  1. #1
    Just Joined!
    Join Date
    Feb 2012
    Posts
    4

    sed help

    I have a list of users who I need to disable (from /etc/passwd). I have set up disabling users on the system by appending "_no" to their shell in /etc/passwd. I am trying to do this with sed, and here is where I'm at:

    Example, attempting to disable users "john" and "jack" only:
    Code:
    for i in john jack; do sed 's/\$i/$_no/g' /etc/passwd; done
    I'm searching for the username, then trying to go to the end of the line, and append the "_no" to the shell (regardless of the shell). Obviously I am not doing it correct, but hope you get the idea of where I'm at...


    For example, below is the contents from /etc/passwd file:

    john:x:6000:500:John Smith:/home/john:/bin/bash
    jane:x:6000:500:Jane Smith:/home/jane:/bin/tcsh
    fred:x:6000:500:Fred Smith:/home/fred:/bin/bash
    jack:x:6000:500:Jack Smith:/home/jack:/bin/csh

    After running disable script, it should be:

    john:x:6000:500:John Smith:/home/john:/bin/bash_no
    jane:x:6000:500:Jane Smith:/home/jane:/bin/tcsh
    fred:x:6000:500:Fred Smith:/home/fred:/bin/bash
    jack:x:6000:500:Jack Smith:/home/jack:/bin/csh_no

    Appreciate any help,
    Thanks,
    -Brian

  2. #2
    Linux Guru Irithori's Avatar
    Join Date
    May 2009
    Location
    Munich
    Posts
    2,097
    This is better done with native tools.
    The shadow suite is already prepared to lock accounts:
    Code:
    for ACCOUNT in john jack; do usermod --lock --expiredate 1 "$ACCOUNT"; done
    You can use usermod --unlock --expiredate 99999 to enable the accounts again.
    You must always face the curtain with a bow.

  3. #3
    Just Joined!
    Join Date
    Feb 2012
    Posts
    4
    Thanks for the help, unfortunately this system has thousands of users and we have always used this "_no" method, so we'll have to continue to use this method for disabling accounts...

    Thanks,
    -Brian

  4. #4
    Linux Guru Irithori's Avatar
    Join Date
    May 2009
    Location
    Munich
    Posts
    2,097
    Two things:
    1) Just adding _no to the shell will not disable the account.
    The password is valid, the account is not expired.
    A user might still be able to get a login by forcing/requesting a different shell via ssh or (sudo) su.

    Sorry to be blunt, but your current solution is useless.

    2) The method I described is the default and expected one. (Apart from the fact that it actually works.)
    The _no method is non-standard and a bit.. hackish.

    So I would suggest to introduce the default one.
    You must always face the curtain with a bow.

  5. #5
    Just Joined!
    Join Date
    Feb 2012
    Posts
    4
    I should have clarified better but didn't wanna make this too long...we have soft-links from /bin/bash_no, /bin/tcsh_no (etc.) to /sbin/nologin - so, it in fact does work perfectly fine this way. I am simply looking for a way to disable a bunch of users at once, in fact I should have left out the fact that I am trying to disable users...but rather a simple text file that I'd like to append _no at the end of specified lines (e.g. lines starting with jack, fred...).

    Obviously the code I threw in there is useless, that is why I specified "Obviously I am not doing it correct, but hope you get the idea of where I'm at..."

    -Brian

  6. #6
    Linux Guru Irithori's Avatar
    Join Date
    May 2009
    Location
    Munich
    Posts
    2,097
    Oops, sorry.
    You are correct.
    A regular user cannot choose a shell that is not in /etc/shells.
    Which is the case for e.g. /bin/bash_no.

    Linking these to /sbin/nologin does somewhat enable them, but as nologin only outputs: "The account is not available", your approach is actually working.

    So, if you insist on your approach, this sed might work:
    Code:
    for ACCOUNT in john jack; do sed -r "s/^$ACCOUNT:(.*)/$ACCOUNT:\1_no/" /etc/passwd; done
    Add a -i to sed for in-place editing.
    A more robust implementation would probably first match the line, then split it in elements (delimiter is ":"), modify the shell and then put the line together again.

    But I almost regret writing that, as the usermod approach doesn't need softlinks or ugly sed modifications/logic and is more straightforward imho.
    You must always face the curtain with a bow.

  7. #7
    Just Joined!
    Join Date
    Feb 2012
    Posts
    4
    @Irithori thanks very much, that sed code was exactly what I was looking for.

    I agree I wish we had a more standardized approach to disable our users, however that is just something that was set up a long time ago before my time...I'll suggest the idea to the sys admins in the meantime.

    Thanks again...

  8. #8
    scm
    Linux Engineer
    Join Date
    Feb 2005
    Posts
    1,044
    The simplest sed pattern would be:

    sed "/^$ACCOUNT:/s/$/_no/"
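
Added example, not part of any post in the thread: the field-splitting approach suggested in post #6, written with awk so that account names are compared as exact strings instead of being spliced into a regex, and so that an already-disabled shell is not given a second "_no". The function name `disable_shells` and the sample accounts are assumptions for illustration; the passwd lines are constructed.

```shell
#!/bin/sh
# disable_shells FILE USER...
# Prints FILE with "_no" appended to the shell (7th field) of each named
# account. FILE itself is not modified, so the result can be reviewed first.
disable_shells() {
    file=$1; shift
    # Names are passed to awk as data, not interpolated into a pattern,
    # so "j.doe" can never match "jxdoe" the way the regex /^j.doe:/ would.
    awk -F: -v OFS=: -v names="$*" '
        BEGIN {
            n = split(names, list, " ")
            for (i = 1; i <= n; i++) want[list[i]] = 1
        }
        # Exact match on field 1, a well-formed 7-field line, a non-empty
        # shell, and not already disabled (keeps the edit idempotent).
        ($1 in want) && NF == 7 && $7 != "" && $7 !~ /_no$/ {
            $7 = $7 "_no"
        }
        { print }
    ' "$file"
}

# Constructed sample data standing in for /etc/passwd.
sample=$(mktemp)
cat > "$sample" <<'EOF'
john:x:6000:500:John Smith:/home/john:/bin/bash
jxdoe:x:6001:500:J X Doe:/home/jxdoe:/bin/tcsh
j.doe:x:6002:500:J Doe:/home/j.doe:/bin/bash
jack:x:6003:500:Jack Smith:/home/jack:/bin/csh_no
EOF

# john and j.doe gain "_no"; jxdoe is untouched; jack is left at csh_no.
disable_shells "$sample" john j.doe jack
rm -f "$sample"
```

Because the function writes to stdout, the output can be compared against the original with diff before anything replaces the live file.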
