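#!/bin/sh
# $Id: clean_passwd,v 1.20 2000/06/26 14:43:00 chouanar Exp $
#
# YASSP helper: lock the password of every extra UID 0 account and of the
# listed system accounts and give them a non-interactive shell, delete the
# accounts listed in USERSDELETED, and rewrite root's comment (GECOS) field.
#
# Configuration comes from /etc/yassp.conf (ROOTNAME, NOSHELL, USERDENIED,
# ROOTALLOWED, USERSDELETED).  Without arguments the script shows its plan
# and asks for confirmation; with any argument it runs unattended.
# Every command and its output is appended to ${LOGFILE}; /etc/passwd and
# /etc/shadow are copied to *.Old (mode 000 -- they hold password hashes)
# before anything is changed.  Must run as root.

if [ -f /etc/yassp.conf ] ; then
  . /etc/yassp.conf
fi

# Private files only (umask 077); SIGINT/SIGQUIT are ignored so that an
# operator cannot interrupt the script half way through rewriting the
# passwd/shadow pair.
umask 077
trap "" 2 3
TMP=/var/SECclean_tmp
TMPUSERROOT=${TMP}/root.$$
TMPPASS=${TMP}/passwd.$$
TMPDPASS=${TMP}/dpasswd.$$
LOGFILE=/var/sadm/system/logs/yassp_cleanup_passwd.log

# Defaults for anything yassp.conf did not set.
if [ "X${ROOTNAME}" = "X" ] ; then
  ROOTNAME="Root at `uname -n`"
fi
if [ "X${NOSHELL}" = "X" ] ; then
  NOSHELL="/usr/sbin/noshell"
fi
# Fall back to /dev/null when the noshell binary is missing: it is not
# executable either, so the account still cannot obtain a shell.
if [ ! -x "${NOSHELL}" ] ; then
  NOSHELL="/dev/null"
fi
if [ "X${USERDENIED}" = "X" ] ; then
  USERDENIED='daemon bin sys adm lp smtp uucp nuucp listen nobody noaccess nobody4'
fi
if [ "X${ROOTALLOWED}" = "X" ] ; then
  ROOTALLOWED='root'
fi

echo "Cleaning the passwd file..."
#
rm -f ${TMPPASS} ${TMPDPASS} ${TMPUSERROOT}
#
# passwd.nawk reports the UID 0 accounts that are not in ROOTALLOWED.  The
# -v value is quoted so that a multi-name list reaches nawk as one argument
# instead of being word-split into bogus extra arguments.
BADROOT=`/bin/nawk -v "rootallowed=${ROOTALLOWED}" -f /opt/local/sbin/passwd.nawk /etc/passwd`

# System accounts to lock: entries of USERDENIED ('|' or space separated)
# that exist in /etc/passwd.  'root' is refused whatever the config says --
# locking it and replacing its shell would lock the administrator out.
BADUSERS=""
for i in `echo ${USERDENIED}|sed 's/\|/ /g'`
do
  if [ "${i}" = "root" ] ; then
    echo "I will not disable 'root' account!"
    continue
  fi
  grep "^$i:" /etc/passwd > /dev/null
  if [ $? -eq 0 ] ; then
    BADUSERS="${BADUSERS} ${i}"
  fi
done

# Accounts to delete: USERSDELETED entries that exist; root is refused.
DELUSERS=""
if [ "X${USERSDELETED}" != "X" ] ; then
  for i in ${USERSDELETED}
  do
    if [ "${i}" != "root" ] ; then
      grep "^$i:" /etc/passwd > /dev/null
      if [ $? -eq 0 ] ; then
        DELUSERS="${DELUSERS} ${i}"
      fi
    else
      echo "I will not delete 'root' account!"
    fi
  done
fi

# Show the plan.  The ROOTNAME line used to be guarded by a test of $? from
# the preceding echo, which is always 0, so it is printed unconditionally.
if [ $# -eq 0 ] ; then
  echo "I am ready to do the following changes:"
fi
echo " Disabling UID 0 account(s): "
echo " ${BADROOT}"
echo " Disabling system account(s): "
echo " ${BADUSERS}"
echo " Deleting account(s): "
echo " ${DELUSERS}"
echo "root identity will be changed to \"${ROOTNAME}\""

# Ask for confirmation only when no argument was given; any argument means
# "run unattended".
if [ $# -eq 0 ] ; then
  echo "do you want to continue [y|n]? 
[n] \c"
  read REPY
  if [ "${REPY}" != "Y" -a "${REPY}" != "y" ] ; then
    echo "Aborting password cleanup"
    exit 1
  fi
fi

# Refuse to change anything unless the audit log can be written and both
# backups were taken: a failed copy would leave no way back from a bad run.
touch "${LOGFILE}"
if [ $? -ne 0 ] ; then
  echo "cannot write ${LOGFILE}; aborting password cleanup"
  exit 1
fi
cp /etc/passwd /etc/passwd.Old && cp /etc/shadow /etc/shadow.Old
if [ $? -ne 0 ] ; then
  echo "cannot save /etc/passwd and /etc/shadow; aborting password cleanup"
  exit 1
fi
# The copies hold password hashes: no access for anyone but root.
chmod 000 /etc/passwd.Old /etc/shadow.Old
echo "password and shadow files saved under /etc/passwd.Old and /etc/shadow.Old"

echo "*** cleanup_passwd: " `date` >> ${LOGFILE}
echo " run by : \c" >> ${LOGFILE}
who am i >> ${LOGFILE}
echo "" >> ${LOGFILE}
echo "" >> ${LOGFILE}

# Lock the password in the local files repository (-r files) and replace the
# login shell; each command and its output go to the log.
for i in ${BADROOT} ${BADUSERS}
do
  echo /usr/bin/passwd -r files -l $i >> ${LOGFILE}
  /usr/bin/passwd -r files -l $i 2>&1 | /usr/bin/tee -a ${LOGFILE}
  echo /usr/sbin/passmgmt -m -s ${NOSHELL} $i >> ${LOGFILE}
  /usr/sbin/passmgmt -m -s ${NOSHELL} $i 2>&1 | /usr/bin/tee -a ${LOGFILE}
done

# passmgmt -d removes only the passwd/shadow entries; any home directory or
# files owned by the UID are left behind and must be dealt with by hand.
if [ "X${DELUSERS}" != "X" ] ; then
  for i in ${DELUSERS}
  do
    echo /usr/sbin/passmgmt -d $i >> ${LOGFILE}
    /usr/sbin/passmgmt -d $i 2>&1 | /usr/bin/tee -a ${LOGFILE}
  done
fi

# ROOTNAME is passed as one argument.  The original wrapped it in literal
# \" characters, which passmgmt stored as part of the comment field.
echo /usr/sbin/passmgmt -m -c \"${ROOTNAME}\" root >> ${LOGFILE}
/usr/sbin/passmgmt -m -c "${ROOTNAME}" root 2>&1 | /usr/bin/tee -a ${LOGFILE}

echo "*** cleanup_passwd: " `date` " Done" >> ${LOGFILE}
echo "" >> ${LOGFILE}
echo "" >> ${LOGFILE}

# passmgmt rewrites /etc/passwd; make sure it ends up world-readable and
# owned by root:sys as the system expects.  /etc/shadow is left as passmgmt
# wrote it.
chmod 0644 /etc/passwd
chgrp sys /etc/passwd
chown root /etc/passwd
exit 0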