Thursday, January 27, 2011

User admin in Linux

Where I work, we currently ship our Linux software to independent sites around the US.

The sites need a way to manage the users of these systems: they must be able to add and delete users, and to reset and change passwords.

There are two ways of doing this: build user management into the software itself and run everything under one OS account, or use OS accounts and let the OS do the work.

I prefer the second option, which is what I discuss here.

Once you let the OS do the work, you have three options. You can:
  • simply let the root account do all of the admin (by logging in as root);
  • let the users themselves perform the user admin via sudo. This requires a carefully constructed sudoers file that grants passwd, useradd and userdel to a specific group of users or groups;
  • install a setuid-root helper (this is the setuid bit on the file, not the sticky bit, which on a directory only restricts who may delete entries) and still let normal users perform the admin. A setuid-root helper starts with an effective uid of 0 no matter who runs it, so if you also make the user type the root password into your program before it runs the command and drops back to the caller's real uid, you are re-implementing su, and every site admin ends up holding the root password.
I prefer the second way. Fewer people need access to the root account and password, and the sudoers file lets us restrict things very precisely, provided the rules also pin down the arguments: an unrestricted `passwd` lets a sudoer reset root's password, and an unrestricted `useradd` lets them create a second uid-0 account.
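The following is an added example of the sudo approach; it is not code from the original post. Instead of granting passwd, useradd and userdel directly (sudoers argument wildcards match across spaces, so restricting arguments in sudoers is fragile), the sudoers rule grants a single wrapper script and the script validates the user name and refuses root and system accounts by uid. The group name `siteadmins` and the install path `/usr/local/sbin/site-user` are assumptions.

```shell
#!/bin/sh
# site-user: the only command a site admin may run via sudo.
# Added example, not the original post's code. The group "siteadmins" and
# the path /usr/local/sbin/site-user are assumptions.
#
# Why a wrapper instead of granting the tools directly:
#   sudo passwd root           -> resets root's password
#   sudo useradd -o -u 0 evil  -> creates a second uid-0 account
#   sudo userdel -r sshd       -> removes a service account
# The sudoers rule names this script; the script does the checking.

PATH=/usr/sbin:/usr/bin:/sbin:/bin   # never trust the caller's PATH
export PATH

die() { echo "site-user: $*" >&2; exit 1; }

# Emit the sudoers fragment that delegates to this script and nothing else.
sudoers_fragment() {
    cat <<'EOF'
# /etc/sudoers.d/siteadmins: members of siteadmins may manage site accounts
Cmnd_Alias SITE_USER = /usr/local/sbin/site-user
%siteadmins ALL=(root) SITE_USER
EOF
}

# Portable user name: lowercase letter first, then [a-z0-9_-], at most
# 32 characters, never "root". Rejects "", "-x" (looks like an option),
# "a b" and mixed case.
valid_username() {
    case "$1" in
        ''|[!a-z]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ] || return 1
    [ "$1" != root ]
}

# Only existing accounts with uid >= 1000 may be deleted or get a new
# password: root and system/service accounts are refused by uid, so the
# name check above is not the only line of defence.
is_site_account() {
    uid=$(id -u "$1" 2>/dev/null) || return 1
    [ "$uid" -ge 1000 ]
}

do_add() {
    valid_username "$1" || die "invalid user name: $1"
    id -u "$1" >/dev/null 2>&1 && die "user already exists: $1"
    # Flags are fixed here; the caller cannot pass -u, -o, -G or anything else.
    useradd -m -s /bin/bash "$1"
}

do_del() {
    valid_username "$1" || die "invalid user name: $1"
    is_site_account "$1" || die "not a site account: $1"
    userdel -r "$1"
}

do_passwd() {
    valid_username "$1" || die "invalid user name: $1"
    is_site_account "$1" || die "not a site account: $1"
    passwd "$1"   # interactive; running as root, so no old password is asked
}

usage() {
    echo "usage: site-user add|del|passwd <name>  |  site-user sudoers" >&2
}

main() {
    case "$1" in
        add)     [ $# -eq 2 ] || die "add takes one user name"; do_add "$2" ;;
        del)     [ $# -eq 2 ] || die "del takes one user name"; do_del "$2" ;;
        passwd)  [ $# -eq 2 ] || die "passwd takes one user name"; do_passwd "$2" ;;
        sudoers) sudoers_fragment ;;
        *)       usage; exit 2 ;;
    esac
}

# Dispatch only when invoked with arguments, so the functions can also be
# sourced or tested on their own.
if [ $# -gt 0 ]; then main "$@"; else usage; fi
```

To install the rule, write the fragment to a temporary file, check it with `visudo -cf <file>`, and only then copy it to `/etc/sudoers.d/siteadmins` with mode 0440; a fragment with a syntax error in `/etc/sudoers.d` stops sudo from working at all. The script itself must be root-owned and not writable by the siteadmins group, otherwise they could edit the code that runs as root.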
