SUMMARY: Enhanced security & retirees

From: Chad Price <cprice_at_molbio.unmc.edu>
Date: Fri, 03 Dec 1999 10:51:36 -0600

My original question is at the end, but a quick summary is that I want to
completely remove users from an enhanced security database and rebuild the
db without the removed user names.

The consensus of the responses was to use 'edauth -r', which superficially
works, but does not finish the job. As pointed out by Alan Davis, it's not
supposed to completely remove it (or it is no longer a C2 system).

So if you really want to do the job,
         do a convuser -b,
         then remove the /var/tcb/files/auth.db file (keep a backup),
         then remove the user(s) from /etc/passwd,
         then convuser -a -u,
and the file will be recreated with only the entries in the current Base
passwd file. The '-u' keeps passwords usable according to the man page for
convuser.
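The four steps above wrapped in a script, as an added example that is not from the original post or from any of the responders: it refuses to run if a named user has no passwd entry, keeps the auth.db backup the summary advises, and filters passwd on an exact first-field match. It assumes convuser is on PATH; the DRY_RUN and REBUILD_AUTHDB variables are this example's own.

```shell
#!/bin/sh
# Added example, not a script from the original post: rebuild the Enhanced
# Security auth database without the named users, in the order the summary
# gives (convuser -b, back up and remove auth.db, edit passwd, convuser -a -u).
# Assumptions: convuser is on PATH; DRY_RUN/REBUILD_AUTHDB are this example's own.
AUTHDB=/var/tcb/files/auth.db
PASSWD=/etc/passwd

# Exit 0 if user $2 has an entry in passwd-format file $1 (exact first field).
user_exists() {
    awk -F: -v u="$2" '$1 == u { f = 1 } END { exit !f }' "$1"
}

# Print passwd-format file $1 without the users in $2 (space separated).
# The match is exact on the first field, so dropping "chad" leaves "chadwick".
drop_users() {
    awk -F: -v list="$2" '
        BEGIN { n = split(list, u, " "); for (i = 1; i <= n; i++) drop[u[i]] = 1 }
        !($1 in drop)' "$1"
}

# Rebuild the auth database without the users given as arguments.
rebuild_without() {
    [ $# -gt 0 ] || { echo "usage: $0 user..." >&2; return 2; }
    for u in "$@"; do      # refuse to run if any name is not in passwd (typo guard)
        user_exists "$PASSWD" "$u" || { echo "no passwd entry for $u" >&2; return 1; }
    done
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "dry run: passwd would become:" >&2
        drop_users "$PASSWD" "$*"
        return 0
    fi
    stamp=$(date +%Y%m%d%H%M%S)
    convuser -b                               || return 1   # back to Base security
    cp -p "$AUTHDB" "$AUTHDB.$stamp.bak"      || return 1   # keep a backup
    rm "$AUTHDB"                              || return 1
    drop_users "$PASSWD" "$*" > "$PASSWD.tmp" || return 1
    mv "$PASSWD.tmp" "$PASSWD"                || return 1
    convuser -a -u                                          # -u keeps passwords usable
}

# Only act when explicitly asked, so the functions can be sourced safely.
if [ "${REBUILD_AUTHDB:-0}" = 1 ]; then
    rebuild_without "$@"
fi
```

Run it once with the default DRY_RUN=1 to review the passwd file it would write, then with DRY_RUN=0 REBUILD_AUTHDB=1 to perform the rebuild.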

Otherwise, edauth -r will do the job (if followed by a vipw to remove the
passwd file entry also).

Here are a couple of scripts/procedures to do it with edauth:

deluser:
#!/bin/sh
# deluser: remove a user from an Enhanced Security system
# (refuses to run without a user name, so userdel is never called on "")
USERNAME="${1:?usage: deluser username}"
#echo "$USERNAME"
/usr/sbin/userdel -r "$USERNAME"
/tcb/bin/edauth -r "$USERNAME"
if [ -s "/var/spool/mail/$USERNAME" ]
then
        rm "/var/spool/mail/$USERNAME"
fi

and

# Delete the user and (-r) the home directory tree
# /usr/sbin/userdel -r <username>
# Remove user from protected database:
# /usr/tcb/bin/edauth -r <username>
# Delete the entry from /etc/passwd (creating a temporary file)
# /usr/bin/sed '/^<username>:/d' /etc/passwd > /etc/passwd.temp
# Rename the temporary file as /etc/passwd:
# /usr/bin/mv /etc/passwd.temp /etc/passwd


Many thanks to:
         John Speno
         Jane Zuzek
         Chris Meyers
         Corrine Haesaerts
         Alan Davis
         Marie-Claude Vialatte


Chad

At 09:09 AM 12/3/1999 -0600, Chad Price wrote:

>Having played with this for a couple of days, it's time to see if anyone
>else has any better ideas. I am trying to fully remove 'retired' accounts
>from an Enhanced Security system.
>
>The man page for usermod indicates that the -r option removes the user
>home directory and "deletes" the account. Yes it removes the home
>directory, and NO it does not delete the account. It remains in the authdb
>for enhanced security. There seems to be no way to actually remove a user
>once you have created the user...
>
>Why am I trying? I screwed up when making a script to migrate users from
>a Solaris box and forgot to put the gecos info (-c option for useradd)
>inside of quotation marks. Hence, whatever name or initial followed the
>first name became the account name (including capitalization, which authck
>complains about) and the intended account name (last parameter on the
>line) was ignored without comment.
>
>What have I tried so far? I have used convuser to extract things from
>Enhanced Security, vi to remove the unwanted account names from the passwd
>file (this is not yet a production system), and then convuser to move the
>accounts back into Enhanced Security.
>
>Well, the passwd file is ok now, and dxaccounts only shows the account
>names I want, but the db for Enhanced Security still shows all the
>accounts and the removed ones remain 'retired'. I.e., there is a complete
>audit trail there and I want to start over instead...
>
>Does anyone know if I can use convuser to backtrack to Base security,
>remove the passwd db for Enhanced Security and then use convuser again to
>re-enable Enhanced Security? Will this recreate the db from scratch?
>(this is what I want)? Or will it render the system so that no-one can
>log in? Or will it do worse?
>
>Chad

Chad Price
Systems Manager, Genetic Sequence Analysis Facility
University of Nebraska Medical Center
986495 Nebraska Medical Center
Omaha, NE 68506-6495
cprice_at_molbio.unmc.edu
(402) 559-9527
(402) 559-4077 (FAX)
Received on Fri Dec 03 1999 - 16:54:01 NZDT
