LinuxQuestions.org
Old 05-07-2012, 10:15 AM   #1
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 460

Rep: Reputation: 39
Is This An Error?


i am going over some scripts someone else did. am i correct, it should be "<=500" and not ">=500" ??

Code:
Make sure system accounts cannot be accessed by using the following script:

#!/bin/bash
for user in ` awk -F: ' ($3 >= 500) {print $1 }' /etc/passwd; do 
     if [ $user != "root" ]
     then
          /usr/bin/usermod -L $user
          if [ $user != "sync" && $user != "shutdown" && $user != "halt" ] 
          then
               /usr/sbin/usermod -s /sbin/nologin $user 
          fi
     fi 
done
 
Old 05-07-2012, 11:18 AM   #2
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Hanover, Germany
Distribution: Slackware
Posts: 12,216
Blog Entries: 2

Rep: Reputation: 2882
As I understand it the statement filters out all users with a UID below 500, which usually are system users. Most distributions nowadays use even only the numbers from 1000 upwards for non-system users.
 
Old 05-07-2012, 12:05 PM   #3
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 460

Original Poster
Rep: Reputation: 39
Quote:
Originally Posted by TobiSGD View Post
As I understand it the statement filters out all users with a UID below 500, which usually are system users. Most distributions nowadays use even only the numbers from 1000 upwards for non-system users.
in awk, ($3 >= 500) says $3 less than 500 ???
 
Old 05-07-2012, 12:18 PM   #4
millgates
Member
 
Registered: Feb 2009
Location: 192.168.x.x
Distribution: Slackware
Posts: 621

Rep: Reputation: 245
Quote:
Originally Posted by Linux_Kidd View Post
in awk, ($3 >= 500) says $3 less than 500 ???
No. Please read TobiSGD's post more carefully. The script prints all users with UID greater than or equal to 500. That means that it filters out (that is, does not print) users with UID below 500.
 
Old 05-07-2012, 12:18 PM   #5
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Hanover, Germany
Distribution: Slackware
Posts: 12,216
Blog Entries: 2

Rep: Reputation: 2882
No, it says to only print the users with a UID >=500, which is effectively filtering out anything below 500.
 
Old 05-07-2012, 12:42 PM   #6
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 460

Original Poster
Rep: Reputation: 39
i know what the awk does, was asking in the context of the script. so in the title of the script it's wrong then. as is it will lock all accounts >=500
 
Old 05-07-2012, 01:18 PM   #7
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Hanover, Germany
Distribution: Slackware
Posts: 12,216
Blog Entries: 2

Rep: Reputation: 2882
OK, I have not really looked at that part, since you emphasized the conditional statement. No, it will not really lock the accounts, but do something similar: It disables the passwords for those users and sets their login shells to /sbin/nologin.
This may not be what is intended (in this case most likely), but it is dependent on the context. This will for example enable password-less access to an FTP server for all users without letting them connect via SSH or log in locally.
 
Old 05-07-2012, 02:34 PM   #8
sundialsvcs
Senior Member
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 4,554

Rep: Reputation: 640
Let's take a closer look at this particular "magic voodoo incantation":

Code:
` awk -F: ' ($3 >= 500) {print $1 }' /etc/passwd`
Notice first of all the back-tick character. This means that the shell is to execute the enclosed command, then do something with every line that this command generates. (Note that I added one tick. And if you live in the deep South in the US where ticks are a curse this time of year, I apologize in advance.)

So, why don't you start by excising that particular line of text out of the script and type it in directly on the command-line. If you hold your mouth in just the right position on a night precisely the right phase of the moon, at a crossroads after turning widdershins thrice, (which is why I hate this sort of magick...) you will see that this command tells awk to read /etc/passwd and to execute its own "tiny little program" against it: a "tiny little program" that, for every line in the aforesaid file in which the third blank-delimited token (taken as an integer) is greater than or equal to 500, will print out the content of the first token (for consumption by our shell script).

The line is therefore probably correct.

The trouble, for you and for anyone else, is that this kind of coding is very obtuse: when coded in exactly the right way and run under exactly the right conditions, it "works, sort of."

Last edited by sundialsvcs; 05-07-2012 at 02:35 PM.
 
Old 05-07-2012, 03:00 PM   #9
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 460

Original Poster
Rep: Reputation: 39
Quote:
Originally Posted by sundialsvcs View Post
Let's take a closer look at this particular "magic voodoo incantation":

...
The line is therefore probably correct.
1. ok, i didn't write the code, just reviewing it.
2. i don't think it is correct.

the title of the script is
"Make sure system accounts cannot be accessed by using the following script:"
which i believe is UID <=500 and not >=500 (rhel 5.x)

that's what i am asking......
 
Old 05-09-2012, 05:26 AM   #10
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 460

Original Poster
Rep: Reputation: 39
bump,
any answers on my post #9 ??
 
Old 05-09-2012, 05:41 AM   #11
millgates
Member
 
Registered: Feb 2009
Location: 192.168.x.x
Distribution: Slackware
Posts: 621

Rep: Reputation: 245
Probably the intention of the author was to print entries with "$3 < 500", because otherwise {,s}he would not check whether or not the $user is 'root' in the next line since this would have been filtered out by awk. So it probably is an error.
 
Old 05-15-2012, 01:52 PM   #12
AnanthaP
Member
 
Registered: Jul 2004
Location: Chennai, India
Distribution: UBUNTU 5.10 since Jul-18,2006 on Intel 820 DC
Posts: 535

Rep: Reputation: 90
What about post #2? Is the limit <= 1000 for system files?

In this URL, (ClearOS - listed in DistroWatch)
http://www.clearfoundation.com/docs/..._gids_and_rids
                 UID/GID    RID   Purpose                         Examples
System Users     0-499      n/a   System user accounts            root, apache, mysql
System Groups    0-499      n/a   System group accounts           lp
Normal Users     500-999    n/a   User accounts outside of LDAP   devel

OK
 
Old 05-15-2012, 02:00 PM   #13
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Hanover, Germany
Distribution: Slackware
Posts: 12,216
Blog Entries: 2

Rep: Reputation: 2882
There is actually no guideline for the limit between system users and normal users. It is totally dependent on the distro developers mind. For example, Fedora has used a limit of 500 for a long time and recently switched to 1000.
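
A corrected form of the check debated in this thread, as an added example that is not code from any poster: it selects UIDs below the boundary (`<`, so UID 500 itself is left alone), reads the boundary from `UID_MIN` in `/etc/login.defs` instead of hard-coding it, and only prints the `usermod` commands rather than running them. The function names and the sample passwd entries are constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the thread): dry-run lock-down of system accounts only.

# UID_MIN from a login.defs-style file; falls back to 500, the RHEL 5.x
# boundary assumed in the thread, when the file or the key is missing.
uid_min() {
    local defs="${1:-/etc/login.defs}" v=""
    [ -r "$defs" ] && v=$(awk '$1 == "UID_MIN" { print $2; exit }' "$defs")
    case "$v" in
        ''|*[!0-9]*) echo 500 ;;
        *)           echo "$v" ;;
    esac
}

# Print the usermod commands for every account with UID < $2 in passwd
# file $1. Nothing is executed, so the plan can be reviewed first.
plan_lockdown() {
    local passwd="$1" min="$2" user
    awk -F: -v min="$min" '$3 < min { print $1 }' "$passwd" |
    while IFS= read -r user; do
        [ "$user" = "root" ] && continue          # never lock root
        echo "usermod -L $user"
        case "$user" in
            sync|shutdown|halt) ;;                # shell left alone, as in the original script
            *) echo "usermod -s /sbin/nologin $user" ;;
        esac
    done
}

# Constructed sample passwd entries (not taken from a real host).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
apache:x:48:48:Apache:/var/www:/sbin/nologin
alice:x:500:500::/home/alice:/bin/bash
EOF
}

tmp=$(mktemp)
sample_passwd > "$tmp"
plan_lockdown "$tmp" "$(uid_min)"   # boundary comes from this host's login.defs
rm -f "$tmp"
```

With the `>=` comparison from the original script the same sample would select only alice, the one ordinary login account.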
 
  

