Deleting a User from Sudoers File Using a Script - bash

I am writing a script that will delete a user from a Linux CentOS 7 box and also remove their sudo permissions.
This is what I have so far:
echo -n "Please enter the username you'd like to delete: "
read -r username
passwd --lock "$username"
userdel -r "$username"
sudo userdel -r "$username" >> /etc/sudoers.d/sugroup
I know I may need to move the last line above the last userdel -r line; I definitely need some help in making sure that the code works properly. I have a test box I am running this on, so if it blows up, I can recreate it.

It should be enough to use sudo userdel -r "$username"; no additional command is needed to remove a user and most of their files.
An alternative way to update sudoers content would be using visudo, since it protects against many failure modes.
Hope this helps.
Addition:
All files in /etc/sudoers.d/ should have mode 0440:
sudo chmod 440 /etc/sudoers.d/*
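As an added example (not part of the question or the answer above), here is the off-boarding flow done the way the answer recommends: the user's rules are removed from the sudoers.d drop-in, the result is checked with visudo -c before it replaces the file, and only then is the account locked and deleted. It assumes the drop-in path is passed as an argument and that the user's rules are ordinary "user HOST=..." lines (Defaults:user and User_Alias entries are not handled and need a manual review).

```shell
#!/bin/bash
# Added example (not the poster's script or the answer's commands): remove a
# user's rules from a sudoers.d drop-in, validate with visudo, then lock and
# delete the account. Assumes plain "user HOST=..." rule lines.

# Print the drop-in with every rule whose User_List is exactly "$1" removed;
# comments, blank lines, Defaults and other principals pass through untouched.
strip_user_rules() {   # usage: strip_user_rules <user> <file>
    awk -v u="$1" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }   # comment/blank
        $1 == u { next }                                       # rule for user: drop
        { print }
    ' "$2"
}

# Rewrite the drop-in without the user's rules. The new content goes through
# "visudo -c -f" first: a syntax error in /etc/sudoers.d locks every
# administrator out of sudo, which is why the answer points at visudo.
remove_sudo_rules() {   # usage: remove_sudo_rules <user> <file>
    local user="$1" file="$2" tmp rc=0
    tmp=$(mktemp) || return 1
    strip_user_rules "$user" "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    if command -v visudo >/dev/null 2>&1 && ! visudo -c -q -f "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    # Write in place (same inode, same owner) and keep the 0440 mode sudo expects.
    { cat "$tmp" > "$file" && chmod 0440 "$file"; } || rc=1
    rm -f "$tmp"
    return "$rc"
}

# Full off-boarding: refuse unknown names, lock first, drop sudo rules, delete.
offboard_user() {   # usage: offboard_user <user> <sudoers-drop-in>
    local user="$1" dropin="$2"
    id -u "$user" >/dev/null 2>&1 || { echo "no such user: $user" >&2; return 1; }
    passwd --lock "$user"                    # stop new logins before anything else
    remove_sudo_rules "$user" "$dropin" || return 1
    pkill -u "$user" 2>/dev/null             # end sessions still running as the user
    userdel -r "$user"
}
```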

Related

how to add multiple users and afterwards add them to groups in linux using bash script

I have a txt file called Usernames.txt with information like the following (a name followed by a group type). E.g. (these are just a few instances, as there are many more inputs):
Usernames.txt:
ellipsiscoterie,visitor
magnetcommonest,visitor
belateddefensive,staff
wizardmeans,visitor
bobstercaramelize,staff
In the script shown below, I attempted to add each line's name as a user and allocate each new user to its respective group. However, I have encountered this error, and the output is not what I had in mind. I hope someone can help me out, thanks.
Basically this is what I want to do, but for every single line in the txt file.
E.g. sudo useradd bobstercaramelize (which is the name of the user) and sudo usermod -a -G staff bobstercaramelize.
Error:
createUsers.sh: line 4: $'[visitor\r': command not found
Code:
#!/bin/bash
while read line; do
arrIN=(${line//,/ })
if [${arrIN[1]} = "visitor" ]; then
sudo useradd ${arrIN[0]}
sudo usermod -a -G visitors ${arrIN[0]}
else
sudo useradd ${arrIN[0]}
sudo usermod -a -G staff ${arrIN[0]}
fi
done < Usernames.txt
First, the error seems to stem from a missing space: [${arrIN[1]} = "visitor" ] needs to be [ ${arrIN[1]} = "visitor" ]. Note the space between [ and ${arrIN[1]}.
Second, the \r in the error message indicates that there might be an issue with the line endings of your Usernames.txt file. Try to save it with Unix/Linux line endings (i.e. each line should be terminated by \n only).
Third, you might want to consider parsing the file's contents differently:
while IFS=, read -r user group; do
if [ "${group}" = "visitor" ]; then
sudo useradd "${user}"
sudo usermod -a -G visitors "${user}"
else
sudo useradd "${user}"
sudo usermod -a -G staff "${user}"
fi
done < Usernames.txt
This way, read does the splitting for you, making things easier, more precise and more readable. I also added double quotes where advisable.
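As an added example (not part of the question or the answer), here is a hardened version of that loop: it tolerates the Windows line endings that caused the \r error, validates each username before it reaches useradd, and maps the file's labels onto the real group names (visitors and staff, as used above). DRY_RUN=1 and the skip message are my additions for testing; the group names are assumed from the page.

```shell
#!/bin/bash
# Added example (not from the question or the answer): hardened provisioning
# loop. Strips CR line endings, validates usernames, and maps labels to the
# real groups (visitors, staff). DRY_RUN=1 prints commands instead of running.

# Map a file label to a system group; fail on unknown labels.
group_for() {
    case "$1" in
        visitor) echo visitors ;;
        staff)   echo staff ;;
        *)       return 1 ;;
    esac
}

# Accept only what useradd accepts by default: [a-z_][a-z0-9_-]*, 32 chars max.
valid_username() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# Parse one "name,label" line (trailing CR tolerated) into "name group";
# prints nothing and fails when the line is invalid.
parse_line() {
    local cr line user label group
    cr=$(printf '\r')
    line=${1%"$cr"}                  # drop the CR of a CRLF line ending
    user=${line%%,*}
    label=${line#*,}
    [ "$user" != "$line" ] || return 1   # no comma at all
    valid_username "$user" || return 1
    group=$(group_for "$label") || return 1
    printf '%s %s\n' "$user" "$group"
}

# Provision every valid line; invalid lines are reported and skipped instead
# of being handed to useradd as a mangled command.
provision_users() {   # usage: provision_users <file>
    local line parsed user group n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        parsed=$(parse_line "$line") || { echo "line $n: skipped: $line" >&2; continue; }
        user=${parsed%% *}; group=${parsed#* }
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "useradd $user; usermod -a -G $group $user"
        else
            sudo useradd "$user" && sudo usermod -a -G "$group" "$user"
        fi
    done < "$1"
}
```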

Execute sudo command non-interactively

I would like to execute the following command without interaction:
sudo grep -e "test" /etc/sudoers
I have tried the following method:
tester@compute:~$ echo 'clouduser' | sudo -S grep -e "test" /etc/sudoers
[sudo] password for tester: test ALL=(ALL) NOPASSWD: ALL
The problem is that I am getting the [sudo] password for tester: in front of the response.
How can I cut that part from the front of the answer?
Thanks!
I will answer my own question; maybe someone else will need it:
(echo 'clouduser' | sudo -Si >/dev/null 2>&1); sudo grep -e test /etc/sudoers
Add the following line to your /etc/sudoers file in order to turn on password-less sudo. In this case, I use john as the login account. Change to your own account id.
john ALL=(ALL:ALL) ALL
Alternatively, and perhaps better, put that line into a file called /etc/sudoers.d/john.
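As an added example (not from the question or either answer), here is how a script can run the page's grep under sudo without a prompt ending up in the output and without piping a password through stdin: sudo -n never prompts, so the script either gets the result or learns that a NOPASSWD rule for that exact command is missing. The account name in the drop-in comment and the SUDO override used for testing are assumptions.

```shell
#!/bin/bash
# Added example (not from the page): run a privileged command non-interactively.
# Piping a password into "sudo -S" puts the prompt in the output (it goes to
# stderr), exposes the password in the process list and history, and breaks
# when it changes. "sudo -n" either runs the command or fails fast.
# Assumed drop-in for the page's command (account name assumed):
#   tester ALL=(root) NOPASSWD: /usr/bin/grep -e test /etc/sudoers
SUDO="${SUDO:-sudo}"   # overridable so the function can be tested without sudo

# Run "$@" via sudo -n. Returns the command's own exit status, or 2 when sudo
# refused because a password would have been required.
run_root_noninteractive() {
    local err rc=0
    err=$(mktemp) || return 1
    "$SUDO" -n "$@" 2>"$err" || rc=$?
    if [ "$rc" -ne 0 ] && grep -q 'a password is required' "$err"; then
        rm -f "$err"
        echo "sudo -n refused '$*': no NOPASSWD rule covers this command" >&2
        return 2
    fi
    cat "$err" >&2      # pass the command's own stderr through untouched
    rm -f "$err"
    return "$rc"
}

# The page's command, done the non-interactive way.
sudoers_mentions() {   # usage: sudoers_mentions <pattern>
    run_root_noninteractive grep -e "$1" /etc/sudoers
}
```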

Bash cron job on hpanel not locating directory

I have the following code in a cron job; it runs, but the code does not really do what it is supposed to. It does not create the directory, plus it does not do anything else in the code. Please help me check whether the way I pointed to the directory is wrong.
#!/bin/bash
NAMEDATE=`date +%F_%H-%M`_`whoami`
NAMEDATE2=`date `
mkdir ~/home/u3811*****/domains/website.com/public_html/cron/backup/files/$NAMEDATE -m 0755
mysqldump -u u3811*****_boss -p"*******" u3811*****_data | gzip ~/home/u3811*****/domains/website.com/public_html/cron/backup/files/$NAMEDATE/db.sql.gz
echo "This is the database backup for website.com on $NAMEDATE2" |
mailx -a ~/home/u3811*****/domains/website.com/public_html/cron/backup/files/$NAMEDATE/db.sql.gz -s "website.com Database attached" -- mail#gmail.com
chmod -R 0644 ~/home/u3811*****/domains/website.com/public_html/cron/backup/files/$NAMEDATE/*
exit 0
Your NAMEDATE variable needs to be modified a bit, as shown below; for more information about variables in bash see this link.
NAMEDATE=$(date +%F_%H-%M"_"$(whoami))
When you issue the mkdir command you will need to pass the -p option to create the complete directory structure if it doesn't exist.
mkdir -p ~/home/u3811numbers/domains/website.com/public_html/cron/backup/files/$NAMEDATE -m 0755
Also, the ~ character on Linux-based distributions is used as a shortcut for the home directory of the user that invokes it, so in the line below the result is /home//home/u3811*****/domains/website.com/public_html/cron/backup/files/2020-09-04_23-13_; you can read more about it here.
In your last command before the exit, you might need to pass a wildcard (*) to avoid removing the executable bit on the directory; see below.
chmod -R 0644 ~/home/u3811*****/domains/website.com/public_html/cron/backup/files/$NAMEDATE/
The final version of your script will look something like this.
#!/bin/bash
NAMEDATE=$(date +%F_%H-%M"_"$(whoami))
NAMEDATE2=$(date)
mkdir -p ~/home/u3811******/domains/website.com/public_html/cron/backup/files/$NAMEDATE -m 0755
mysqldump -u u3811*****_boss -p"******" u3811*****_data | gzip > ~/home/u3811*****/domains/website.com/public_html/cron/backup/files/$NAMEDATE/db.sql.gz
echo "This is the database backup for website.com on $NAMEDATE2" | mailx -a ~/home/u3811*****/domains/website.com/public_html/cron/backup/files/$NAMEDATE/db.sql.gz -s "website.com Database attached" -- mail@gmail.com
chmod -R 0644 ~/home/u3811*****/domains/website.com/public_html/cron/backup/files/$NAMEDATE/*
To debug a bash script you can always pass the -x flag; for more information take a look at this article.
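As an added example (not the poster's script or the answer's final version), here is the same backup written the way I would put it in cron: an absolute path built from $HOME instead of "~/home/...", database credentials read from a 0600 option file instead of -p"..." on the command line (where cron mail and ps can see them), a private 0700 backup directory, and a dump step that fails loudly instead of mailing an empty archive. DB_NAME, BACKUP_ROOT, the option-file path, MAIL_TO and the "run" argument are assumed placeholders.

```shell
#!/bin/bash
# Added example (not from the page): hardened cron backup. Paths from $HOME,
# credentials from a 0600 option file, private directories, and no empty
# "successful" archives. DB_NAME/BACKUP_ROOT/MAIL_TO are placeholders.
set -eu
umask 077   # everything this script creates is private to the account

BACKUP_ROOT="${BACKUP_ROOT:-${HOME:-$PWD}/domains/website.com/public_html/cron/backup/files}"
DB_NAME="${DB_NAME:-u3811_data}"                                 # placeholder
MYSQL_OPTS_FILE="${MYSQL_OPTS_FILE:-${HOME:-$PWD}/.backup.cnf}"  # [client] user=.. password=..
MYSQLDUMP="${MYSQLDUMP:-mysqldump}"                              # overridable for tests
MAIL_TO="${MAIL_TO:-ops@example.com}"                            # placeholder

# e.g. 2020-09-04_23-13_alice, which is what the page's NAMEDATE was meant to be.
backup_dir_name() {
    printf '%s_%s\n' "$(date +%F_%H-%M)" "$(id -un)"
}

# Dump DB_NAME into $1/db.sql.gz and print the archive path. The dump goes to
# a plain file first so a mysqldump failure is visible (a pipe straight into
# gzip hides it) and no empty archive is left behind.
dump_database() {
    local dir="$1" sql="$1/db.sql"
    mkdir -p -m 0700 "$dir"
    # --defaults-extra-file must be the first option for mysql clients.
    if ! "$MYSQLDUMP" --defaults-extra-file="$MYSQL_OPTS_FILE" "$DB_NAME" > "$sql"; then
        rm -f "$sql"; return 1
    fi
    [ -s "$sql" ] || { rm -f "$sql"; return 1; }
    gzip -f "$sql" && chmod 0600 "$sql.gz"
    printf '%s\n' "$sql.gz"
}

run_backup() {
    local archive
    archive=$(dump_database "$BACKUP_ROOT/$(backup_dir_name)")
    printf 'Database backup for website.com on %s\n' "$(date)" \
        | mailx -a "$archive" -s "website.com database attached" -- "$MAIL_TO"
}

# Assumed cron line:  0 3 * * * /path/to/backup.sh run
case "${1:-}" in run) run_backup ;; esac
```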

Trouble with a script I am writing Mac Apple Management

I am a technician managing 10 Mac computers. I do not have an MDM to manage them. I manage them manually, one by one... On some of my Mac computers, even after I make the managed account a non-administrator, it comes back as an administrator.
I am at the point where I will write a script to prevent them from becoming administrators again.
This is my script:
PASSWORD=$(echo U2FsdGVkX1+6JWRG1T9hsA/DIOfb2OZdXBf9uVcYTxY= | openssl enc -aes-128-cbc -a -d -salt -pass pass:wtf)
echo $PASSWORD | sudo -u administrateur adminUsers=$(dscl . -read Groups/admin GroupMembership | cut -c 18-)
for user in $adminUsers
do
if [ "$user" != "root" ] && [ "$user" != "administrateur" ]
then
dseditgroup -o edit -d $user -t user admin
if [ $? = 0 ]; then echo "Removed user $user from admin group"; fi
else
echo "Admin user $user left alone"
fi
done
The encryption command works, but my second command (line 2) can't take my variable $PASSWORD. I have this:
sudo: administrateur: command not found
The script gets stuck at "administrateur" on line 2.
There are several problems with the line
echo $PASSWORD | sudo -u administrateur adminUsers=$(dscl . -read Groups/admin GroupMembership | cut -c 18-)
First, $PASSWORD isn't in double-quotes, so several special characters might cause trouble. Actually, echo has its own problems with special characters, so printf '%s\n' "$PASSWORD" would be much more reliable.
Except that sudo doesn't accept passwords over standard input, so the pipe won't work anyway.
Also, you can't do a variable assignment in a sudo command. Well, you can, but it's useless because it would make a subprocess as the other user, set the variable in that subprocess... and then exit the subprocess so the variable vanishes along with it.
And the order of evaluation is all wrong. The shell expands the $( ) part before running any of the commands (and as the current user). So it expands to something like:
echo pwgoeshere | sudo -u administrateur adminUsers=root administrateur
... which will tell sudo to run the command administrateur with the variable adminUsers set to "root". Not what you want at all.
But there's good news: dscl can read the group membership from any user account, so you don't need sudo or any of that. Just use:
adminUsers=$(dscl . -read Groups/admin GroupMembership | cut -c 18-)
On the other hand, dseditgroup does need special access to change group membership. What user is this script running as? If it's already running as root, it'll just work. If not, you could use sudo (with the complications of passing the password to that), or, much simpler, pass the admin credentials as arguments, with the -u and -P options:
dseditgroup -o edit -u administrateur -P "$PASSWORD" -d "$user" -t user admin
Two more suggestions: use lowercase variable names (e.g. password instead of PASSWORD) to avoid conflicts with the various all-caps names with special meanings, and run your scripts through shellcheck.net and correct the things it points out.
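As an added example (not the poster's script or the answer's code), here is the admin-group check split into pieces that can be tested without a Mac: the dscl output is parsed by field name rather than with cut -c 18-, anyone not on an allow-list is reported, and the removal uses dseditgroup -u/-P exactly as the answer suggests. It assumes administrateur is the admin account to keep and that its password comes in through ADMIN_PASSWORD (set by the caller, e.g. from a keychain lookup) rather than from a blob decrypted with a key in the same file.

```shell
#!/bin/bash
# Added example (not from the page): detect and revert admin-group drift on
# macOS. dscl output is parsed by field name instead of "cut -c 18-", which
# silently breaks if the label or its spacing changes. Assumed: the admin
# account is "administrateur" and its password is in ADMIN_PASSWORD.

# Print one admin-group member per line, given the raw output of
# "dscl . -read Groups/admin GroupMembership" on stdin.
admin_members() {
    awk '$1 == "GroupMembership:" { for (i = 2; i <= NF; i++) print $i }'
}

# Print the members read from stdin that are not in the allow-list ($@).
unexpected_admins() {
    local member allowed keep
    while IFS= read -r member; do
        keep=0
        for allowed in "$@"; do
            [ "$member" = "$allowed" ] && { keep=1; break; }
        done
        [ "$keep" -eq 1 ] || printf '%s\n' "$member"
    done
    return 0
}

# Remove every unexpected member, authenticating with -u/-P as the answer
# suggests. DRY_RUN=1 only reports what would change.
demote_unexpected_admins() {
    local user
    dscl . -read Groups/admin GroupMembership \
        | admin_members \
        | unexpected_admins root administrateur \
        | while IFS= read -r user; do
            if [ "${DRY_RUN:-0}" = 1 ]; then
                printf 'would remove %s from admin\n' "$user"
            elif dseditgroup -o edit -u administrateur -P "$ADMIN_PASSWORD" \
                    -d "$user" -t user admin; then
                printf 'Removed user %s from admin group\n' "$user"
            else
                printf 'Failed to remove %s from admin group\n' "$user" >&2
            fi
        done
}
```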

File permissions, root bash script, edit by user

I have a script that needs to be run as root. In this script I create directories and files. The files and directories cannot be modified by the user who ran the script (unless they're root, of course).
I have tried several solutions found here and on other sites; first I tried to mkdir -m 777 the directories like so:
#!/bin/bash
...
#Check execution location
CDIR=$(pwd)
#File setup
DATE=$(date +"%m-%d_%H:%M:%S")
LFIL="$CDIR/android-tools/logcat/logcat_$DATE.txt"
BFIL="$CDIR/android-tools/backup/backup_$DATE"
mkdir -m 777 -p "$CDIR/android-tools/logcat/"
mkdir -m 777 -p "$CDIR/android-tools/backup/"
...
I have also tried touching every created file and directory with the $USER as root, like so:
#!/bin/bash
...
#Check execution location
CDIR=$(pwd)
#File setup
DATE=$(date +"%m-%d_%H:%M:%S")
LFIL="$CDIR/android-tools/logcat/logcat_$DATE.txt"
BFIL="$CDIR/android-tools/backup/backup_$DATE"
mkdir -p "$CDIR/android-tools/logcat/"
mkdir -p "$CDIR/android-tools/backup/"
sudo -u $USER touch "$CDIR/"
sudo -u $USER touch "$CDIR/android-tools/"
sudo -u $USER touch "$CDIR/android-tools/logcat/"
sudo -u $USER touch "$CDIR/android-tools/backup/"
sudo -u $USER touch "$CDIR/android-tools/logcat/logcat_*.txt"
sudo -u $USER touch "$CDIR/android-tools/logcat/Backup_*"
...
I have also tried manually running sudo chmod 777 /android-tools/* and sudo chmod 777 /* from the script directory, which gave no errors, but I still cannot delete the files without root permission.
Here's the full script; it's not done yet. Don't run it with an Android device connected to your computer.
http://pastebin.com/F20rLJQ4
touch doesn't change ownership. I think you want chown.
If you're using sudo to run your script, $USER is root, but $SUDO_USER is the user who ran sudo, so you can use that.
If you're not using sudo, you can't trust $USER to be anything in particular. The caller can set it to anything (like "root cat /etc/shadow", which would make your above script do surprising things you didn't want it to do because you said $USER instead of "$USER").
If you're running this script using setuid, you need something safer, like id -u, to get the calling process's legitimate UID regardless of what arbitrary string happens to be in $USER.
If you cover both possibilities by making makestuff.sh like this:
# $SUDO_USER if set, otherwise the current user
caller="${SUDO_USER:-$(id -u)}"
mkdir -p foo/bar/baz
chown -R "$caller" foo
Then you can use it this way:
sudo chown root makestuff.sh
sudo chmod 755 makestuff.sh
# User runs it with sudo
sudo ./makestuff.sh
# User can remove the files
rm -r foo
Or this way (if you want to use setuid so regular users can run the script without having sudo access -- which you probably don't, because you're not being careful enough for that):
sudo chown root makestuff.sh
sudo chmod 4755 makestuff.sh # Danger! I told you not to do this.
# User runs it without sudo
./makestuff.sh
# User can remove the files
rm -r foo
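As an added example (not the poster's script or the answer's snippet), here is makestuff.sh resolving the calling user the way the answer describes, but without trusting $USER or $SUDO_USER as a bare string: the name is checked against a strict pattern, looked up with id, and only the numeric UID is ever placed on a command line, so a value such as "root cat /etc/shadow" is rejected instead of being split into extra arguments. The foo/bar/baz layout is the answer's; the "build" argument is my assumption so the file can be sourced for testing.

```shell
#!/bin/bash
# Added example (not from the page): makestuff.sh that resolves the caller
# safely. Only a validated, existing account name is accepted from SUDO_USER,
# and only its numeric UID reaches chown.

# Print the UID that should own the created files, or fail.
resolve_caller_uid() {
    local name="${SUDO_USER:-}" uid
    if [ -n "$name" ]; then
        case "$name" in
            -*|*[!A-Za-z0-9._-]*) return 1 ;;   # no options, spaces or shell text
        esac
        uid=$(id -u "$name" 2>/dev/null) || return 1   # must be a real account
    else
        uid=$(id -u)      # not run via sudo: the real uid of this process
    fi
    printf '%s\n' "$uid"
}

# Create the tree as root and hand it to the caller: 0755 directories so the
# owner can delete inside them, nothing group- or world-writable.
make_stuff() {   # usage: make_stuff [root-dir]
    local uid root="${1:-foo}"
    uid=$(resolve_caller_uid) || { echo "cannot determine calling user" >&2; return 1; }
    mkdir -p -m 0755 "$root/bar/baz"
    chown -R "$uid" "$root"
}

# Assumed invocation: "sudo ./makestuff.sh build" creates ./foo for the caller.
case "${1:-}" in build) make_stuff ;; esac
```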
