Hi to all admins,
My environment :
Alpha 4100, 2 CPU,2GB RAM
DU 4.0D (with PK 6, I think)
I have some trouble with our new security and audit plan.
After a meeting with Oracle, we will now accept the OS authorization as the
Oracle authorization, so terminal (or application) users will log on to our
Unix system and then automatically to Oracle... They will *never* drop to a
shell. And Unix user codes will be used for audit operations in Oracle.
But some problems came into existence...
- I have to create >200 accounts, each of which will have rsh as its shell.
- And the most problematic one: I have to write and implement a password change
method for those terminal users.
For the first problem (account creation) I have been slowly creating accounts..
(But anyway I am open to good offers...)
But for the password change, I have some serious problems..
1- I have found a C program in our mailing list archives and compiled it.
Basically, it opens a pipe to the Unix passwd program and feeds the user's new
password to it.
It closes stdout/stderr to fool the Unix passwd program, and opens a new stderr
(mystderr) and prints output messages to mystderr...
But after popen to the Unix passwd program, I could not print error messages
to the terminal screen. Then I have seen that it works in ksh, but in rsh it just
doesn't show anything after that point... What is the problem between the
program and rsh?
2- And maybe more importantly: where should I put the password change
program? If I put it in the .profile at each login, it will ask the user
whether he wants to change his password or not, BUT this is not logical
(maybe the user will need a password change after a month..). So where should I
put it...
What do you suggest...?
Thank you for your time and response ...
-----------------Program source-------------------
*previous lines are cut*
...
/* get a private stderr, then close stderr/stdout to silence pwd programs */
if ((fd = dup(2)) < 0) {
    fprintf(stderr, "ERROR: Couldn't dup error-output fd, exiting...\n");
    exit(1);
}
if ((mystderr = fdopen(fd, "w")) == NULL) {
    fprintf(stderr, "ERROR: Couldn't fdopen new stderr fd, exiting...\n");
    exit(1);
}
close(1);
close(2);
/* detach from controlling tty to convince passwd to read stdin for pw */
if ((fd = open("/dev/tty", O_RDWR)) >= 0) {
    if (ioctl(fd, TIOCNOTTY) < 0) {
        fprintf(mystderr, "ERROR: Failed to detach from /dev/tty: %s, exiting...\n",
                strerror(errno));
        exit(1);
    }
    close(fd);
}
/* shuffle UIDs for permissions - we expect to be running SUID-root */
origuid = getuid();
if (setuid(geteuid()) != 0) {
    fprintf(mystderr, "ERROR: Failed to properly set UID, exiting...\n");
    exit(1);
}
/* open a pipe to and then feed the standard Unix passwd program, slowly */
if (isatty(0)) {
    fprintf(mystderr, "Changing UNIX password, please wait...\n");
    fflush(mystderr);
}
/* command line is PASSWD followed by the user name from the passwd entry */
strcpy(cmd, PASSWD);
strcat(cmd, " ");
strcat(cmd, pwentry->pw_name);
if ((cmdpipe = popen(cmd, "w")) == NULL) {
    fprintf(mystderr, "ERROR: Can't open pipe to '%s', exiting...\n", cmd);
    exit(1);
}
sleep(3);
/* I COULD GET THE FPRINTF(MYSTDERR, "BLA BLA"); UP TO THIS POINT. AFTER
   HERE, IT DOES NOT PRINT ANYTHING ON TO SCREEN IN RSH (RESTRICTED SHELL) */
fprintf(cmdpipe, "%s\n", new); fflush(cmdpipe); sleep(2);   /* new password */
fprintf(cmdpipe, "%s\n", new); fflush(cmdpipe); sleep(2);   /* confirmation */
if ((status = pclose(cmdpipe)) != 0) {
    fprintf(mystderr, "ERROR: error code is :%d, \n exiting...\n", status);
    exit(1);
}
if (isatty(0))
    fprintf(mystderr, "PASSWORD HAS CHANGED.\n");
exit(0);
}
/* end of program */
--------------program finished-----------------
selcuk.karaca_at_aski.gov.tr
Unix sys Admin
ASKI - ANKARA
Received on Thu Nov 30 2000 - 14:27:27 NZDT
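An added example, not the poster's program: the posted code builds a command string from PASSWD and the user name and hands it to popen(3), which runs it through "sh -c", so the user name and the return value of pclose() both pass through a shell. The function below does the same job (feed a program its input on a pipe, keep a private stderr for our own messages, silence the child's own output) with fork/execv, so the user name is an argv element that no shell re-parses and the child's exit status is decoded properly. It assumes a POSIX system and uses a constructed /bin/sh stand-in instead of passwd so it runs anywhere.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/wait.h>

/* Added example, not the poster's code.  Exec argv[0] directly (no "sh -c"),
 * write each of the nlines strings plus '\n' to its stdin, send its own
 * stdout/stderr to /dev/null (what the posted code intends by closing 1 and
 * 2), and return its exit status: -1 on setup failure, 127 if exec failed. */
int feed_program(char *const argv[], const char *const lines[], int nlines)
{
    int p[2], status;
    pid_t pid;
    if (pipe(p) < 0)
        return -1;
    if ((pid = fork()) < 0) {
        close(p[0]); close(p[1]);
        return -1;
    }
    if (pid == 0) {                       /* child */
        int devnull = open("/dev/null", O_WRONLY);
        dup2(p[0], 0);
        if (devnull >= 0) { dup2(devnull, 1); dup2(devnull, 2); }
        close(p[0]); close(p[1]);
        execv(argv[0], argv);             /* user name stays an argv element */
        _exit(127);
    }
    close(p[0]);                          /* parent: feed the lines, then EOF */
    for (int i = 0; i < nlines; i++)
        if (write(p[1], lines[i], strlen(lines[i])) < 0 || write(p[1], "\n", 1) < 0)
            break;
    close(p[1]);
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed stand-in for passwd: succeeds only if the two lines match. */
static char *const DEMO_ARGV[] =
    { "/bin/sh", "-c", "read a; read b; test \"$a\" = \"$b\"", NULL };

int main(void)
{
    const char *const twice[] = { "s3cret-demo", "s3cret-demo" };
    FILE *mystderr = fdopen(dup(2), "w");   /* private stderr, as in the post */
    int rc = feed_program(DEMO_ARGV, twice, 2);
    fputs(rc == 0 ? "password accepted\n" : "passwd failed\n", mystderr);
    return rc == 0 ? 0 : 1;
}
```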