Creating a Custom Script


Solaris™ Operating Environment Boot Camp
By David Rhodes, Dominic Butler
Chapter 3.  User Administration


Now that we've looked at some of the different tools that are available for administering the user base, let's create a script that will take us a step further by automating some of the creation steps. This is a common requirement for many companies, because not only does it ease the task of user creation, it also allows us to enforce a set of standards, such as setting a default password, forcing a specific environment or login name, and so forth. The one shown here, for example, performs the following functions:

  • Sets the user's initial password to the company default

  • Sets the password time-out values

  • Forces users to change their passwords at first login

  • Implements quotas for the user

It's worthwhile making a few points before we look at the script. Firstly, we've tried to use the supplied tools whenever possible, rather than rely on manually editing the files. This provides us with the "safety buffer" we talked about earlier (backup copies of files, UID checking, etc.). That said, the only way we can enter a password using a shell script is to manually edit the files, which we've done using sed to insert an already encrypted password. If you need to do something different, such as generating a different password for each user, then you'll need to write a program in a language such as C or Perl to do this.

Lastly, near the end of the script, there is room for adding any company-specific settings that you need to apply, such as updating user profiles and so forth. We've used this section to initialize the user's quotas by copying them from an existing user:

    hydrogen# cat createUser
    #!/bin/ksh
    #
    # A script to create users in a "company format."
    # This uses a default, encrypted passwd that has been
    # obtained by pulling a known password from the shadow
    # file. The users are forced to alter it at first login.
    # It assumes the group already exists and is valid.
    #

    #
    # set our company defaults
    #
    home=/export/home
    shell=/bin/ksh
    skel=/etc/skel
    password=hViVZtexneY8Y   # default encrypted password (changeme)
    warnDays=5
    validDays=60
    tmpPasswd=/tmp/passwd.$$
    quotaAccount=testuser

    #
    # check we have the correct number of params
    #
    if [ $# -ne 3 ]; then
      echo "Usage: ${0} <login name> <gid> <comment>"
      exit 1
    fi

    #
    # grab the user info
    #
    user=$1
    gid=$2
    comment=$3

    #
    # check the group is valid
    # (match the GID field exactly, so that 10 does not also match 100)
    #
    egrep -s "^[^:]*:[^:]*:${gid}:" /etc/group
    if [ $? -ne 0 ]; then
      echo "Please enter a valid gid and re-run"
      exit 1
    fi

    #
    # add the user to the passwd file
    #
    useradd -c "${comment}" -d ${home}/${user} -g ${gid} \
            -m -k ${skel} -s ${shell} ${user}

    #
    # insert the password to the password file
    # (see below why the passwd and not the shadow file)
    #
    sed -e "s/^${user}:x:/${user}:${password}:/" /etc/passwd > ${tmpPasswd}
    if [ -s ${tmpPasswd} ]; then
      mv ${tmpPasswd} /etc/passwd
      if [ $? -ne 0 ]; then
        echo "Error: Cannot copy new password file"
        exit 1
      fi
    fi

    #
    # we are setting warning and expiration dates, so
    # shadow needs to know when the password was updated
    # let pwconv handle this for us
    #
    pwconv

    #
    # set the password timeouts
    #
    passwd -f -w ${warnDays} -x ${validDays} ${user}

    #
    # update the account with any "standard" settings
    #
    edquota -p ${quotaAccount} ${user}

    exit 0
    hydrogen#

So now that we've got the script, how do we run it? This is actually very simple: The script checks for three arguments being passed in (the login name, the GID, and a comment for the "gecos" field). To run it for one of our example users, say John Green, we would enter the following command:

    hydrogen# createUser jgreen 10 "John Green"
    6 blocks
    hydrogen#
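
Because createUser gives every new account the same encrypted default password, any account that still carries that value has never had its password changed. The following check is an added example, not part of the book's script: it lists such accounts from a shadow-format file and, going a step beyond the single default, reports any password hash shared by more than one account. The function names and the sample file are assumptions made for illustration; the sample entries are constructed.

```shell
#!/bin/sh
# Added example (not from the book): find accounts whose shadow entry still
# holds the shared default hash inserted by createUser.

DEFAULT_HASH='hViVZtexneY8Y'   # default encrypted password used by createUser

# default_pw_accounts <shadow-format file> [hash]
# Prints one login name per line for every entry whose password field is
# exactly the given hash. The comparison is a string equality test on the
# field, not a regex, so "." and "/" in a hash are not treated as patterns.
default_pw_accounts() {
    awk -F: -v h="${2:-$DEFAULT_HASH}" '($2 "") == (h "") { print $1 }' "$1"
}

# shared_hashes <shadow-format file>
# Generalisation: prints "count hash" for every real hash used by two or
# more accounts. Locked (*LK*), no-password (NP) and empty fields are skipped.
shared_hashes() {
    awk -F: '$2 != "" && $2 != "NP" && $2 !~ /^\*LK\*/ { n[$2]++ }
             END { for (k in n) if (n[k] > 1) print n[k], k }' "$1"
}

# make_sample <file>
# Writes a constructed sample in shadow(4) layout; the root hash is made up.
make_sample() {
    cat > "$1" <<'EOF'
root:Xq3constructed1:11500::::::
daemon:NP:6445::::::
jgreen:hViVZtexneY8Y:0::60:5:::
asmith:hViVZtexneY8Y:0::60:5:::
testuser:*LK*:11510::60:5:::
EOF
}

# Demonstration on the constructed sample (mktemp avoids a predictable name).
sample=$(mktemp) || exit 1
make_sample "$sample"
echo "Accounts still on the default password:"
default_pw_accounts "$sample"
echo "Hashes shared by more than one account:"
shared_hashes "$sample"
rm -f "$sample"
```

On a live system the functions would be pointed at /etc/shadow by root in place of the sample file.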




    Solaris Operating Environment Boot Camp
    ISBN: 0130342874
    EAN: 2147483647
    Year: 2002
    Pages: 301
