LinuxQuestions.org
Red Hat This forum is for the discussion of Red Hat Linux.

Old 12-13-2004, 03:43 AM   #1
joey52
Member
 
Registered: Dec 2004
Posts: 59

Rep: Reputation: 15
Helping changing password.


A couple questions guys,

I made a shell script called suspend.sh

The script is something simple for me to pass through to a server to kill a user and his pid's and then change the password of the user so he can't login until he pays his bill, and then I will work on the unsuspend.sh . Some of my game server clients don't take emails too well and I figure a quick suspend on their game servers and lock them out of their files will give them a quick message to pay up.

Anyways, I figure to kill anything he has running I would do this command:

pkill -u ${USER}    # The user will be defined before this line
passwd ${USER}      # What's next for input?


I am not sure how to change the password of the user in a script.
But I have no clue where to take it from there. I want to change the user's password to "STSTSTSTST" for instance. What would be the next lines? I would appreciate any help.
 
Old 12-14-2004, 11:39 AM   #2
wmakowski
Member
 
Registered: Oct 2003
Location: Ohio
Distribution: Fedora 25, 26, RHL 5.2
Posts: 560

Rep: Reputation: 56
Perhaps a better solution would be to use usermod to disable the account. For example:
Code:
usermod -e YYYY-MM-DD deadbeat
If you still want to change the password this could be done with usermod, but would involve some programming. Right now I can't think of a way to use passwd since it is an interactive command. That doesn't mean it can't be done.

Bill
 
Old 12-14-2004, 02:12 PM   #3
joey52
Member
 
Registered: Dec 2004
Posts: 59

Original Poster
Rep: Reputation: 15
password

Thanks for the answer. I did "man usermod" and I see that the command you presented does make the account inactive at a certain date. This is good.

Here comes my next question... Now the customer sees his files are no longer available. Now the little light bulb shines and says, "Well I guess I better pay". Now he pays. The "man usermod" doesn't show how to reverse the inactivity.

 
Old 12-14-2004, 03:37 PM   #4
wmakowski
Member
 
Registered: Oct 2003
Location: Ohio
Distribution: Fedora 25, 26, RHL 5.2
Posts: 560

Rep: Reputation: 56
Ah yes, you have to like the unwritten features. To remove an expiration date you would replace the date with "". Here's an example:
Code:
usermod -e "" deadbeat
I thought of another idea for you after looking at the page. You could use the -L option to lock the account and -U to unlock it when you want to return access. Just another option...

Bill
 
Old 12-14-2004, 04:58 PM   #5
joey52
Member
 
Registered: Dec 2004
Posts: 59

Original Poster
Rep: Reputation: 15
Wow I am amazed. Thanks for your help. I may need some more help, after tomorrow I should have the suspend and unsuspend feature working ok, maybe I move on to the next step.

Thanks for the help man. Pretty kind of you.

All jokes aside, most people here are to help people or hackers helping hackers....cause I read a few disturbing forum threads and said to myself, "WTF"... doesn't matter to me either way. Thanks for the help though.
 
Old 12-14-2004, 07:34 PM   #6
joey52
Member
 
Registered: Dec 2004
Posts: 59

Original Poster
Rep: Reputation: 15
Adding User

Ok ...

Now I present my next question. I know, through an ssh start script (with a no entry comment up at top), the user can change his own password, if ssh access is not allowed at the command line.

Now my script would create the user and transfer the game over to the user's account. How does the script, simple shell, pipe the password after it creates the user and changes ownership of the user. Can you give me a demonstration? Or maybe a link?

Thanks in advance.
 
Old 12-14-2004, 10:43 PM   #7
joey52
Member
 
Registered: Dec 2004
Posts: 59

Original Poster
Rep: Reputation: 15
Password

Ok I figured out the password entry.
The user .bash_profile .
Is there a way to remove the write permissions to this file? I have tried with me and a buddy and no matter what he can rewrite it if he wants to.
 
Old 12-15-2004, 11:35 AM   #8
wmakowski
Member
 
Registered: Oct 2003
Location: Ohio
Distribution: Fedora 25, 26, RHL 5.2
Posts: 560

Rep: Reputation: 56
The only way to do that is remove their ability to write in that directory and ownership of the file, otherwise they will be allowed to override. This probably isn't a good idea since ideally each user should own and be able to write in their home directory.

What might be a better option is to setup a Restricted Shell for these users. The restricted shell puts the user into an environment where the ability to move around and write is very limited. To put someone in this mode you add the -r option onto the login shell in /etc/passwd. For example:
Code:
scooby:x:501:100:Scooby Doo:/home/scooby:/bin/bash -r
You might also have a /bin/rbash shell on your system to do the same thing. The system administrator will have complete control over what these users are allowed to do. It will take a little work to set this up. One way to do it is set up a directory with commands they are allowed to run and add that to their path. Another way is to build a command menu with what they are allowed to execute and if they escape they exit the shell.

Updated 16-DEC-04: After a little more research I found that /bin/bash -r does not work correctly inside /etc/passwd. If you want to put someone into a restricted shell at login you must create a rbash symbolic link to /bin/bash in /bin. You then set the shell to /bin/rbash in /etc/passwd. For completeness /bin/rbash should also be added to the list of shells in file /etc/shells.

Lastly, if you don't already have one, I would recommend getting a book on shell programming. Out of the books in my library I use this the most. In my opinion O'Reilly & Associates, Inc. puts out the best books on shell programming. You can find them on their Linux/Unix page. "Learning the bash Shell", "Learning the Korn Shell", "Using csh & tcsh" are all well written.

Bill

Last edited by wmakowski; 12-16-2004 at 06:25 PM.
 
Old 12-15-2004, 12:28 PM   #9
joey52
Member
 
Registered: Dec 2004
Posts: 59

Original Poster
Rep: Reputation: 15
Thanks Bill,

Ok we did the following.

1- Made a user at home called "jhjhg34hg" for example.
2- Then we made that user owner of the .bash_profile.

My friend was logged in at the time but was still able to change what he wanted to the .bash_profile . Funny, when he made the changes, the .bash_profile went back to him as the owner and the group.

I think this is attributed to him being logged in as that user before I changed ownership and group of his .bash_profile.

We will try again tonight without him being logged in.

Thanks so much man.
 
Old 12-15-2004, 01:11 PM   #10
joey52
Member
 
Registered: Dec 2004
Posts: 59

Original Poster
Rep: Reputation: 15
Hey bill

Learned some new stuff today with that usermod command

USER=johnny

usermod -s /bin/false johnny              # locks his ssh account
/usr/sbin/usermod -s /bin/bash johnny     # unlocks his ssh account


But it won't lock ftp. So I guess using

usermod -L johnny    # Locks the password so he can't get in
usermod -U johnny    # Unlocks password so he can get in.

Let me know if I am on the right track.

thanks man. ;-)
 
Old 12-15-2004, 01:42 PM   #11
wmakowski
Member
 
Registered: Oct 2003
Location: Ohio
Distribution: Fedora 25, 26, RHL 5.2
Posts: 560

Rep: Reputation: 56
Yep, right on track. The -L option messes with the password in /etc/shadow to keep the user from logging in. It adds a ! right before the encrypted password making it unusable. You can also see what happens when using the -e option in /etc/shadow.

On the .bash_profile question, what I have found is that the user, scooby in my case, will have access to change .bash_profile unless I take away write access on the directory /home/scooby and chown root:users .bash_profile. Write access was denied even if the user was already logged in. In summary /home/scooby and .bash_profile have the following characteristics.
Code:
dr-x------   2 scooby   users  4096 Dec 15 11:55 scooby
-rw-r--r--  1 root   users  209 Dec 15 11:43 .bash_profile
In this setup if scooby is smart enough they can move to /home and add write access to the scooby directory since they are still the owner of that directory. After that they have the ability to write to .bash_profile and all files in the directory. You can use any owner you want on .bash_profile, I just used root because it was convenient.

Bill
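The /etc/shadow effects described in this post can be checked with a short script. This is an added example, not part of the original post: it classifies accounts from shadow(5)-format lines by the `!` prefix that usermod -L adds (field 2) and the expiry day that usermod -e sets (field 8). The sample lines and the function name `account_states` are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify accounts from shadow(5)-format lines.
#   field 2 = password hash; a leading "!" is what usermod -L adds
#   field 8 = account expiry in days since 1970-01-01 (usermod -e)

# Constructed sample data; these are placeholders, not real hashes.
SAMPLE_SHADOW='scooby:$6$constructedsalt$constructedhash:12767:0:99999:7:::
johnny:!$6$constructedsalt$constructedhash:12767:0:99999:7:::
deadbeat:$6$constructedsalt$constructedhash:12767:0:99999:7::12766:
felixthecat:!$6$constructedsalt$constructedhash:12767:0:99999:7::1:
newuser:!!:12767:0:99999:7:::'

# account_states TODAY_IN_DAYS   (reads shadow lines on stdin)
# Prints "<user> <state>" for each line.
account_states() {
    awk -F: -v today="$1" '
    NF >= 8 {
        # Password login is disabled when the hash field starts with "!".
        locked  = ($2 ~ /^!/)
        # Rule used in this example: expired when the expiry field is
        # set, greater than 0, and today has reached it.
        expired = ($8 != "" && $8 + 0 > 0 && today + 0 >= $8 + 0)
        if (locked && expired) state = "locked+expired"
        else if (locked)       state = "password-locked"
        else if (expired)      state = "expired"
        else                   state = "active"
        print $1, state
    }'
}

# Demo on the constructed sample. On a live system, run as root:
#   account_states "$(( $(date +%s) / 86400 ))" < /etc/shadow
printf '%s\n' "$SAMPLE_SHADOW" | account_states "$(( $(date +%s) / 86400 ))"
```

An account reported as only password-locked can still be reachable by means that do not use the password, such as SSH public keys; the usermod man page recommends also setting the expire date to 1 when the whole account should be locked.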
 
Old 12-15-2004, 02:11 PM   #12
joey52
Member
 
Registered: Dec 2004
Posts: 59

Original Poster
Rep: Reputation: 15
Wow, this is getting a bit sloppy. Let's say for all times sake the following:

I add a user in home : /home/felixthecat

Now I add a user called /home/johnny

Now I modify johnny .bash_profile -

echo "/test/./.start" >> /home/johnny/.bash_profile

Now when he logs into shell, he doesn't get a command line but a nice little ssh script with a no entry so he can't use "ctrl + c" to get to command and out the shell script.

Now I can change ownership of .bash_profile


cd /home/johnny
chown felixthecat .bash_profile
chgrp felixthecat .bash_profile

He can't get out of the script in ssh so he can't go to /home to change his permissions. But he can change his permissions in smartftp because he needs to have write permissions so his game can log and so on.

Here's a new twist.

Lets say I make a folder in /home/johnny/.private
chmod ugo-rw /home/johnny/.private


Can I move his .bash_profile to /home/johnny/.private and it still work?

I doubt it. I guess this bash_profile was really meant for the user and belongs to the user at all times. No real way to change it without messing up the game.

OK since we can't change the .bash_profile, can we jail the ssh account to his own user folder and no more?

Now also... if we have like a teamspeak program already running in johnny

and I do
usermod -L johnny

This will only lock the password but not shut down his programs?


Last edited by joey52; 12-15-2004 at 02:16 PM.
 
Old 12-16-2004, 06:17 PM   #13
wmakowski
Member
 
Registered: Oct 2003
Location: Ohio
Distribution: Fedora 25, 26, RHL 5.2
Posts: 560

Rep: Reputation: 56
Looks like you are getting in pretty deep. You're right it does look a little sloppy, but I'm sure things will turn out okay in the end. Rather than do a bunch of quoting I replied using the same order as your post otherwise this would be twice as long. The first proposal you described sounds a lot like a restricted shell. I don't have much experience with SSH, it's one of those things I've been meaning to get around to.

I played around with using a restricted shell a little bit and found that you don't have to mess around with permissions and file ownership to get the results you are after. "I was wrong" earlier about setting the shell to /bin/bash -r in /etc/passwd. To put a user into a restricted shell you first need to set up a /bin/rbash symbolic link to /bin/bash in /bin. The entry in /etc/passwd is then /bin/rbash which puts the user into a restricted shell at login. It is also important to add /bin/rbash to the list of shells in the file /etc/shells.

Next I needed to determine what commands they are allowed to run and revise $PATH in .bash_profile. I set up a directory called /usr/rbin containing symbolic links to commands I wanted to allow. $PATH contained this directory along with another directory with a few scripts I wanted them to have access to. The menu you created is another way of doing it and probably more user friendly. I was surprised how well the restricted shell worked. By not giving them access to any editors or copy they were not able to change .bash_profile. In restricted shell you are not allowed to redirect input or output either so you can't backdoor a change to .bash_profile.

In the setup I made there was no real need to change ownership of .bash_profile. For an ftp server I use vsftpd and it allowed me to jail the user to their home directory. I was also able to use the deny_file option to deny them access to the .bash* files. Both the jail and deny_file were simple entries in vsftpd.conf. They still had access to write and read other files in the directory. Maybe you can find the same options in smartftp?

On your question about reassigning .bash_profile to .private. I do not know if there is a way to run that from login. There is mention about using $BASH_ENV to run scripts in non-interactive shells, but I didn't see any mention of changing what profile script is run at login.

The restricted shell jails them to their home directory by disabling the builtin cd command. You can disable other built-in commands using enable -n <command>.

Your last question about using usermod -L johnny. Using this command will not interrupt anything they are currently doing. It will just keep them from logging in again after they logout.

Bill
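The restricted-shell layout described in this post (rbash symlink, /etc/shells entry, /usr/rbin links, PATH set in .bash_profile) can be staged and reviewed before it touches a live system. This is an added example, not part of the original post: the staging prefix, the function names `setup_rbash` and `audit_rbin`, and the list of commands flagged by the audit are assumptions.

```shell
#!/bin/sh
# Added example: build the restricted-shell layout under a staging
# prefix, then flag allowed commands that would undo the restriction.

# setup_rbash ROOT USER CMD...   (safe to run more than once)
setup_rbash() {
    root=$1; user=$2; shift 2
    mkdir -p "$root/bin" "$root/etc" "$root/usr/rbin" "$root/home/$user"

    # 1. bash runs restricted when it is invoked under the name rbash
    ln -sf /bin/bash "$root/bin/rbash"

    # 2. list the shell in /etc/shells, exactly once
    touch "$root/etc/shells"
    grep -qx /bin/rbash "$root/etc/shells" ||
        echo /bin/rbash >> "$root/etc/shells"

    # 3. /usr/rbin holds links to the only commands the user may run
    for cmd in "$@"; do
        target=$(command -v "$cmd") || target=
        case $target in
            /*) ln -sf "$target" "$root/usr/rbin/$cmd" ;;
            *)  echo "skip: no executable found for $cmd" >&2 ;;
        esac
    done

    # 4. the login profile limits PATH to that directory
    printf 'PATH=/usr/rbin\nexport PATH\n' > "$root/home/$user/.bash_profile"
}

# audit_rbin ROOT   prints allowed commands that are shells, editors or
# copy tools (an assumed list), any of which lets the user leave the
# restricted shell or rewrite .bash_profile.
audit_rbin() {
    for f in "$1"/usr/rbin/*; do
        [ -L "$f" ] || continue
        case ${f##*/} in
            sh|bash|vi|vim|nano|ed|cp|mv) echo "${f##*/}" ;;
        esac
    done
}

# On the live system the same steps run with ROOT=/ as root, followed by:
#   usermod -s /bin/rbash johnny
```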
 
Old 12-17-2004, 06:39 PM   #14
joey52
Member
 
Registered: Dec 2004
Posts: 59

Original Poster
Rep: Reputation: 15
PM

Check out the script in the pm. I hope I am getting close. I tried locking the password, but then the account becomes useless after I create it..lol.
 
Old 12-17-2004, 06:45 PM   #15
joey52
Member
 
Registered: Dec 2004
Posts: 59

Original Poster
Rep: Reputation: 15
Well I did buy the yearly subscription to use the private messages but it won't let me. Do you have a gmail or something?
 
  

