In article <ajp6cd$7...@news.iastate.edu>,
What I found when I tried it the other day were pages and pages of:

1. University systems instructions for students for changing shells.
No explanation of what mechanism any of them were using.

2. Usenet history going back years and years of people asking questions
about the lack of chsh in Solaris, without getting any answers other
than "no, it isn't there."

Hank



 Fri, 04 Feb 2005 07:42:02 GMT   
 User chsh shell change function needed for Solaris

"Henry van Cleef" <hvanc...@nyx10.nyx.net> wrote in message
news:966548902.396669@irys.nyx.net...

Maybe I am looking at this all wrong.  They want you to write a program to
save them typing three letters?  i.e. csh/ksh/sh  Almost forgot, bash.
That is probably the one that is upsetting them.  They are going to have to
type at least one character, no matter what solution you come up with, to
select the shell they want.  Even if you make a utility for them, it will
have to be at least a one character name or alias to start the script, and
one to select the answer.

No sympathy here.  I have this strange vision in my head of them all
spending the last fifteen minutes of their ride to work trying to decide
what shell to use that day.

Just wondering, they do know they can put #! inside their scripts so the
scripts run on the same shell every time?

It just seems like there is something I am missing here.  Is there something
about the applications that make them not work right if you login with the
wrong shell?  I would put the wrapper around the start script for the
application if that is the case.

Good luck to you.



 Fri, 04 Feb 2005 08:05:01 GMT   
 User chsh shell change function needed for Solaris
In article <Xns926EA450B415Dnooneall...@128.242.171.114>,
Using the passwd command to edit the password file is a bad security
risk?  How so?  We already expect them to use passwd to change their
passwords in the /etc/shadow file.  And I'm not aware that moving the
encrypted password out of the password file is tied to using passwd to
edit it.  
Not sure what you are trying to tell me here.  The user-specific
"startup scripts" are .profile or .login in their home directory.
Exec'ing a new shell doesn't run the shell-specific startups, which
differ between shells, and which need to be run----and rerunning the
script with the new shell will exec the new shell again.  

Nobody is considering suid scripts.  

It seems to me that the preferred method for changing the shell on a
per-user basis is to change it in the /etc/passwd file.  That allows
login to exec the shell the user wants, set up the environment
appropriately, etc.  

If nothing else develops, I'll write the suid/seteuid wrapper C
program to call passwd.  Please note that I am talking about a
compiled program, not a script, here.  

Hank



 Fri, 04 Feb 2005 08:10:20 GMT   
 User chsh shell change function needed for Solaris

I think it's fairly reasonable to go to some lengths to make the lives
of several thousand users easier.  You seem to be suggesting that they
should all type the shell they want after logging in, which I'd find
*completely* unacceptable as a user.  I probably start 10-100
interactive shells a day, and I *really* don't want to have to type
some stupid thing at each of those.

Even if you can get the shell they want correct at user-creation time
- which given thousands of users and therefore, almost certainly,
batch creation of users, is going to be quite hard in any case - if a
user wants to change shell every 2 years, and you have 3000 users, you
are looking at 2-3 shells being changed a day.  If that's done by
mailing the administrators to ask for it this is a significant pain.

No, what you want is for users to have a simple way of changing their
preferred login shell once and for all which doesn't involve
administrators having to do it for them.  This is something Unix has
had for ever (well, probably since early BSD, anyway), and it should
just work.  Linux has it, why should not Solaris also?  If it's hard
to do it securely, then that's a problem which should be solved, and
not punted on by screwing thousands of users.

--tim



 Fri, 04 Feb 2005 08:41:18 GMT   
 User chsh shell change function needed for Solaris
In article <bDW79.51998$EJ4.1647...@news4.srv.hcvlny.cv.net>,
Well, I would certainly say so.  We create all new user accounts with
a menu setup.  Under the current setup they have an option to escape
to csh from the menu.  And from csh, they can run chsh to define any
of several shells as their preferred startup default.

