Cron script won't run
As you can probably surmise from my forum name, I have been involuntarily thrust into the role of sysadmin for my company, at least temporarily. I know just enough to get started, but not enough to get the results I need. (For reference, we are running Debian.)
I have a cron routine (a Perl script) that periodically adds new user entries from a database to our system's general user files (/etc/passwd, /etc/shadow). Problem is that our previous admin had the script running under his username, and when we disabled his access, the script stopped having the authority to add the users. I assume he had modified his user profile to have the system consider his account to have root privileges while it is running.
Now that his account is gone, I have created a new user profile for the process, and inserted the name/password combination into the script. The script still cannot run properly. I believe I need to somehow set this new user's attributes to allow it root privileges for this script, but I do not know the specifics of doing so.
If anyone can help, it would be appreciated.
You cannot make an account other than the root account have root privileges (having root privileges is defined as having UID 0, which of course only root has), so that's probably not what he had done. Instead, he might have chown'ed /etc/passwd to his account, for example. Check the ownership of /etc/passwd (ls -l /etc/passwd) to see if that might be what he had done.
As an alternative, couldn't you just make the script run as root?
Actually, the owner of the /etc/passwd file is listed as root. I have tested the script, using the root access from within it, and it works OK.
I don't know about the security implications of having the root credentials/access in the script, so I'm not quite ready to keep that in place. Thanks for the input. I'm reasonably sure he was able to give his user the ability to add users to the system - I just don't yet know how.
Well, the only way to do that would be to somehow make /etc/passwd writable by his user. Are you by any chance using POSIX ACLs on this system? What is the group ownership and actual permissions of /etc/passwd?
Upon issuing the command
ls -l /etc/passwd
-rw-r--r-- 1 root root 108989 Mar 3 18:30 /etc/passwd
This seems to indicate that the owner is root, the group is root, and permissions are read-only for anyone but root.
How do I determine the presence/use of the POSIX routines/functions? I still find no indication that he used any other than his credentials for the routines. Somehow he was able to grant that user root permissions, either just for that routine, or on a permanent basis.
I'm stumped. Thanks for your help.
The thing is that there are probably hundreds of ways to do it. If you want to find out how he did it, you should probably ask him.
If you just want to get it working, I'd say that one of the best ways would be to chown /etc/passwd to root:adm, chmod it to 664 and add yourself to the adm group. Another way is to use POSIX ACLs, but if they're not already installed, you'll probably have to patch the kernel to get it working. A third way is to create a SUID root binary to do that small part of the work.
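Added example, not part of any post in this thread: a read-only shell check for the mechanisms the replies name (ownership or mode changes on /etc/passwd, POSIX ACLs, a SUID root binary). It assumes GNU stat and ls as shipped on Debian; CRON_SCRIPT is a hypothetical variable holding the path of the user-sync script.

```shell
#!/bin/sh
# Added example: audit how a non-root account could write /etc/passwd.
# Assumes GNU stat/ls (Debian). Read-only: it changes nothing.

# Succeeds if the file's mode grants write to group or other.
loosely_writable() {
    mode=$(stat -c %a "$1") || return 2
    # Octal mode digits: last = other, second to last = group; bit 2 = write.
    [ $(( (mode / 10 % 10) & 2 )) -ne 0 ] || [ $(( (mode % 10) & 2 )) -ne 0 ]
}

# Succeeds if GNU ls marks the file as carrying a POSIX ACL ("+" suffix).
has_acl() {
    case $(ls -ld "$1" | cut -d' ' -f1) in
        *+) return 0 ;;
        *)  return 1 ;;
    esac
}

# Succeeds if the file is set-UID and owned by UID 0.
is_suid_root() {
    [ -u "$1" ] && [ "$(stat -c %u "$1")" = 0 ]
}

# Prints one summary line plus findings; returns the number of findings.
audit_account_file() {
    n=0
    echo "$1: $(stat -c 'owner=%U group=%G mode=%a' "$1")"
    [ "$(stat -c %u "$1")" = 0 ] || { echo "  FINDING: not owned by root"; n=$((n+1)); }
    loosely_writable "$1" && { echo "  FINDING: group/other writable"; n=$((n+1)); }
    has_acl "$1" && { echo "  FINDING: ACL present (inspect with getfacl)"; n=$((n+1)); }
    return $n
}

for f in /etc/passwd /etc/shadow; do
    if [ -e "$f" ]; then audit_account_file "$f" || true; fi
done

# CRON_SCRIPT is a hypothetical variable: path of the user-sync script.
if [ -n "${CRON_SCRIPT:-}" ] && is_suid_root "$CRON_SCRIPT"; then
    echo "$CRON_SCRIPT: FINDING: set-UID root"
fi
```

On a stock system this prints one summary line per file and no findings; the root:adm mode 664 layout suggested above would be reported as group/other writable.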