Re: setting the password of an automatically created account
On 9/5/2013 6:52 PM, Aryeh Friedman wrote:
> I have a port that needs to create a user of a given name and a
> given default password... I found in the porters guide how to make
> the account but not set the password

Because you must not do that. You can't even reliably do that. There are many cases where setting the password via any locally-available method will not work. Some examples:

- The site uses LDAP, AD, etc. and the local system does not have the PAM configuration to feed back password changes;
- Passwd, pw, etc. are disabled and users may only change their password at a secure portal;
- Users may not change their passwords at all;
- The system doesn't use user passwords at all.

That last is common in internet-facing servers, where login access is keys-only ssh and/or root-only console as a countermeasure against dictionary attacks.

Your port can't detect these policies and can't work around them. The best you can do is include documentation stating what needs access above a login-disabled pseudouser.
___
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"
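A check an admin could run to confirm that a port-created account really is the login-disabled pseudouser described in the message above. This is an added example, not part of the original thread; the account names `myport`, `kiosk` and `blank`, the `kiosk-shell` path and the sample data are constructed, and the input is assumed to be in master.passwd(5) format.

```shell
#!/bin/sh
# Added example: classify an account from master.passwd(5)-format data.
# Field 2 is the password field, field 10 is the login shell.

# Constructed sample; the hash strings are placeholders, not real hashes.
sample_passwd() {
cat <<'EOF'
root:$6$CONSTRUCTED$placeholderhash:0:0::0:0:Charlie &:/root:/bin/csh
myport:*:900:900::0:0:myport daemon:/nonexistent:/usr/sbin/nologin
kiosk:$6$CONSTRUCTED$placeholderhash:1001:1001::0:0:kiosk:/home/kiosk:/usr/local/bin/kiosk-shell
blank::1002:1002::0:0:blank:/home/blank:/bin/sh
EOF
}

# check_pseudouser NAME   (master.passwd-format data on stdin)
# Prints exactly one of:
#   OK             password field is "*" or *LOCKED*..., shell is nologin
#   EMPTY_PASSWORD password field is empty (no password required)
#   PASSWORD_SET   password field holds something other than "*" / *LOCKED*
#   LOGIN_SHELL    no usable password, but the shell is not nologin
#   MISSING        no such account in the input
check_pseudouser() {
    awk -F: -v u="$1" '
        $1 == u {
            found = 1
            if ($2 == "")                              r = "EMPTY_PASSWORD"
            else if ($2 != "*" && $2 !~ /^\*LOCKED\*/) r = "PASSWORD_SET"
            else if ($10 !~ /\/nologin$/)              r = "LOGIN_SHELL"
            else                                       r = "OK"
            print r
        }
        END { if (!found) print "MISSING" }'
}

# Report on the constructed accounts.
for u in myport kiosk blank; do
    printf '%s: %s\n' "$u" "$(sample_passwd | check_pseudouser "$u")"
done
```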
Re: setting the password of an automatically created account
On 9/5/2013 9:00 PM, Aryeh Friedman wrote:
> related questions:
>
> 1. How do I add the user to wheel (has its own group but needs to be in
> wheel for reason number #2)?
> 2. How do I modify (in the safest possible way) another port's installed
> config file(s) (namely I need to in the case of this port modify
> /usr/local/etc/sudoers to allow the no password option for wheel members)?

The answer to both is you don't. Include documentation telling the admin exactly what needs special access or elevated privileges and let the admin make that happen. If you think something needs root because it needs to open something in /dev, tell the admin it needs to do something with /dev/foo. Devd and other mechanisms can provide that without root access. The same idea applies to almost all of what people typically think requires root access.
Re: setting the password of an automatically created account
Sorry not possible due to who the target audience is (no competent admin available)... I found a better solution last night a quick and dirty suid wrapper that calls the right program

On Fri, Sep 6, 2013 at 1:00 PM, Darren Pilgrim <list_free...@bluerosetech.com> wrote:
> On 9/5/2013 9:00 PM, Aryeh Friedman wrote:
>
>> related questions:
>>
>> 1. How do I add the user to wheel (has its own group but needs to be in
>> wheel for reason number #2)?
>> 2. How do I modify (in the safest possible way) another port's installed
>> config file(s) (namely I need to in the case of this port modify
>> /usr/local/etc/sudoers to allow the no password option for wheel members)?
>>
>
> The answer to both is you don't. Include documentation telling the admin
> exactly what needs special access or elevated privileges and let the admin
> make that happen. If you think something needs root because it needs to
> open something in /dev, tell the admin it needs to do something with
> /dev/foo. Devd and other mechanisms can provide that without root access.
> The same idea applies to almost all of what people typically think
> requires root access.
Re: setting the password of an automatically created account
Aryeh Friedman wrote:
> 1. How do I add the user to wheel (has its own group but needs
> to be in wheel for reason number #2)?
> 2. How do I modify (in the safest possible way) another port's
> installed config file(s) (namely I need to in the case of this
> port modify /usr/local/etc/sudoers to allow the no password
> option for wheel members)?

Others may disagree, but I would be very hesitant to make this a requirement for the port. Whether all wheel-group members (not just this port) should have no-password access to sudo is very much a policy decision, and a port -- like the rest of the system -- should provide mechanism rather than dictating policy.

What are you trying to accomplish? Could you, for example, provide no-password sudo privilege to this port's unique user or group, instead of changing a global policy?

As far as how to go about modifying sudoers, perhaps the sudo port docs have some suggestions?

> Since the account's shell that is created is a custom shell for
> the port there are no security holes we know about.. even so what
> kind of (if any) security warnings should we put on the port?

For it to require no-password sudo privilege is a huge red flag. If that's truly necessary, it should be noted very prominently.
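The difference between a global no-password policy and a grant limited to the port's own user, as raised in the message above, can be checked mechanically. This is an added example, not part of the original thread; the names `portuser`, `operator1` and `/usr/local/libexec/myport-helper` and the sample sudoers text are constructed.

```shell
#!/bin/sh
# Added example: classify NOPASSWD rules in sudoers-format text.
# Limitations (assumptions of this sketch): aliases are not expanded and
# backslash-continued lines are not joined.

# Constructed sample sudoers content.
sample_sudoers() {
cat <<'EOF'
# constructed sample, not from a real system
root ALL=(ALL) ALL
# %wheel ALL=(ALL) NOPASSWD: ALL
%wheel ALL=(ALL) NOPASSWD: ALL
portuser ALL=(root) NOPASSWD: /usr/local/libexec/myport-helper
operator1 ALL=(ALL) NOPASSWD: ALL
EOF
}

# Reads sudoers text on stdin; prints "<tag> <rule>" per NOPASSWD rule.
#   BROAD  - grantee is a group (%name) or ALL, or the command list has ALL
#   SCOPED - one named user with an explicit command list
audit_nopasswd() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
        !/NOPASSWD[ \t]*:/       { next }   # only passwordless rules matter
        {
            who  = $1
            cmds = $0
            sub(/^.*NOPASSWD[ \t]*:[ \t]*/, "", cmds)   # keep command list
            gsub(/[ \t]/, "", cmds)
            broad = (who ~ /^%/ || who == "ALL" ||
                     index("," cmds ",", ",ALL,") > 0)
            tag = broad ? "BROAD" : "SCOPED"
            print tag, $0
        }'
}

sample_sudoers | audit_nopasswd
```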
Re: setting the password of an automatically created account
related questions:

1. How do I add the user to wheel (has its own group but needs to be in wheel for reason number #2)?
2. How do I modify (in the safest possible way) another port's installed config file(s) (namely I need to in the case of this port modify /usr/local/etc/sudoers to allow the no password option for wheel members)?

Since the account's shell that is created is a custom shell for the port there are no security holes we know about.. even so what kind of (if any) security warnings should we put on the port?

On Thu, Sep 5, 2013 at 11:00 PM, Perry Hutchison wrote:
> Aryeh Friedman wrote:
>
> > I have a port that needs to create a user of a given name and a
> > given default password... I found in the porters guide how to make
> > the account but not set the password
>
> This is one of the canonical uses of lang/expect.
Re: setting the password of an automatically created account
Aryeh Friedman wrote:
> I have a port that needs to create a user of a given name and a
> given default password... I found in the porters guide how to make
> the account but not set the password

This is one of the canonical uses of lang/expect.
Re: setting the password of an automatically created account
On Thu, Sep 5, 2013 at 9:52 PM, Aryeh Friedman wrote:
> I have a port that needs to create a user of a given name and a given
> default password... I found in the porters guide how to make the account
> but not set the password

this isn't the official way I'm sure, but a dirty hack could be:

echo password123 | pw usermod mynewuser -h 0 2>&1

--
Sam Fourman Jr.
setting the password of an automatically created account
I have a port that needs to create a user of a given name and a given default password... I found in the porters guide how to make the account but not set the password