User Manager Software
One of the most time-consuming tasks of every system administrator (Linux or not) is user account maintenance. Whether adding or removing accounts, or even occasional suspending or enabling, it is definitely something that can be done by a user other than root. Why spend time going through a stack of papers on your desk with one thousand user accounts to modify when the person who wrote the work orders in the first place could just as easily do it?
Now you may ask, “How are these people supposed to do this job? I am not giving out the root password!” Well, to get around the password problem, I have a quite simple response: use sudo (pronounced soo-doo). You can get this neat little gem from http://www.courtesan.com/sudo/. sudo allows a permitted user to execute a command as superuser (real and effective UID is set to 0, and GID is set to root's group ID as set in the password file). Using a utility like this, you can permit certain users to run certain programs, such as an adduser script or a chfn command. Although certain sanity checks must be in place, I have found sudo to be a viable solution to keeping the root password secure.
To get around the problem of letting others mess with user accounts, I created User Manager. Now I rarely spend time dealing with user accounts. User management is done by the technicians, the billing department and the salespeople. User Manager, primarily a Korn shell script, does it all. (The Korn shell can be obtained from ftp://ftp.cs.mun.ca/pub/pdksh/.)
The User Manager script is a framework for your system that can be customized to add in RADIUS support, multi-homing support and domain management. For example, one system I set up builds all DNS, web and stats package configurations and sets up the user account for a multi-home web customer. It was fairly simple to add this support to the script, and it provides a great learning base in system automation.
The User Manager tar archive file can be found at ftp://ftp.inetinc.net/pub/usrmgr/usrmgr.tgz. It includes the usrmgr Korn shell script, a C program and a simple Perl script, a README file, an INSTALL file and an ASCII welcome screen. The C program, newpass.c, helps with encrypting new user passwords and the Perl script, loginterp.pl, generates reports from information logged when User Manager is run.
In order to configure the User Manager software, you should know the locations of several common utilities on your system. Some of these include finger, sed, edquota, sort and mail. You can see the complete list in the sidebar “Programs and their Locations”. Make sure all of these are set correctly in usrmgr before running the script. If they are not, the script will not execute properly—steps may be left out.
Once you have the locations of the programs set up, you have some choices to make. Where do you want your log file to go? Where do you want the scripts to reside? Which administrator (or administrators) will be receiving e-mail messages noting the user's actions? Here are the answers I gave when I set up my system:
Log File -> /usr/local/adm/usrmgr.logfile
Scripts Reside in -> /usr/local/usrmgr
Administrators -> brw,matt,billing@inetinc.net
Note that the administrators can be local user names and/or full Internet e-mail addresses. For multiple entries, simply separate each address with a comma and no spaces.
The reports generated by User Manager's Perl script can be very helpful tools, not only for your system administration team but also for the billing and administrative personnel at your company. With sudo installed, the reports list the user name of each person who ran User Manager, instead of just logging everything as root. Listings 1 and 2 show the two different report formats available.
The simple log in Listing 1 is summary information aimed at system administrators. It lists the number of adds, suspends, enables and deletes performed by each user and can be used to track any unwanted or unauthorized users who might be abusing User Manager. If you set up your system to allow only administrators to access User Manager through sudo, you can easily track malicious activity by checking what root is doing. If the machine where I obtained the Listing 1 data was a production machine, I would be very wary of the one add done by root, and would check the detailed logs for more information.
Listing 2 shows a more detailed report that can be turned on or off by setting verbose to 0 or 1 in the loginterp.pl script. My personal recommendation is to leave it on so that you can send these reports to your billing and account managing crew. It is also helpful in investigating any malicious activities which may have shown up in the summary reports.
For example, one entry in the summary report detected root doing an add to a user's record:
Function Performed: User Added Done by: root Login: jhanish Password: ilovesouthpark UID: 1003 GID: 1003 Real Name: Joe Hanish Home: /home/jhanish Shell: /bin/tcsh Date: 07.29.1998
One might deduce that a possible security hole was exploited and now a new user, jhanish, has been added to the system. So, we take a look at the /etc/passwd entry to see what else may have happened.
jhanish:x:0:1003:Joe Hanish:/home/jhanish:/bin/tcshIn this case, after adding himself to the system, he then created a back door to access the system as root if he wished. Of course, a skilled hacker would not leave traces like this, but someone just playing around can easily be caught.
You may want to set a cron job to run loginterp.pl on a weekly or monthly basis to generate report files and send them automatically to administrators through e-mail. For example:
6 0 1 * * root /usr/local/bin/loginterp.pl | mail -s UserMGRLogs root,billing
User Manager was built as a basic shell for all your user managing functions. As a system administrator, I realize every system has a unique function, operating system and system administrator's style of managing. User Manager gives you a platform on which to create a customized software package to handle everything you do when managing users. This will give you time to do more interesting tasks without worrying about whether you missed a step in the process.
One other application for this script could be to add in web-hosting support. An ISP that hosts web sites could automate all the steps required to add customers to its systems. To do this, start with the User Manager framework and add in the other steps.
For example, one system I am familiar with is a small web-hosting company that has two main servers. The second server is really only a backup mail spooling system and a secondary DNS. Even though this is a simple example of added functionality in User Manager, the concept can be applied across an infinite number of servers and/or locations.
The User Manager software is on the main system. Once a web customer is added, the script goes out and builds the DNS record, rebuilds the /etc/named.boot file on the fly, passes the configuration to the secondary name server and rebuilds its /etc/named.boot file. After all the configurations are built, it reloads each name server's database.
Once all the DNS is complete, it then takes care of the /etc/sendmail.cw file (this step always caused me problems) and sends a HUP signal to sendmail to get it to recognize the changes. When that is done, it actually adds the user account. It then builds the httpd configuration on the fly as well as the stats package configuration.
User Manager is the solution to all your user-administration problems. With the added help of sudo and the report generation program, user management is no longer a worry. Due to the script's scalability and robustness, it can be ported to any system with ease. Even a BSD password database system can have User Manager running on it. Because it is written as a Korn script, it is not limited by any flavor of UNIX. It can be every system administrator's friend and might even cut your work week down dramatically, giving you some time for the things that truly matter in life.
Branden R. Williams is Vice President of I-Net Solutions, Inc. (http://www.inetinc.net/), where he consults with several other companies doing UNIX system and network administration, security management, and system performance tuning. When he is not in the office, he enjoys sailing, playing his acoustic guitar, and astronomy. He can be reached via email at brw@inetinc.net.