2 ################################################################################
4 # File: restrict_passwd
5 # Description: This script will convert /etc/passwd to a "restricted" passwd
6 # file. There is a list of "special" users such as system users
7 # like anon, ftp, etc as well as some administrative engineers.
8 # These users have their passwd entries passed through
9 # unmodified. All other users get either a restricted shell
10 # (sorry just rksh) and are homed to /home/vumover (this was
11 # done for the purposes of migrating views to the new view
12 # servers and may be changed at some time in the future).
14 # If -mailmode is specified then the only change to the original
15 # passwd line is that shell is set to /bin/false. This is to
16 # prevent user logins to the mail server.
18 # Note that all su (uid 0) users are consciously not written to the new
19 # passwd file unless they appear in the special users list.
21 # Finally, users from MLL are skipped.
23 # Author: Andrew DeFaria, California Language Labs
24 # Created: Fri Oct 17 09:06:46 PDT 1997
26 # Language: Korn Shell
28 # (c) Copyright 2001, Andrew@DeFaria.com, all rights reserved
30 ################################################################################
# NOTE(review): the helper definitions below (error/verbose/debug/usage)
# are shown only as fragments here; their headers, bodies and closing
# braces are not in this excerpt, so each line is kept as it appears.
#
# Error reporter: writes "$me: Error: <message>" to fd 2 (stderr).
# $me is presumably the script name, set earlier - not visible here.
34 print -u2 "$me: Error: $1"
# Verbose helper: gated on VERBOSE being non-empty.
42 if [ ! -z "$VERBOSE" ]; then
# Debug helper: gated on DEBUG being non-empty.
48 if [ ! -z "$DEBUG" ]; then
# Usage text. NOTE(review): it says entries are read from stdin and
# written to stdout, but the processing loop redirects from /etc/passwd
# into a temp file and then installs that; one of the two should change.
54 info "$me [-v] [-d] [-m] [-o file] [-u]"
55 info " -v: Turns on verbose mode"
56 info " -d: Turns on debug mode"
57 info " -m: Generate passwd file for mail server"
58 info " -o file: Specify file to place output into"
59 info " -u: Print this usage message"
61 info "$me reads password entries from stdin and writes a restricted version"
62 info "of the password entry to stdout. Some users are special and are"
63 info "unaltered. Root (su) users are skipped and not written out."
# Option parsing. The case body and the loop's "done" are not in this
# excerpt. Per the usage text: -d debug, -m mail-server mode (sets
# mailmode), -o file (sets outfile), -v verbose, -u usage. The leading
# ':' in the option string makes getopts report bad options through
# the "?" value instead of printing its own diagnostic.
70 while getopts ":dmo:vu" options; do
# Discard the parsed options so only non-option arguments remain.
97 shift $(($OPTIND - 1))
# Main loop: read one passwd entry per line and write its restricted
# form to a temp file. NOTE(review): this relies on IFS having been set
# to ':' earlier (not visible in this excerpt); without that, read would
# split on whitespace and every field would be wrong. read is used
# without -r, so a backslash in the gecos field is interpreted rather
# than preserved.
101 while read user pass uid gid geos home shell; do
# (the special-user membership check is not in this excerpt)
# Special users are written back unchanged. ksh print without -r
# re-interprets \ sequences in the expanded line, so a gecos field
# containing a backslash is not reproduced byte-for-byte.
120 verbose "****> User $user is \"special\""
121 print "$user:$pass:$uid:$gid:$geos:$home:$shell"
125 # In mail mode change shell to /bin/false. Otherwise use a restricted
126 # shell and also set the home directory to /home/vumover.
# (the shell/home assignments for each branch are not in this excerpt)
127 if [ ! -z "$mailmode" ]; then
134 # Change MoA marking to Restricted
# gecos is the *input* to sed here, not the pattern, so field content
# cannot alter the substitution; the print-without-r caveat above applies.
135 geos="$(print "$geos" | sed 's/_MoA_/_Restricted_/')"
137 # Allow no other uid 0 users other than those listed above
# $uid is unquoted: an entry with an empty uid field makes this test
# fail with a syntax error instead of being skipped.
138 if [ $uid -eq 0 ]; then
139 verbose "****> User $user is in uid 0 - skipping..."
143 # Skip users from MLL
# Match on the home directory; $home is unquoted (subject to word
# splitting and globbing). The pipeline's status is that of grep.
144 print $home | grep "\.ch\.apollo" > /dev/null 2>&1
145 if [ $? -eq 0 ]; then
146 verbose "****> User $user is from Apollo - skipping..."
# Emit the restricted entry (same print caveat as the special-user case).
150 print "$user:$pass:$uid:$gid:$geos:$home:$shell"
# SECURITY(review): /tmp/passwd.$$ is a predictable name in a
# world-writable directory, and this script runs with enough privilege
# to replace /etc/passwd. A file or symlink pre-created at that path by
# another local user would be followed by this redirection, letting
# them influence what is installed as the system passwd file. Create the
# work file with mktemp, or in a root-owned directory (e.g. alongside
# /etc/passwd) so the final install is a same-filesystem rename.
153 done < /etc/passwd > /tmp/passwd.$$
# Install the result. With no -o, the live /etc/passwd is rotated to
# /etc/passwd.old and replaced with the generated file; with -o, the
# temp file is moved to the named path.
155 if [ "_$outfile" = "_" ]; then
# NOTE(review): between these two mv's /etc/passwd does not exist, and
# nothing validates the generated file before it goes live (a malformed
# result locks every account out until .old is restored by hand).
# Writing the temp file next to /etc/passwd and renaming it over the
# original after a consistency check (a pwck-style pass) closes that
# window.
156 mv /etc/passwd /etc/passwd.old
157 mv /tmp/passwd.$$ /etc/passwd
# 0444 so every process can read passwd; ownership is not set here and
# stays whatever the temp file was created with.
158 chmod 444 /etc/passwd
# (else branch; the "else"/"fi" lines are not in this excerpt)
# $outfile is unquoted, and this branch applies no chmod.
160 mv /tmp/passwd.$$ $outfile