Re: [vox-tech] Can a username be changed?
On Sun, Feb 09, 2003 at 02:55:24PM -0800, ME wrote:
>
> No, that was provided as an example of what kinds of problems could come
> up when assumptions are made about the user's home dir != their
> username...

Oh, whoops. I was skimming too quickly. :^) Sorry

-bill!

--
[EMAIL PROTECTED]                   Was I useful? Rate this message!
http://newbreedsoftware.com/bill    http://svcs.affero.net/rm.php?r=billkendrick
___
vox-tech mailing list
[EMAIL PROTECTED]
http://lists.lugod.org/mailman/listinfo/vox-tech

Re: [vox-tech] Can a username be changed?
Bill Kendrick said:
> On Sun, Feb 09, 2003 at 01:58:58PM -0800, ME wrote:
>
>> (Hey kids, don't try this at home)
>> # cd /home
>> # for i in * ; do chown ${i}.${i} $i ; done
>
> Actually, just changing the old username to the new one
> in /etc/group seemed to fix the group ownership problems.
>
> File ownership changed magically after doing the "usermod"
> command Foo suggestion.

No, that was provided as an example of what kinds of problems could come
up when assumptions are made about the user's home dir != their
username...

Re: [vox-tech] Can a username be changed?
On Sun, Feb 09, 2003 at 01:58:58PM -0800, ME wrote:
> (Hey kids, don't try this at home)
> # cd /home
> # for i in * ; do chown ${i}.${i} $i ; done

Actually, just changing the old username to the new one
in /etc/group seemed to fix the group ownership problems.

File ownership changed magically after doing the "usermod"
command Foo suggestion.

Thanks.

--
[EMAIL PROTECTED]                   Was I useful? Rate this message!
http://newbreedsoftware.com/bill    http://svcs.affero.net/rm.php?r=billkendrick

Re: [vox-tech] Can a username be changed?
On Sun, Feb 09, 2003 at 01:44:22PM -0800, Jeff Newmiller wrote:
>
> I would also make sure to rename their mail spool file,

This user doesn't get mail. :^) This user doesn't even get to run a shell
or see files in their home directory.

(I'm working on the kiosk box for Newsbeat, now that KDE 3.1 came out.
I decided "newsbeat" was a 'friendlier' username than "default", since
now when you click the big "K" menu, it says "Logout 'username'")

> and do a
>   find /etc -type f | xargs grep oldusername

Hehe... ouch. Naming the user "default" back in the beginning was
a bad idea. ;^) I don't see anything important, though...

> to find places like the sudo configuration files that might reference
> their usernames. Other applications like "mysql" or "samba" might also
> maintain parallel configurations for that username.

See above, re: kiosk ;^)

I suppose I should have mentioned how restricted the user was when I asked
the question to begin with. Most of the 'beware' details don't apply to
this. :^)

ITOH, everyone's info. is all quite helpful, it seems, and is happily
archived on lugod.org ;^)

Thanks, all!

--
[EMAIL PROTECTED]                   Was I useful? Rate this message!
http://newbreedsoftware.com/bill    http://svcs.affero.net/rm.php?r=billkendrick

Re: [vox-tech] Can a username be changed?
On Sun, Feb 09, 2003 at 01:35:41PM -0800, Foo Lim wrote:
> Hi Bill,
>
> I've never had to change someone's login, but you might look into
> usermod(8).

It worked like a charm. Thanks, Foo!

-bill!

--
[EMAIL PROTECTED]                   Was I useful? Rate this message!
http://newbreedsoftware.com/bill    http://svcs.affero.net/rm.php?r=billkendrick

Re: [vox-tech] Can a username be changed?
(some mistakes fixed)

ME said:
> Using vipw or some other tool for editing /etc/passwd is a way to do
> this.
>
> Be careful in this. Some potential "gotchas":
>
> Often home dirs are named after the username. It is a good idea to alter
> name of home dir to match new username. Some scripts may do things
> "improperly" and do a `whoami` and use this for paths, or assume
> username matches /home/ when doing shell looped shell scripts...
>
> (Hey kids, don't try this at home)
> # cd /home
> # for i in * ; do chown ${i}.${i} $i ; done
>
> Also, you may want to grep their homedir "dotfiles" for refs to their
> old username. Some apps will record the user's home dir in env vars and
> store them in ~/.some.dot.file
>
> If users share apps and have asked others to symlink to stuff they had
> in their old dir, then relative links from outside their dir will be
> broken, and all absolute path links will be busted.
>
> If you installed other tools that use db generated with the
> adduser/useradd scripts, then any username db may "get out of sync" by
> changing username.
>
> Cron jobs (username based)

The files are named after the username, and the control for
cron.allow/deny is username based. (I was not detailed enough here.)

> If you have filesharing setup with absolute paths (not relative or
> username resolvable like samba and netatalk's ~/ or $HOME, then consider
> changing those too.

I don't recall if samba and netatalk dynamically ref these for each
connection, or at startup from /etc/passwd. Daemons may need to be
restarted, but probably most won't.

> Any .htaccess files that ref specific users by name instead of "require
> valid-user" and unwisely use /etc/passwd (most of the time this is not
> wise) will need to be changed.
>
> /var/spool/mail/username ? consider a mail alias and move for new name.
>
> Entries in /etc/groups should be global searched and replaced to new
> uid.

Sorry. Jumbled two thoughts into one. (faulty compression routine.)

Many Linux distros use a group name that matches the username. Locate the
gid and alter that gid's group name to match the new username. Also, if
that older username is in several groups, make sure and do a global search
and replace of the old username to the new one to preserve special group
access.

> As you write, ensure /etc/shadow matches (vipw will likely ask you if
> you want to edit shadow after you edit passwd if you made changes and are
> using shadow passwords.)
>
> You may want to consider locating files owned by them or named with their
> username before enacting changes to help this process:
>
> # find / -name \*USERNAME\* -print > /tmp/USERNAME.named.files.txt
> # find / -user USERNAME -print > /tmp/USERNAME.user.owned.files.txt
> # find / -group USERNAME -print > /tmp/USERNAME.group.owned.files.txt
> # cat /tmp/USERNAME.group.owned.files.txt | sort | uniq -u > \
>   /tmp/USERNAME.user.diff.group.files.txt

Big oops for last command. changed to:

# cat /tmp/USERNAME.user.owned.files.txt \
  /tmp/USERNAME.group.owned.files.txt | sort | uniq -u > \
  /tmp/USERNAME.user.diff.group.files.txt

It tries to locate collisions in both lists and look for anomalies. This
permits you to just look at the anomalies and either the group or username
text files. (saves time)

> I'm sure there are other places to check, and hope others will fill in
> any holes I have left in omission.
>
> So you can do this -I've done it several times: just be careful and
> check back occasionally with user to make sure all is happy. :-)
>
> (Skip this last step if you are a BOFH.)
>
> (more below)
>
> Bill Kendrick said:
>>
>> Is there a way to change a user's login name under Unix?
>
> Yes.
>
>> Is it safe enough to simply rename their home directory and
>> edit their entry in /etc/passwd and /etc/shadow?
>
> Sometimes, but usually, no.
>
>> Or am I dealing with dangerous powers, and would be safe enough
>> creating a brand new user and deleting the old one?
>
> You are always dealing with dangerous powers (mr "has a special
> relationship with the video frame buffer") but you can manage "dangerous
> powers." ;-)

--
-BEGIN GEEK CODE BLOCK-
Version: 3.12
GCS/CM$/IT$/LS$/S/O$ !d--(++) !s !a+++(-) C++$() U$(+$) P+$>+++
L+++$(++) E W+++$(+) N+ o K w+$>++>+++ O-@ M+$ V-$>- !PS !PE Y+ PGP++
t@-(++) 5+@ X@ R- tv- b++ DI+++ D+ G--@ e+>++> h(++)>+ r*>? z?
--END GEEK CODE BLOCK--
decode: http://www.ebb.org/ungeek/ about: http://www.geekcode.com/geek.html

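The checks suggested in this thread, as an added example that is not part of any poster's message: a whole-word search for the old name (so a name like "default" does not also match "defaults"), a listing of group entries tied to it, and a labelled form of the corrected sort | uniq -u comparison. Function names and the sample tree are constructed for illustration; xargs -0 assumes GNU or BSD tools.

```shell
#!/bin/sh
# Added example, not from the thread: audit helpers to run before renaming
# a user. Function names and the sample data are constructed.
LC_ALL=C; export LC_ALL

# Files under ROOT that mention NAME as a whole word. A bare `grep default`
# also hits "defaults" and "default_route"; -w skips those. NUL-separated
# paths keep file names with spaces intact.
refs_to_user() {  # refs_to_user ROOT NAME
    find "$1" -type f -print0 2>/dev/null |
        xargs -0 grep -l -w -F -- "$2" 2>/dev/null | sort
}

# Groups tied to NAME in a group(5) file: the same-named group that needs
# renaming, and every group whose member list must be edited.
group_refs() {  # group_refs GROUPFILE NAME
    awk -F: -v u="$2" '
        $1 == u { print "named " $1 }
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++) if (m[i] == u) print "member " $1 }' "$1"
}

# Labelled form of `cat A B | sort | uniq -u`: paths that appear in only one
# of the user-owned and group-owned lists written by the find commands.
owner_group_mismatch() {  # owner_group_mismatch USERLIST GROUPLIST
    u=$(mktemp "${TMPDIR:-/tmp}/rn.XXXXXX")
    g=$(mktemp "${TMPDIR:-/tmp}/rn.XXXXXX")
    sort -u "$1" > "$u"; sort -u "$2" > "$g"
    comm -23 "$u" "$g" | sed 's/^/user-only /'
    comm -13 "$u" "$g" | sed 's/^/group-only /'
    rm -f "$u" "$g"
}

# Constructed sample tree standing in for /etc and the two find listings.
make_sample() {  # make_sample DIR
    mkdir -p "$1/etc/cron d"
    printf 'default ALL=(ALL) NOPASSWD: /sbin/halt\n' > "$1/etc/sudoers"
    printf 'defaults nosuid\ndefault_route=eth0\n' > "$1/etc/fstab.sample"
    printf '0 4 * * * default /usr/bin/cleanup\n' > "$1/etc/cron d/kiosk job"
    printf 'default:x:1001:\naudio:x:29:bill,default\nusers:x:100:bill\n' \
        > "$1/group"
    printf '/home/default\n/home/default/.kde\n/tmp/stray\n' > "$1/user.txt"
    printf '/home/default\n/home/default/.kde\n/srv/shared\n' > "$1/group.txt"
}

d=$(mktemp -d "${TMPDIR:-/tmp}/rn.XXXXXX")
make_sample "$d"
refs_to_user "$d/etc" default          # sudoers and the cron file only
group_refs "$d/group" default          # named default / member audio
owner_group_mismatch "$d/user.txt" "$d/group.txt"
rm -rf "$d"
```

On a live system the first argument would be /etc (plus any application config directories) and the list files would be the ones written by the find -user and find -group commands above.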
Re: [vox-tech] Can a username be changed?
Using vipw or some other tool for editing /etc/passwd is a way to do
this.

Be careful in this. Some potential "gotchas":

Often home dirs are named after the username. It is a good idea to alter
name of home dir to match new username. Some scripts may do things
"improperly" and do a `whoami` and use this for paths, or assume
username matches /home/ when doing shell looped shell scripts...

(Hey kids, don't try this at home)
# cd /home
# for i in * ; do chown ${i}.${i} $i ; done

Also, you may want to grep their homedir "dotfiles" for refs to their
old username. Some apps will record the user's home dir in env vars and
store them in ~/.some.dot.file

If users share apps and have asked others to symlink to stuff they had
in their old dir, then relative links from outside their dir will be
broken, and all absolute path links will be busted.

If you installed other tools that use db generated with the
adduser/useradd scripts, then any username db may "get out of sync" by
changing username.

Cron jobs (username based)

If you have filesharing setup with absolute paths (not relative or
username resolvable like samba and netatalk's ~/ or $HOME, then consider
changing those too.

Any .htaccess files that ref specific users by name instead of "require
valid-user" and unwisely use /etc/passwd (most of the time this is not
wise) will need to be changed.

/var/spool/mail/username ? consider a mail alias and move for new name.

Entries in /etc/groups should be global searched and replaced to new
uid.

As you write, ensure /etc/shadow matches (vipw will likely ask you if
you want to edit shadow after you edit passwd if you made changes and are
using shadow passwords.)

You may want to consider locating files owned by them or named with their
username before enacting changes to help this process:

# find / -name \*USERNAME\* -print > /tmp/USERNAME.named.files.txt
# find / -user USERNAME -print > /tmp/USERNAME.user.owned.files.txt
# find / -group USERNAME -print > /tmp/USERNAME.group.owned.files.txt
# cat /tmp/USERNAME.group.owned.files.txt | sort | uniq -u > \
  /tmp/USERNAME.user.diff.group.files.txt

I'm sure there are other places to check, and hope others will fill in
any holes I have left in omission.

So you can do this -I've done it several times: just be careful and
check back occasionally with user to make sure all is happy. :-)

(Skip this last step if you are a BOFH.)

(more below)

Bill Kendrick said:
>
> Is there a way to change a user's login name under Unix?

Yes.

> Is it safe enough to simply rename their home directory and
> edit their entry in /etc/passwd and /etc/shadow?

Sometimes, but usually, no.

> Or am I dealing with dangerous powers, and would be safe enough
> creating a brand new user and deleting the old one?

You are always dealing with dangerous powers (mr "has a special
relationship with the video frame buffer") but you can manage "dangerous
powers." ;-)

-ME

--
-BEGIN GEEK CODE BLOCK-
Version: 3.12
GCS/CM$/IT$/LS$/S/O$ !d--(++) !s !a+++(-) C++$() U$(+$) P+$>+++
L+++$(++) E W+++$(+) N+ o K w+$>++>+++ O-@ M+$ V-$>- !PS !PE Y+ PGP++
t@-(++) 5+@ X@ R- tv- b++ DI+++ D+ G--@ e+>++> h(++)>+ r*>? z?
--END GEEK CODE BLOCK--
decode: http://www.ebb.org/ungeek/ about: http://www.geekcode.com/geek.html
Campus IT(/OS Security): Operating Systems Support Specialist Assistant

Re: [vox-tech] Can a username be changed?
On Sunday 09 February 2003 01:44 pm, Jeff Newmiller wrote:
> On Sun, 9 Feb 2003, Bill Kendrick wrote:
> > Is there a way to change a user's login name under Unix?
>
> such a question... ;)
>
> > Is it safe enough to simply rename their home directory and
> > edit their entry in /etc/passwd and /etc/shadow?
>
> Safe enough, because security is managed by UID through those files, but
> maybe not quite complete enough.
>
> I would also make sure to rename their mail spool file, and do a
>   find /etc -type f | xargs grep oldusername
> to find places like the sudo configuration files that might reference
> their usernames. Other applications like "mysql" or "samba" might also
> maintain parallel configurations for that username.

aah, yes, excellent suggestions.

shawn.

Re: [vox-tech] Can a username be changed?
On Sunday 09 February 2003 01:29 pm, Bill Kendrick wrote:
> Is there a way to change a user's login name under Unix?
>
> Is it safe enough to simply rename their home directory and
> edit their entry in /etc/passwd and /etc/shadow?
>
> Or am I dealing with dangerous powers, and would be safe enough
> creating a brand new user and deleting the old one?

this should not be a big deal. the numerical user id is what's
important. if the UID doesn't change you won't have a problem.
use vipw to change username in /etc/passwd and /etc/shadow. that
alone would make the change--try it then ls the user's directory
and you'll see the new username show up. the home directory need
only change as a matter of convenience and consistency (i.e., users
may expect their home directory to be /home/username). if the
username is hard-coded in some configuration file someplace, you'll
have to change it, too, of course, but this is unlikely.

shawn.

Re: [vox-tech] Can a username be changed?
On Sun, 9 Feb 2003, Bill Kendrick wrote:

>
> Is there a way to change a user's login name under Unix?

such a question... ;)

> Is it safe enough to simply rename their home directory and
> edit their entry in /etc/passwd and /etc/shadow?

Safe enough, because security is managed by UID through those files, but
maybe not quite complete enough.

I would also make sure to rename their mail spool file, and do a
  find /etc -type f | xargs grep oldusername
to find places like the sudo configuration files that might reference
their usernames. Other applications like "mysql" or "samba" might also
maintain parallel configurations for that username.

> Or am I dealing with dangerous powers, and would be safe enough
> creating a brand new user and deleting the old one?

You would _still_ need to dig for references to their old username in your
mail configuration files, etc. if you tried copying to a new username to
restore all their old configurations, so I don't think that is necessarily
any safer.

---
Jeff Newmiller                        The     .       .         Go Live...
DCN:<[EMAIL PROTECTED]>               Basics: ##.#.       ##.#.  Live Go...
                                      Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
/Software/Embedded Controllers)               .OO#.       .OO#.  rocks...2k
---

Re: [vox-tech] tinydns behind NAT firewall?
On Sunday 09 February 2003 11:37 am, Samuel Merritt wrote:
> On Sun, Feb 09, 2003 at 11:24:51AM -0800, Shawn P. Neugebauer wrote:
> > Well, I'm finally getting around to setting up my own DNS server/cache,
> > and I've run into a problem.
> >
> > Is it generally possible to run tinydns behind a (dedicated) NAT firewall
> > (a netgear RP114)? The problem is that the name server wants to run
> > on an interface having the published name server IP address, but, of
> > course, it's behind a firewall masquerading as that IP address (thus,
> > the firewall is doing translation, so DNS queries could never make it to
> > the right interface).
>
> Any decent NAT box will have a way to forward packets to internal
> machines. You should be able to set up a rule that packets destined for
> the NAT box's external interface, port 53, type UDP, get forwarded to
> the DNS server.

Yes, it does have such forwarding capabilities, and I use them in a variety
of ways. The problem here isn't the forwarding--that's easy and works
great--the problem is the forwarded packets get sent to the internal machine
using the *internal* IP address--and tinydns wants to run on an interface
having the *external* IP address (IP aliasing is not the answer here, at
least not by itself).

If this is at all possible, it has to involve some type of non-standard
tinydns configuration, at least, and I'm hopeful that one of the many
tinydns users on the list will have a clue... :)

shawn.

Re: [vox-tech] Can a username be changed?
Hi Bill,

I've never had to change someone's login, but you might look into
usermod(8).

FL

On Sun, 9 Feb 2003, Bill Kendrick wrote:

> Is there a way to change a user's login name under Unix?
>
> Is it safe enough to simply rename their home directory and
> edit their entry in /etc/passwd and /etc/shadow?
>
> Or am I dealing with dangerous powers, and would be safe enough
> creating a brand new user and deleting the old one?

[vox-tech] Can a username be changed?
Is there a way to change a user's login name under Unix?

Is it safe enough to simply rename their home directory and
edit their entry in /etc/passwd and /etc/shadow?

Or am I dealing with dangerous powers, and would be safe enough
creating a brand new user and deleting the old one?

--
[EMAIL PROTECTED]                   Was I useful? Rate this message!
http://newbreedsoftware.com/bill    http://svcs.affero.net/rm.php?r=billkendrick

Re: [vox-tech] tinydns behind NAT firewall?
On Sun, Feb 09, 2003 at 11:24:51AM -0800, Shawn P. Neugebauer wrote:
> Well, I'm finally getting around to setting up my own DNS server/cache,
> and I've run into a problem.
>
> Is it generally possible to run tinydns behind a (dedicated) NAT firewall
> (a netgear RP114)? The problem is that the name server wants to run
> on an interface having the published name server IP address, but, of
> course, it's behind a firewall masquerading as that IP address (thus,
> the firewall is doing translation, so DNS queries could never make it to
> the right interface).

Any decent NAT box will have a way to forward packets to internal
machines. You should be able to set up a rule that packets destined for
the NAT box's external interface, port 53, type UDP, get forwarded to
the DNS server.

If your Netgear RP114 lacks this capability, I suggest setting up a
Linux-based NAT box. It'll give you more control over your network
traffic than any Netgear/Linksys/whatever NAT box.

> I've been digging through google searches, without finding anything obvious,
> so I thought I would ask out loud here before I dig deep.
>
> shawn.

--
Samuel Merritt
OpenPGP key is at http://meat.andcheese.org/~spam/spam_at_andcheese_dot_org.asc
Information about PGP can be found at http://www.mindspring.com/~aegreene/pgp/

[vox-tech] tinydns behind NAT firewall?
Well, I'm finally getting around to setting up my own DNS server/cache,
and I've run into a problem.

Is it generally possible to run tinydns behind a (dedicated) NAT firewall
(a netgear RP114)? The problem is that the name server wants to run
on an interface having the published name server IP address, but, of
course, it's behind a firewall masquerading as that IP address (thus,
the firewall is doing translation, so DNS queries could never make it to
the right interface).

I've been digging through google searches, without finding anything obvious,
so I thought I would ask out loud here before I dig deep.

shawn.