I am not going to go into lengthy rationales for providing the
capability to permanently change the login shell beyond the above,
other than to say that if we don't provide it, there are going to be
enough unhappy campers that we'd better either provide it---or assign
some admin to making those changes for users.  And all of us who are
doing admin tasks are volunteers.  We aren't on call 24/7, don't wear
pagers, and have plenty to do without signing up to do busy work.  

Hank



 Fri, 04 Feb 2005 08:45:00 GMT   
 User chsh shell change function needed for Solaris

Amen to that. I've had five or six requests from people to change their
login shells on a general-access Solaris box. I don't know how many my
co-workers have received. Writing a chsh that essentially calls
passwd -e (with the *uid thingies set to root) is on the list of things
to do, but I haven't had time.

The other option that users have is to modify their .profile or .login
to load the relevant shell, but realistically, most of them wouldn't
know how to do it, and it's far too easy to stuff things up completely.
I'd rather give them a chsh equivalent and be done with it.

Henry, if/when you get around to it, would you mind dropping me a copy
of the source? We can definitely use it here.

--
I'm waiting for tech support to call me back. I'm also waiting for the
second coming of Jesus. Wanna take bets on which happens first?



 Fri, 04 Feb 2005 09:09:41 GMT   
 User chsh shell change function needed for Solaris
[SNIP]
Someone wrote earlier that it is in Linux...  Use the source, Luke...

It's probably not trivial to port to Solaris, but it should be doable.

        Cheers,
                Gary    B-)



 Fri, 04 Feb 2005 09:16:06 GMT   
 User chsh shell change function needed for Solaris
hvanc...@nyx10.nyx.net (Henry van Cleef) wrote in
news:966557432.336364@irys.nyx.net:

My mistake.  I thought that you suggested it.

Suit yourself.

--
-- Rob Prowel (A.K.A. da wiseguy)
URL:  http://www.prowel.com/




 Fri, 04 Feb 2005 13:58:30 GMT   
 User chsh shell change function needed for Solaris

"Henry van Cleef" <hvanc...@nyx10.nyx.net> wrote

Search again...
google groups gives an FTP site on the first page...
ok, here it is (use at your own risk)
ftp://rohan.sdsu.edu/pub/unix/chfn.tar



 Fri, 04 Feb 2005 21:06:34 GMT   
 User chsh shell change function needed for Solaris

Check out
http://www.utexas.edu/cc/unix/software/npasswd/

===

NAME
      npasswd - change login password, shell or finger information

SYNOPSIS
      npasswd [ platform options ] [ -X options ] [ username ]
      chfn [ platform options ] [ -X options ] [ username ]
      chsh [ platform options ] [ -X options ] [ username ]

DESCRIPTION
      Npasswd changes the login password, login  shell  or  finger
      information  for  a  user.   It is designed to supplement or
      replace the standard password change programs  passwd,  chfn
      and chsh.



 Sat, 05 Feb 2005 04:52:24 GMT   
 User chsh shell change function needed for Solaris

"Henry van Cleef" <hvanc...@nyx10.nyx.net> wrote in message
news:966548902.396669@irys.nyx.net...



 Sat, 05 Feb 2005 06:08:36 GMT   
 User chsh shell change function needed for Solaris
news:bDW79.51998$EJ4.1647294@news4.srv.hcvlny.cv.net...

Actually, while I haven't the need for it, I do see a reason.  If they have
to type csh/ksh/sh/bash at the prompt or via .profile/.cshrc/etc., then they
are not working at the root shell level.  When they want to logout, they
would have to exit the spawned shell and then logout.  That makes a one step
process into a two step process.  Additionally, they would lose the ability
of using login to change their user id.  I often rsh to another machine, and
when I need to go to another user on said machine, I just type login rather
than doing another rsh.

Many users prefer what they are used to and don't want to have to think
about it.  It is not unreasonable to allow them to change their shells.

Brad


