
I have a query with the command "useradd"

  • Krishnan Gopalakrishnan
    Message 1 of 9 , Oct 1, 2005
      Hi all,

      We all know that the command "useradd" can be used only by the user "root"
      to add any number of users. But then, when we look at the "passwd" command,
      I am able to modify the root password as well as the user passwords (logged
      in as 'root' user) and I can change the password for specific user (logging
      in as 'specific' user).

      Now when I see the passwd file in /usr/bin/passwd, I see the following
      permissions:

      -r-s--x--x 1 root root 19336 Sep 7 2004 passwd

      I see that the file permissions - "Set user id" has been used which is
      denominated as "s". And hence any user can change their respective password.

      Now, if I change the permission for /usr/sbin/useradd (when I do a set user
      id to /usr/sbin/useradd file):

      -rwxr-xr-x 1 root root 57532 Nov 24 2004 useradd

      to

      -rwsr-xr-x 1 root root 57532 Nov 24 2004 useradd

      Will any user be able to add the users logged in as any 'specific' user?

      This did not work!! Any idea - what all files/attributes needs changes?
      Please let me know.

      Best regards,

      Krishnan


      ++++++++++++++++++++++++++++++++
      Krishnan Gopalakrishnan
      krishnan.gopalakrishnan@...
      Systems Management & Quality Assurance
      IPsoft, Inc.
      Bangalore


    • Godwin Stewart
      Message 2 of 9 , Oct 1, 2005

        On Sat, 1 Oct 2005 23:34:09 +0530, Krishnan Gopalakrishnan
        <krishnan.gopalakrishnan@...> wrote:

        > { massively crossposted message }

        Sorry folks, I saw the massive crosspost a second too late...

        - --
        G. Stewart - gstewart@...

        If at first you don't succeed, redefine success.
      • ed
        Message 3 of 9 , Oct 1, 2005
          On Sat, 1 Oct 2005 23:34:09 +0530
          Krishnan Gopalakrishnan <krishnan.gopalakrishnan@...> wrote:

          > This did not work!! Any idea - what all files/attributes needs
          > changes? Please let me know.

          Don't cross post. Look at the write access for /etc/passwd.

          --
          Regards, Ed http://www.usenix.org.uk
        • Krishnan Gopalakrishnan
          Message 4 of 9 , Oct 1, 2005
            Krishnan, please _don't_ top post either!
            Replies belong _below_ the (trimmed!) quoted material.
            - Moderator

            On 10/2/05, ed <ed@...> wrote:
            > Krishnan Gopalakrishnan <krishnan.gopalakrishnan@...> wrote:
            > > This did not work!! Any idea - what all files/attributes needs
            > > changes? Please let me know.
            >
            > Don't cross post. Look at the write access for /etc/passwd.

            Thanks, Ed. I did the following too:

            Changed the 'specific' user's gid = 0 in the /etc/passwd file, and tried
            again. Did not work though!

            I suspect some other file's access needs "set user id" access. Can you help
            me out with this?

            Best regards,

            Krishnan

            --
            ++++++++++++++++++++++++++++++++
            Krishnan Gopalakrishnan
            krishnan.goplakrishnan@...
            Systems Management & Quality Assurance
            IPsoft, Inc.
            Bangalore
          • Krishnan Gopalakrishnan
            Message 5 of 9 , Oct 1, 2005
              Hi Stewart,

              Sorry, I did not get what you are trying to say! Cross post??

              -- Krishnan

              [ Krishnan, Godwin's personal name is his first one, "Godwin".

              A cross post is a post to more than _one_ mailing list or newsgroup.
              Different groups have different etiquette and different subject matter.
              More importantly, if some helpful person replies their reply will
              generally go to all the groups. Every list of which that person
              is _not_ a member will send them a rejection message!
              Always choose _one_ group to ask in, and ask only there.

              Secondly, I'll repeat my request to not top post.
              Conversations read from top to bottom, and therefore reply text
              belongs _below_ the quoted previous text. And the previous text should
              be trimmed to _just_ the small relevant part to make things easy to
              read.

              Now, Godwin will probably flame you for all this because it is all
              spelt out very clearly in the Etiquette that was sent to you when you
              joined the group. Please read it and adhere to it - it makes
              everything easier for everyone.
              - Cameron Simpson, a moderator
              ]
            • Thomas J. Hruska
              Message 6 of 9 , Oct 1, 2005
                Krishnan Gopalakrishnan wrote:
                > Krishnan, please _don't_ top post either!
                > Replies belong _below_ the (trimmed!) quoted material.
                > - Moderator
                >
                > On 10/2/05, ed <ed@...> wrote:
                >
                >>Krishnan Gopalakrishnan <krishnan.gopalakrishnan@...> wrote:

                Hypocrite. :P

                (Of course, you are the moderator and can do as you please...but it is
                humorous in a geeky sort of way that you top-posted about not top-posting)

                --
                Thomas Hruska
                Shining Light Productions

                Home of BMP2AVI, Nuclear Vision, ProtoNova, and Win32 OpenSSL.
                http://www.slproweb.com/

                Ask me about discounts on any Shining Light Productions product!
              • Cameron Simpson
                Message 7 of 9 , Oct 2, 2005
                  On 02Oct2005 02:04, Thomas J. Hruska <shinelight@...> wrote:
                  | Krishnan Gopalakrishnan wrote:
                  | > Krishnan, please _don't_ top post either!
                  | > Replies belong _below_ the (trimmed!) quoted material.
                  | > - Moderator
                  [...]
                  | > On 10/2/05, ed <ed@...> wrote:
                  | >>Krishnan Gopalakrishnan <krishnan.gopalakrishnan@...> wrote:
                  |
                  | Hypocrite. :P
                  | (Of course, you are the moderator and can do as you please...but it is
                  | humorous in a geeky sort of way that you top-posted about not top-posting)

                  That's "a moderator", thenkyew!

                  I assert that my statement was not a reply to him, and wasn't a top post
                  because it wasn't on top of the relevant text, since it wasn't there any more
                  because I'd reformatted it as a bottom post:-)
                  But yes, exactly the point you raise does bother me. Consider me chastened.

                  Cheers,
                  --
                  Cameron Simpson <cs@...> DoD#743
                  http://www.cskk.ezoshosting.com/cs/

                  Stepwise Refinement n. A sequence of kludges K, neither distinct or finite,
                  applied to a program P aimed at transforming it into the target program Q.
                • ed
                  Message 8 of 9 , Oct 2, 2005
                    On Sun, 2 Oct 2005 11:09:36 +0530
                    Krishnan Gopalakrishnan <krishnan.gopalakrishnan@...> wrote:

                    > Changed the 'specific' user's gid = 0 in the /etc/passwd file, and
                    > tried again. Did not work though!

                    Weird, it works here:

                    ed@workstation:~$ sudo chmod 4755 /usr/sbin/useradd
                    ed@workstation:~$ /usr/sbin/useradd
                    usage: useradd [-u uid [-o]] [-g group] [-G group,...]
                    [-d home] [-s shell] [-c comment] [-m [-k template]]
                    [-f inactive] [-e expire ] [-p passwd] name
                    useradd -D [-g group] [-b base] [-s shell]
                    [-f inactive] [-e expire ]
                    ed@workstation:~$ /usr/sbin/useradd -s /bin/false bob
                    ed@workstation:~$ cat /etc/passwd | grep bob
                    bob:x:1004:100::/home/bob:/bin/false
                    ed@workstation:~$ ls -al /etc/passwd
                    -rw-r--r-- 1 root root 1434 Oct 2 09:12 /etc/passwd
                    ed@workstation:~$ ls -al /etc/shadow
                    -rw-r----- 1 root shadow 974 Oct 2 09:12 /etc/shadow
                    ed@workstation:~$ ls -al /etc/group
                    -rw-r--r-- 1 root root 645 Jun 24 21:49 /etc/group

                    Now anyone who haxx0rs my boxen can run useradd and give themselves a
                    shell and have themselves a mail relay/irc spam station because anyone
                    in the 'other' permission entity can add users.

                    > I suspect some other file's access needs "set user id" access. Can
                    > you help me out with this?

                    I suggest you look into sudo, you can set sudo to run specific programs
                    without requiring a password, that's all in the man page.

                    The sticky bit is being phased out in favour of sudo, and it's generally
                    frowned upon these days by some communities. There is also the advantage
                    that every time sudo runs (by default) there is an entry in
                    /var/log/auth.

                    --
                    Regards, Ed http://www.usenix.org.uk - http://irc.is-cool.net
                    ~
                    ~
                    :wq
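
The following is an added example, not part of the thread: a small audit for the change demonstrated in message 8, listing setuid files under a directory and reporting any that are not on a reviewed allowlist. The function names, the one-path-per-line allowlist format and the temporary demo tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag setuid files that are not on a reviewed allowlist.

# Print every regular file under DIR ($1) that carries the setuid bit.
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Print setuid files under DIR ($1) whose path is not listed, one per line,
# in ALLOWLIST ($2). Comparison is exact: whole line, fixed string.
unexpected_setuid() {
    list_setuid "$1" | grep -vxF -f "$2" || true
}

# Build a constructed tree mirroring the thread: passwd is setuid by design,
# useradd has been changed from 0755 to 4755, ls is an ordinary binary.
# Prints the path of the tree; the allowlist is written to <tree>/allowlist.
make_demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/usr/bin" "$root/usr/sbin"
    : > "$root/usr/bin/passwd";   chmod 4511 "$root/usr/bin/passwd"
    : > "$root/usr/sbin/useradd"; chmod 4755 "$root/usr/sbin/useradd"
    : > "$root/usr/bin/ls";       chmod 0755 "$root/usr/bin/ls"
    printf '%s\n' "$root/usr/bin/passwd" > "$root/allowlist"
    printf '%s\n' "$root"
}

demo=$(make_demo_tree)
echo "setuid files found:"
list_setuid "$demo"
echo "not on allowlist:"
unexpected_setuid "$demo" "$demo/allowlist"
rm -rf "$demo"
```

On a real host the directory argument would be a system path such as /usr and the allowlist would be kept under change control; the demo files here are empty and owned by whoever runs the script.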
                  • Citpl blr
                    Message 9 of 9 , Oct 4, 2005
                      hi u can use sudo for that

                      u can assign any rights using sudo to any particular user for 5 mints

                      [ Citpl, please DO NOT top-post!
                      Replies belong _below_ the quoted text, and the quoted text
                      should be _trimmed_ to just the relevant piece.
                      Making this _small_ effort will make things easier for everyone else.
                      It would also be nice if you used English. "u" is _not_ a word;
                      we are not typing coarse abbreviations on mobile phones here.
                      - Moderator
                      ]