opening accounts from a non-root account ..
Binod K. Taterway
lubkt at spectrum.CC.Lehigh.EDU
Thu Jun 13 05:30:27 AEST 1991
I want an administrative staff to open Sun accounts for me. She will
have to change passwords, change shells, change quotas, and other
account-related items. I have created an account for her, call it
'admin.' The admin user belongs to the group 'admin.' All yp-related
stuff is modifiable by this user. I have created /etc/passwd file
with write permission to admin.
When I (as root) create accounts, I never work on the actual password
file; instead, I work on its copy using the -F option of passwd(1).
Then I check its contents using cops and other locally written
packages for any error, then copy it to the proper location in /var/yp
and run a make to update the NIS password map.
All of this works fine for root; but -F option of passwd(1) does not
work with non-root. So, I thought I might get around by generating
encrypted password in the first place.
Here begins my journey to the wondrous land of crypt(3), login(1),
DES, and a host of other programs. I realize crypt cannot generate
initial encrypted password because it doesn't have the right seed. Let
EPW be the encrypted password of the clear-text password, PW. Then,

    EPW = crypt(PW, EPW)

The second parameter of crypt is the seed: if the seed is same as EPW,
then the result of crypt is same EPW. This is what is presumably used
by login programs to validate a user.
But, my problem is to generate EPW without initial seed.
So I thought, maybe, I will create a dummy user, and get the EPW by
using the passwd(1) program directly (change password of this dummy
user, awk/grep the password field of this user, and use it in the EPW
field of the new user's password). But this means that I will be working
on the password file directly, and I don't like to do that.
Perhaps there is a simpler way. Sure, use setuid shell script. Being a
security advocate, I just don't write such scripts and I am not going
to start now. But I am dying to relieve myself of the burden of
day-to-day account management. Perhaps someone would like to share
her/his recipe on this issue if they have found a way of doing this
neatly from a non-root account.
--
---
Binod Taterway | lubkt at spectrum.CC.Lehigh.EDU
Sr. User Consultant | bt00 at lehigh.BITNET
Lehigh University Computing Center | (215) 758-3984 (off)
Bethlehem, PA 18015 | (215) 758-4983 (fax)
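
The post describes checking the edited copy of the password file before it is copied into /var/yp. As an added illustration (not code from the post; the checks chosen, the name `check_passwd` and the sample entries are assumptions made here), a sanity check of that kind over a staged copy could look like this:

```python
import re

# Traditional crypt(3) field: 2 salt characters + 11 hash characters,
# all from the 64-character set [./0-9A-Za-z].
CRYPT_FIELD = re.compile(r"[./0-9A-Za-z]{13}")

# Constructed sample of a staged passwd copy (not real accounts or hashes).
SAMPLE = """\
root:Ab3dEfGhIjKlM:0:1:Operator:/:/bin/csh
alice:xY./0123456ab:1001:20:Alice:/home/alice:/bin/csh
bob::1002:20:Bob:/home/bob:/bin/sh
carol:short:1003:20:Carol:/home/carol:/bin/sh
toor:zz9876543210A:0:1:Spare:/:/bin/sh
dave:*:1001:20:Dave:home/dave:/bin/sh
erin:abcdefghijklm:1005:20:Erin:/home/erin
"""

def check_passwd(text):
    """Return (line_no, login, problem) tuples for a staged passwd copy."""
    problems, names, uids = [], set(), {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line[0] in "+-":  # blank line or NIS +/- entry
            continue
        f = line.split(":")
        if len(f) != 7:
            problems.append((n, f[0], "expected 7 fields, got %d" % len(f)))
            continue
        name, pw, uid, gid, _gecos, home, _shell = f
        def bad(msg):
            problems.append((n, name, msg))
        if name in names:
            bad("duplicate login name")
        names.add(name)
        if not (uid.isdigit() and gid.isdigit()):
            bad("non-numeric uid or gid")
        else:
            if int(uid) == 0 and name != "root":
                bad("uid 0 on a non-root account")
            if int(uid) in uids:
                bad("uid %d already used by %s" % (int(uid), uids[int(uid)]))
            uids.setdefault(int(uid), name)
        if pw == "":
            bad("empty password field")
        # Assumption: a field starting with "*" marks a locked account.
        elif not pw.startswith("*") and not CRYPT_FIELD.fullmatch(pw):
            bad("password field is not a 13-character crypt(3) string")
        if not home.startswith("/"):
            bad("home directory is not an absolute path")
    return problems
```

Running `check_passwd(SAMPLE)` flags the entries for bob, carol, toor, dave and erin and leaves root and alice clean; a non-empty result is the signal not to install the copy.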