Re: Is there a deluser equivalent in OpenBSD?

2006-11-16 Thread Elio Grieco

On Oct 29, 2006, at 11:15 AM, Ingo Schwarze wrote:

> Leonardo Rodrigues wrote on Sun, Oct 29, 2006 at 01:45:15PM -0300:
>> Though, it seems a bit strange that OpenBSD lacks something like
>> that.
>
> Look at it from a different perspective:
>
> There are other operating systems out there featuring thousands of
> lines of complicated scripts just to ensure that users never need
> to do simple tasks themselves.

I agree that is overkill for more esoteric tasks but for something as
common as user management the basics should be built into the OS. Why
require users to go writing their own scripts for common tasks? To me
the whole point of using software is to remove the tedious parts and
let the humans concentrate on the parts that the computer cannot do.

> In addition to the usual simplicity improves maintainability and
> usability argument, my impression is that OpenBSD actively encourages
> users to understand how the system works - and to understand which
> tasks are simple and which ones aren't.

This may seem like simplicity but in reality this forces multiple
implementations for the deluser command as everyone writes their own
scripts. This decreases security since each custom script is unlikely
to be audited for correctness and completeness by as many users as
part of the main source tree would. Additionally, this wastes time by
forcing users to reinvent the wheel of user management rather than
adding new features to the OS.

> On first sight, an additional option remove from group to usermod(8)
> might not hurt much.  As a second thought, how would you call it, -g
> and -G are already occupied; yet it is important for learners to
> have option names as few and as mnemonic as possible, and please lets
> not get into --remove-from-group.  As a third thought, what might be
> the next special case that somebody could come up with for plausible
> reasons?  And finally, once you add an option, you have to live with
> it for good, as somebody will certainly rely on it.

The idea that a feature should not be added because we do not have a
handy and simple mnemonic for it is absurd. We should consider the
inclusion of a feature on the basis of its usefulness and the number
of users who would benefit. Also, making a feature part of the main
source tree allows the usage and behavior to be standardized. Even if
the perfect mnemonic is already taken as long as the interface is
standardized and sane it will still be usable.



Elio Grieco



Re: Is there a deluser equivalent in OpenBSD?

2006-10-30 Thread Paul de Weerd
On Mon, Oct 30, 2006 at 12:38:59AM -0500, Eric Furman wrote:
| On Sun, 29 Oct 2006 23:12:49 +0100 (CET), Otto Moerbeek
| [EMAIL PROTECTED] said:
|   but as has been pointed out, it is trivial to write a script
|   that would automatically go out and modify /etc/group
|   on even a large number of boxes.
|  
|   This is rough, needs polishing, use at own risk, blah blah...
|  
|   BOXES="server1 server 2 server3. . ."
|  
|   for box in $BOXES
|   do
|     { sleep 5;echo username;sleep 2;echo password;sleep 2;
|       echo "sudo do some command left as exercise for reader";
|       sleep 3;echo exit; } |telnet $box 2>/tmp/rcmd.error 1>/dev/null
|   done
| 
|  You got to be kidding. This is the worst script I've seen in ages.
|
| I only offered this because the OP seemed to indicate that he had
| a large number of machines and it would be inconvenient to make
| the change to /etc/group on all of them. If you administer several
| dozen to more than a hundred machines it is quite inconvenient to
| do this. If there is a better way of doing this I would be quite
| interested in hearing about it.  Please do not point out the security
| implications of this. It has already been greatly considered. It
| should be clearly obvious how this can be made safe. And no, I
| haven't used telnet in nearly ten years, but I and all my users
| always type telnet at the command line. It's familiar.
| I offered help. You offered nothing but useless noise.

You offered no such thing, I'm afraid. If you haven't used telnet for
nearly ten years[1], why do you still type it at the command line ?

Don't pipe sleep and echo's (esp. passwords) to telnet. Not a good
plan. This is horribly insecure in multiple ways. Even if you had
greatly considered these, you should have indicated as much. People
not as experienced as you may read your example and take it for a good
solution, security-wise.

BOXES="your set of machines"
ID="the username you want to have run the script"
CMD="some command left as exercise for reader"

for box in ${BOXES}
do
	ssh "${ID}@${box}" "${CMD}"
done

Don't forget to set up proper keys for authenticating and using an
ssh-agent on the machine you're doing this from. This still may not be
the best way to handle many machines (as in, 1000s) as the
serialisation will make your machines be out of sync for quite a long
time. If ${CMD} is overly complex, consider putting everything in a
script, and add an `scp ${script} ${ID}@${box}:/tmp/` before the
ssh-line and change that line to `ssh ${ID}@${box} sh /tmp/${script}`

Please don't offer bad help. Better to offer nothing at all.

Paul 'WEiRD' de Weerd

[1]: I still use telnet on a daily basis, I just don't use telnetd.

--
 http://www.weirdnet.nl/
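
An added example, not part of the original post, of the key-based loop described above: it refuses password prompts, feeds the script over stdin instead of copying it to /tmp, and records which machines failed. ID and the host list are the post's placeholders; the function name, the FAILED variable and the SSH override (present only so the loop can be exercised without a network) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). ID, the host names and the SSH
# override variable are assumptions; SSH exists only so the loop can be
# exercised without a network.

# run_on_boxes SCRIPT HOST...
# Runs SCRIPT on every host as $ID; sets FAILED to the hosts that did not
# complete it and returns non-zero if there were any.
run_on_boxes() {
    script=$1; shift
    [ -r "$script" ] || return 2
    FAILED=""
    for box in "$@"; do
        # BatchMode=yes: key/agent authentication only, never a password
        # prompt, and an unknown or changed host key is a failure instead
        # of a question. The script is fed on stdin to "sh -s", so no copy
        # is left behind in /tmp on the target.
        if ! ${SSH:-ssh} -o BatchMode=yes -o ConnectTimeout=10 \
                "${ID:?set ID to the remote user}@${box}" sh -s < "$script"
        then
            FAILED="${FAILED:+$FAILED }$box"
        fi
    done
    [ -z "$FAILED" ]
}
```

Called as `ID=admin run_on_boxes ./fix-group.sh server1 server2`, with the key loaded in ssh-agent beforehand; the loop is still serial, so the caveat about large fleets applies unchanged.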




Re: Is there a deluser equivalent in OpenBSD?

2006-10-30 Thread Paul de Weerd
It was pointed out to me in private e-mail that I mistakenly assumed
telnet to be telnet and not ssh. I'm quoting parts of the private
e-mail I received to the list in the hopes of educating others on the
use of ssh.

On Mon, Oct 30, 2006 at 04:04:34PM -0500, Eric Furman wrote:
| On Mon, 30 Oct 2006 10:12:58 +0100, Paul de Weerd [EMAIL PROTECTED]
| said:
|  You offered no such thing, I'm afraid. If you haven't used telnet for
|  nearly ten years[1], why do you still type it at the command line ?
|
| telnet is a link to ssh. I thought that was obvious.

Not quite, no. Apart from breaking stuff for your users, you even used
the wrong semantics for ssh (telnet) in your script :

 for box in $BOXES
 do
   { sleep 5;echo username;sleep 2;echo password;sleep 2;
     echo "sudo do some command left as exercise for reader";
     sleep 3;echo exit; } |telnet $box 2>/tmp/rcmd.error 1>/dev/null
 done

You first echo username and then password. If you've used telnet
and ssh(1) a few times, you'd know that telnet/telnetd will ask for a
username, ssh/sshd will not. The last combination defaults to your
current username or takes the one given on the commandline.

If you knew a bit about the inner workings of both, you'd also know
why this is. Your example script uses telnet-style semantics and the
telnet-commandname. That makes it somewhat unlikely that it really is
the ssh-binary you're executing. Unless of course you have no
experience in writing scripts like these, in which case I see no
reason for you to bad mouth Otto for voicing his opinion *against*
your script.

|  Don't pipe sleep and echo's (esp. passwords) to telnet. Not a good
|
| It's not actually telnet.

This is wrong in so many ways. If you want to prevent your users
from using telnet, replace telnet with a `echo telnet is deprecated,
use ssh instead`-script. But as I indicated in my original e-mail,
there's a lot of use for telnet(1), so you may not want to do this.

You keep using telnet when you really shouldn't be using this. When
you or your users are on another system, you'll stick to using telnet.
This is so wrong.

Educate yourself and your users. Learn to use ssh. Even on trusted
networks - it's just good practice.

Paul 'WEiRD' de Weerd

--
 http://www.weirdnet.nl/




Re: Is there a deluser equivalent in OpenBSD?

2006-10-29 Thread Stuart Henderson
On 2006/10/29 00:04, Leonardo Rodrigues wrote:
 Actually, it wouldn't be practical to manually edit /etc/group. An
 userdel-like command is needed in the smb.conf of the samba server
 in order to graphically and easily manage users on the server by using
 a Windows NT server tool.

Either write a script to do it (simple shell scripting is enough, or perl
or something else could be more elegant), or google and see if you can find
something suitable since the problem must exist for some other OS too.




Re: Is there a deluser equivalent in OpenBSD?

2006-10-29 Thread Ingo Schwarze
Nick Guenther wrote on Sat, Oct 28, 2006 at 11:21:40PM -0400:
 On 10/28/06, Leonardo Rodrigues [EMAIL PROTECTED] wrote:

 Actually, it wouldn't be practical to manually edit /etc/group.
[...]
 Also, er, call me dumb, but after rereading usermod(8), I really see
 no way to explicitly remove an user from a group... =(

[...]
 As a hack, could you write a short script to edit it and call that?

cd /etc \
&& sed '/^foogroup/s/baruser,*//' < group > group.new \
&& mv group.new group

This is a noop unless baruser is a member of foogroup,
but it changes the /etc/group ctime even then.  Hm.

cd /etc \
&& sed '/^foogroup/s/baruser,*//' < group > group.new \
; diff group group.new \
&& rm group.new \
&& echo no change \
|| mv group.new group
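
The sed expressions above match by prefix and substring, so `/^foogroup/` also selects a group named foogroup2 and `baruser` also matches inside foobaruser. As an added example that is not part of the original thread, this shell function removes exactly one member from exactly one group and leaves the file untouched when there is nothing to do; the function name, the optional FILE argument and the accepted character set are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). The FILE argument is an assumption that
# lets the function be exercised on a copy instead of the live /etc/group.

# remove_from_group USER GROUP [FILE]
# returns 0 = member removed, 1 = not a member (file untouched), 2 = error
remove_from_group() {
    user=$1 group=$2 file=${3:-/etc/group}

    # Names may arrive from a remote admin tool: accept a conservative
    # character set only, so ':' ',' or newlines can never reach the file.
    case $user in ''|*[!A-Za-z0-9_.-]*) return 2 ;; esac
    case $group in ''|*[!A-Za-z0-9_.-]*) return 2 ;; esac
    [ -f "$file" ] || return 2

    # Temp file beside the target so the final mv is an atomic rename;
    # cp -p carries over the mode (and owner, when run as root).
    tmp=$(mktemp "$file.XXXXXXXXXX") || return 2
    cp -p "$file" "$tmp" || { rm -f "$tmp"; return 2; }

    awk -F: -v OFS=: -v u="$user" -v g="$group" '
        $1 == g {                       # whole-field match: not foogroup2
            n = split($4, m, ","); out = ""; sep = ""
            for (i = 1; i <= n; i++) {
                if (m[i] == u) { hit = 1; continue }   # not foobaruser
                out = out sep m[i]; sep = ","
            }
            $4 = out
        }
        { print }
        END { exit (hit ? 0 : 1) }
    ' "$file" > "$tmp"

    case $? in
        0) mv -f "$tmp" "$file" || { rm -f "$tmp"; return 2; }; return 0 ;;
        1) rm -f "$tmp"; return 1 ;;
        *) rm -f "$tmp"; return 2 ;;
    esac
}
```

Because the file is replaced only when a member was actually removed, the ctime concern raised above does not arise, and no trailing comma is left when the removed user was last in the list.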



Re: Is there a deluser equivalent in OpenBSD?

2006-10-29 Thread Leonardo Rodrigues

Thanks everyone for the input. I guess I'll stick to a little script then =)
Though, it seems a bit strange that OpenBSD lacks something like that.
I thought it was a given.

--
An OpenBSD user... and that's all you need to know =)



Re: Is there a deluser equivalent in OpenBSD?

2006-10-29 Thread Ingo Schwarze
Leonardo Rodrigues wrote on Sun, Oct 29, 2006 at 01:45:15PM -0300:
 Though, it seems a bit strange that OpenBSD lacks something like that.

Look at it from a different perspective:

There are other operating systems out there featuring thousands of
lines of complicated scripts just to ensure that users never need
to do simple tasks themselves.

In addition to the usual simplicity improves maintainability and
usability argument, my impression is that OpenBSD actively encourages
users to understand how the system works - and to understand which
tasks are simple and which ones aren't.

On first sight, an additional option remove from group to usermod(8)
might not hurt much.  As a second thought, how would you call it, -g
and -G are already occupied; yet it is important for learners to
have option names as few and as mnemonic as possible, and please lets
not get into --remove-from-group.  As a third thought, what might be
the next special case that somebody could come up with for plausible
reasons?  And finally, once you add an option, you have to live with
it for good, as somebody will certainly rely on it.

At least, i understand that features of this kind are not top priority.



Re: Is there a deluser equivalent in OpenBSD?

2006-10-29 Thread Otto Moerbeek
On Sat, 28 Oct 2006, Philip Guenther wrote:

 On 10/28/06, Leonardo Rodrigues [EMAIL PROTECTED] wrote:
  Thanks, but usermod (with -G arg) seems to only let me add users to a
  group or multiple groups, but not remove them . The man page, from
  what I could understand, also says nothing about removing users =(
 
 I would call this a bug in usermod: when run with the -G option it
 should set the user's secondary group list to include exactly the
 indicated groups.  That's how usermod operates under Solaris and Linux
 and is the obvious way to provide the functionality, though it _is_
 kind of klunky.

No worries, usermod -G sets the secondary group list, like the man
pages says and like other systems do.

-Otto



Re: Is there a deluser equivalent in OpenBSD?

2006-10-29 Thread Otto Moerbeek
On Sun, 29 Oct 2006, Otto Moerbeek wrote:

 On Sat, 28 Oct 2006, Philip Guenther wrote:
 
  On 10/28/06, Leonardo Rodrigues [EMAIL PROTECTED] wrote:
   Thanks, but usermod (with -G arg) seems to only let me add users to a
   group or multiple groups, but not remove them . The man page, from
   what I could understand, also says nothing about removing users =(
  
  I would call this a bug in usermod: when run with the -G option it
  should set the user's secondary group list to include exactly the
  indicated groups.  That's how usermod operates under Solaris and Linux
  and is the obvious way to provide the functionality, though it _is_
  kind of klunky.
 
 No worries, usermod -G sets the secondary group list, like the man
 pages says and like other systems do.

Oops, my memory and test were both wrong. Indeed, -G does not delete
membership. 

-Otto



Re: Is there a deluser equivalent in OpenBSD?

2006-10-29 Thread Han Boetes
Otto Moerbeek wrote:
  No worries, usermod -G sets the secondary group list, like the
  man pages says and like other systems do.

 Oops, my memory and test were both wrong. Indeed, -G does not
 delete membership.

This seems to produce a groups file with all old system accounts
removed.

~% cat cleangroups
#!/bin/sh
# Print /etc/group with members that no longer exist as users removed.
while IFS= read -r line; do
    newusers=
    users=${line##*:}
    group=${line%:*}
    for user in $(echo "$users" | tr ',' ' '); do
        # userinfo -e exits 0 only if the user exists
        if userinfo -e "$user"; then
            if [ -n "$newusers" ]; then
                newusers=$newusers,$user
            else
                newusers=$user
            fi
        fi
    done
    echo "$group:$newusers"
done < /etc/group



# Han



Re: Is there a deluser equivalent in OpenBSD?

2006-10-29 Thread Eric Furman
On Sun, 29 Oct 2006 19:15:56 +0100, Ingo Schwarze [EMAIL PROTECTED]
said:
 Leonardo Rodrigues wrote on Sun, Oct 29, 2006 at 01:45:15PM -0300:
  Though, it seems a bit strange that OpenBSD lacks something like that.

 On first sight, an additional option remove from group to usermod(8)
 might not hurt much.  As a second thought, how would you call it, -g
 and -G are already occupied; yet it is important for learners to
 have option names as few and as mnemonic as possible, and please lets
 not get into --remove-from-group.  As a third thought, what might be
 the next special case that somebody could come up with for plausible
 reasons?  And finally, once you add an option, you have to live with
 it for good, as somebody will certainly rely on it.

Instead of usermod -G group



Re: Is there a deluser equivalent in OpenBSD?

2006-10-29 Thread Eric Furman
On Sun, 29 Oct 2006 19:15:56 +0100, Ingo Schwarze [EMAIL PROTECTED]
said:
 On first sight, an additional option remove from group to usermod(8)
 might not hurt much.  As a second thought, how would you call it, -g
 and -G are already occupied; yet it is important for learners to
 have option names as few and as mnemonic as possible, and please lets
 not get into --remove-from-group.  As a third thought, what might be
 the next special case that somebody could come up with for plausible
 reasons?  And finally, once you add an option, you have to live with
 it for good, as somebody will certainly rely on it.

instead of usermod -G group; to add to group. you could
usermod -G - group; to remove from group
just a thought...

but as has been pointed out, it is trivial to write a script
that would automatically go out and modify /etc/group
on even a large number of boxes.

This is rough, needs polishing, use at own risk, blah blah...

BOXES="server1 server 2 server3. . ."

for box in $BOXES
do
  { sleep 5;echo username;sleep 2;echo password;sleep 2;
    echo "sudo do some command left as exercise for reader";
    sleep 3;echo exit; } |telnet $box 2>/tmp/rcmd.error 1>/dev/null
done



Re: Is there a deluser equivalent in OpenBSD?

2006-10-29 Thread Otto Moerbeek
On Sun, 29 Oct 2006, Eric Furman wrote:

 On Sun, 29 Oct 2006 19:15:56 +0100, Ingo Schwarze [EMAIL PROTECTED]
 said:
  On first sight, an additional option remove from group to usermod(8)
  might not hurt much.  As a second thought, how would you call it, -g
  and -G are already occupied; yet it is important for learners to
  have option names as few and as mnemonic as possible, and please lets
  not get into --remove-from-group.  As a third thought, what might be
  the next special case that somebody could come up with for plausible
  reasons?  And finally, once you add an option, you have to live with
  it for good, as somebody will certainly rely on it.
 
 instead of usermod -G group; to add to group. you could
 usermod -G - group; to remove from group
 just a thought...
 
 but as has been pointed out, it is trivial to write a script
 that would automatically go out and modify /etc/group
 on even a large number of boxes.
 
 This is rough, needs polishing, use at own risk, blah blah...
 
 BOXES="server1 server 2 server3. . ."
 
 for box in $BOXES
 do
   { sleep 5;echo username;sleep 2;echo password;sleep 2;
     echo "sudo do some command left as exercise for reader";
     sleep 3;echo exit; } |telnet $box 2>/tmp/rcmd.error 1>/dev/null
 done

You got to be kidding. This is the worst script I've seen in ages.

-Otto



Re: Is there a deluser equivalent in OpenBSD?

2006-10-28 Thread Lawrence Horvath

On 10/28/06, Leonardo Rodrigues [EMAIL PROTECTED] wrote:

> Hello everyone,
>
> So, I'm trying to set up a samba server, and looking into the
> smb.conf, there's this command deluser that I can't find a similar
> one on OpenBSD to replace it. I need a tool that is able to delete a
> user from a group, by using the username and the group as arguments.
> I've looked on userdel, useradd, groupmod and groupdel, but it seems
> that they won't do what I want...
> I think I'm missing something pretty obvious... =(
>
> Can anyone give me some hints please?
>
> --
> An OpenBSD user... and that's all you need to know =)

man rmuser


--
-Lawrence
-Student ID 1028219



Re: Is there a deluser equivalent in OpenBSD?

2006-10-28 Thread Darrin Chandler
On Sat, Oct 28, 2006 at 06:30:33PM -0300, Leonardo Rodrigues wrote:
 Hello everyone,
 
 So, I'm trying to set up a samba server, and looking into the
 smb.conf, there's this command deluser that I can't find a similar
 one on OpenBSD to replace it. I need a tool that is able to delete a
 user from a group, by using the username and the group as arguments.
 I've looked on userdel, useradd, groupmod and groupdel, but it seems
 that they won't do what I want...
 I think I'm missing something pretty obvious... =(
 
 Can anyone give me some hints please?

Sorry, didn't read everything before replying before. See if usermod
will work.

-- 
Darrin Chandler|  Phoenix BSD Users Group
[EMAIL PROTECTED]   |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |



Re: Is there a deluser equivalent in OpenBSD?

2006-10-28 Thread Leonardo Rodrigues

The man page says rmuser only accepts an username as an argument...

Thanks, but usermod (with -G arg) seems to only let me add users to a
group or multiple groups, but not remove them . The man page, from
what I could understand, also says nothing about removing users =(


--
An OpenBSD user... and that's all you need to know =)



Re: Is there a deluser equivalent in OpenBSD?

2006-10-28 Thread Josh Grosse
On Sat, Oct 28, 2006 at 07:29:41PM -0300, Leonardo Rodrigues wrote:
 The man page says rmuser only accepts an username as an argument...
 
 Thanks, but usermod (with -G arg) seems to only let me add users to a
 group or multiple groups, but not remove them . The man page, from
 what I could understand, also says nothing about removing users =(

Try userdel(8).



Re: Is there a deluser equivalent in OpenBSD?

2006-10-28 Thread Leonardo Rodrigues

Humm...

From the man page of userdel(8):


DESCRIPTION
The userdel utility removes a user from the system, optionally removing
that user's home directory and any subdirectories.

So, it won't remove an user from a group, but an user from the entire
system. No signs of removing from a group on the entire man page...

Geez... seems like I won't find what I'm looking for...


--
An OpenBSD user... and that's all you need to know =)



Re: Is there a deluser equivalent in OpenBSD?

2006-10-28 Thread Nick Guenther

On 10/28/06, Leonardo Rodrigues [EMAIL PROTECTED] wrote:

> Humm...
> From the man page of userdel(8):
>
> DESCRIPTION
>  The userdel utility removes a user from the system, optionally removing
>  that user's home directory and any subdirectories.
>
> So, it won't remove an user from a group, but an user from the entire
> system. No signs of removing from a group on the entire man page...
>
> Geez... seems like I won't find what I'm looking for...



Just edit the group itself, see /etc/group. Also take a look at
usermod(8) again.

-Nick



Re: Is there a deluser equivalent in OpenBSD?

2006-10-28 Thread Leonardo Rodrigues

> Just edit the group itself, see /etc/group. Also take a look at
> usermod(8) again.
>
> -Nick




First, thanks for the help everyone =)

Actually, it wouldn't be practical to manually edit /etc/group. An
userdel-like command is needed in the smb.conf of the samba server
in order to graphically and easily manage users on the server by using
a Windows NT server tool.

Also, er, call me dumb, but after rereading usermod(8), I really see
no way to explicitly remove an user from a group... =(  By using -G or
-g, it seems to be only able to add groups to an user, and not remove
users from a given group...

--
An OpenBSD user... and that's all you need to know =)



Re: Is there a deluser equivalent in OpenBSD?

2006-10-28 Thread Nick Guenther

On 10/28/06, Leonardo Rodrigues [EMAIL PROTECTED] wrote:

>> Just edit the group itself, see /etc/group. Also take a look at
>> usermod(8) again.
>>
>> -Nick
>
> First, thanks for the help everyone =)
>
> Actually, it wouldn't be practical to manually edit /etc/group. An
> userdel-like command is needed in the smb.conf of the samba server
> in order to graphically and easily manage users on the server by using
> a Windows NT server tool.
>
> Also, er, call me dumb, but after rereading usermod(8), I really see
> no way to explicitly remove an user from a group... =(  By using -G or
> -g, it seems to be only able to add groups to an user, and not remove
> users from a given group...



You are absolutely correct. I'm not too sure on it myself.
As a hack, could you write a short script to edit it and call that?
My other idea was something along the lines of dumping the list of all
secondary groups the user is currently in and then running usermod
-G[list of groups minus the one to remove]

This is actually pretty tricky. There should be a way to do this. That
means we are probably all just missing it.

-Nick



Re: Is there a deluser equivalent in OpenBSD?

2006-10-28 Thread Philip Guenther

On 10/28/06, Leonardo Rodrigues [EMAIL PROTECTED] wrote:

> Thanks, but usermod (with -G arg) seems to only let me add users to a
> group or multiple groups, but not remove them . The man page, from
> what I could understand, also says nothing about removing users =(


I would call this a bug in usermod: when run with the -G option it
should set the user's secondary group list to include exactly the
indicated groups.  That's how usermod operates under Solaris and Linux
and is the obvious way to provide the functionality, though it _is_
kind of klunky.


Philip Guenther



Re: Is there a deluser equivalent in OpenBSD?

2006-10-28 Thread JR Dalrymple
Philip Guenther wrote:

 I would call this a bug in usermod: when run with the -G option it
 should set the user's secondary group list to include exactly the
 indicated groups.  That's how usermod operates under Solaris and Linux
 

What's more, I've seen *NIXes that had a -R option to groupmod that 
would remove users from groups.

As Nick stated though, this is pretty trivial to write a script for.

-JR
