LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 12-10-2013, 12:22 PM   #1
crimsonclay
LQ Newbie
 
Registered: Mar 2013
Posts: 6

Rep: Reputation: Disabled
help with script: all accounts must be set to expire and go inactive


I have been assigned a project at work where all accounts on approx 450 RHEL servers must be set to expire and go inactive. There will be exceptions on service accounts and so forth, but for the majority all need to be modified.

I can use the command below to set each account individually, but that will take forever.

chage -M 90 -W 14 -I 90 "username"

Here's what I would like to do.
  • Create a simple script to go through /etc/passwd and check to see which accounts meet the criteria
  • Generate a text file and place it in /tmp
  • Crearte another script to read that txt file and modify the user accounts in the text file

Those are just my thoughts. If anyone has any ideas, please let me know. I am definitely not a scripter so your input will be greatly appreciated.
 
Old 12-10-2013, 12:29 PM   #2
linosaurusroot
Member
 
Registered: Oct 2012
Distribution: OpenSuSE,RHEL,Fedora,OpenBSD
Posts: 979
Blog Entries: 2

Rep: Reputation: 235Reputation: 235Reputation: 235
This should be done without using the intermediate temporary file.

Are all accounts to be processed in local /etc/passwd,/etc/shadow files?
 
Old 12-10-2013, 12:39 PM   #3
crimsonclay
LQ Newbie
 
Registered: Mar 2013
Posts: 6

Original Poster
Rep: Reputation: Disabled
yes, all accounts are processed in local /etc/passwd and /etc/shadow files.

I have to mention, I do not know yet what accounts can not be modified; that is, accounts for oracle and so forth.
 
Old 12-10-2013, 12:39 PM   #4
shivaa
Senior Member
 
Registered: Jul 2012
Location: Grenoble, Fr.
Distribution: Sun Solaris, RHEL, Ubuntu, Debian 6.0
Posts: 1,800
Blog Entries: 4

Rep: Reputation: 286Reputation: 286Reputation: 286
Do you want to invoke the same change to all users available in your /etc/passwd file? Or want to exclude some of them? Otherwise, for all users, you can do it with simple script like this:
Code:
~$ vi chagescript.sh
#!/bin/bash
awk -F":" '{print $1}' /etc/passwd > /tmp/users.txt
while read -r user
do
chage -M 90 -W 14 -I 90 $user
echo "Modification done for user $user".
done < /tmp/users.txt
Then make it executable, as:
Code:
~$ chmod +x chagescript.sh
 
Old 12-10-2013, 12:42 PM   #5
crimsonclay
LQ Newbie
 
Registered: Mar 2013
Posts: 6

Original Poster
Rep: Reputation: Disabled
Some will have to be excluded. For example, oracle related accounts and mysql accounts. Those specific accounts have not been defined as of yet.
 
Old 12-10-2013, 12:48 PM   #6
crimsonclay
LQ Newbie
 
Registered: Mar 2013
Posts: 6

Original Poster
Rep: Reputation: Disabled
Basically, i need to scan for any accounts in the /etc/shadow file that do not end in :15975:0:90:14:90::

A cursory glance of the /etc/shadow file seems to indicate that anything with a second field of * or !! are service accounts that should be excluded.
 
Old 12-10-2013, 11:02 PM   #7
shivaa
Senior Member
 
Registered: Jul 2012
Location: Grenoble, Fr.
Distribution: Sun Solaris, RHEL, Ubuntu, Debian 6.0
Posts: 1,800
Blog Entries: 4

Rep: Reputation: 286Reputation: 286Reputation: 286
Quote:
Those specific accounts have not been defined as of yet.
To me, the only concern seems is to list out user accounts. However, exacctly define which account should be included and which should be excluded, then come back.
 
Old 12-11-2013, 12:14 AM   #8
SAbhi
Member
 
Registered: Aug 2009
Location: Bangaluru, India
Distribution: CentOS 6.5, SuSE SLED/ SLES 10.2 SP2 /11.2, Fedora 11/16
Posts: 664

Rep: Reputation: 80
Quote:
Originally Posted by crimsonclay View Post
Basically, i need to scan for any accounts in the /etc/shadow file that do not end in :15975:0:90:14:90::

A cursory glance of the /etc/shadow file seems to indicate that anything with a second field of * or !! are service accounts that should be excluded.

So you need to exclude all system accounts for those login shell as defined as /bin/nologin

Code:
for i in $(awk -F":" '/nologin/ {print $1}' /etc/passwd)
do
echo "$i"
done

OR

for i in $(awk -F":" '/*/||/!!/ {print $1}' /etc/shadow)  #could be more simply formatted
do
echo "$i"
done
above will do it simply.
 
Old 12-11-2013, 09:33 AM   #9
crimsonclay
LQ Newbie
 
Registered: Mar 2013
Posts: 6

Original Poster
Rep: Reputation: Disabled
So, the command to list out the accounts that will need modifying is below.

cat /etc/shadow | grep -v '0:90:14:90::' | grep -v '!:' | grep -v '*\:'

I can redirect the output to /tmp/chage. With that output, how can I proceed with a script to set the inactive and expire flags?
 
Old 12-11-2013, 11:36 AM   #10
druuna
LQ Veteran
 
Registered: Sep 2003
Posts: 10,532
Blog Entries: 7

Rep: Reputation: 2387Reputation: 2387Reputation: 2387Reputation: 2387Reputation: 2387Reputation: 2387Reputation: 2387Reputation: 2387Reputation: 2387Reputation: 2387Reputation: 2387
Quote:
Originally Posted by crimsonclay View Post
So, the command to list out the accounts that will need modifying is below.

cat /etc/shadow | grep -v '0:90:14:90::' | grep -v '!:' | grep -v '*\:'

I can redirect the output to /tmp/chage. With that output, how can I proceed with a script to set the inactive and expire flags?
Be careful when using * and ! (!!).

The passwd field can hold any character. *, ! and !! are often seen but it can also be empty or any other character!!

Also: rejecting lines with nologin is also not full-proof (check your passwd file).

If I assume the default way of encrypting passwords is used you could look for lines that have a $ as first character in field 2 and as an extra reject lines with 0:90:14:90::. Even then you might need to check if the results are all ok.

Have a look at this:
Code:
#!/bin/bash

while read THISUSER 
do
  # this would be exectued, its just echoed atm.
  echo "chage -M 90 -W 14 -I 90 $THISUSER"
done < <( awk -F: '$2 ~ /^\$./ { if ( $0 !~ "0:90:14:90::" ) print $1 }' /etc/shadow )
The above code won't change anything, it only echo's the command's that would be executed. Change echo "chage -M 90 -W 14 -I 90 $THISUSER" to chage -M 90 -W 14 -I 90 $THISUSER if this double and triple checked.

EDIT: Do make sure you have backups of the files concerned before starting this action!

Last edited by druuna; 12-11-2013 at 01:15 PM. Reason: Added extra warning
 
2 members found this post helpful.
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: Expire User Accounts On The Ubuntu Server LXer Syndicated Linux News 0 06-21-2010 10:10 PM
[SOLVED] Set user account expire date kirukan Linux - Newbie 4 03-18-2010 03:24 AM
LXer: Handling of inactive Debian Accounts LXer Syndicated Linux News 0 07-13-2007 10:01 PM
Request : set passwords for many users [user accounts exist] using a shell script bv_uma Linux - Software 3 08-19-2006 10:01 AM
do inactive accounts get deleted? Berhanie LQ Suggestions & Feedback 5 01-02-2005 11:12 PM


All times are GMT -5. The time now is 06:23 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration