User Accounts

Now that the basic setup is complete some user accounts can be added. Users will have very limited access to the system. Specifically they will be able to:

Other than that they should have no access to the server. This is accomplished in a fairly straightforward way. As an example I will add a new user. His name is Mark Spence and he is working with someone else on developing a page for the Associate Director of the program. This little shell script will add him as a user:

        REL_PATH=../../../../../usr/bin # Relative path from BASEDIR to programs to be linked in
        read -p "New Username: " NEW_USER
        cat /etc/passwd | sed -e "s/:.*//g" | grep $NEW_USER > /dev/null && echo "Username $NEW_USER already present in /etc/passwd" && exit 1
        [ -d $BASEDIR/$NEW_USER ] && echo "$BASEDIR/$NEW_USER already exists" && exit 1
        read -p "User's Full Name: " FULLNAME
        read -p "User's NT Id: " NT_ID
        useradd -g www -G cvsread -d "$BASEDIR/$NEW_USER" -s /bin/rbash -c "$FULLNAME" -M -n $NEW_USER
        smbadduser "$NEW_USER:$NT_ID"
        mkdir $BASEDIR/$NEW_USER
        cd $BASEDIR/$NEW_USER
        ln -s $REL_PATH/passwd
        ln -s $REL_PATH/smbpasswd
        ln -s $REL_PATH/cvs
        ln -s $REL_PATH/quota
        ln -s $REL_PATH/du
        echo "# .bash_profile" > .bash_profile
        echo "# $FULLNAME ($NEW_USER) added " $(date +"%A, %Y %B %d, %T (%-I:%M:%S %p)") >> .bash_profile
        echo export PATH=. >> .bash_profile
        mkdir www
        chown -R $NEW_USER:www .
        chmod -R a-w .
        chattr +i . .bash_profile

You might not have rbash set up on your system. If you don't, just create a symlink to bash named rbash. This is a restricted shell and the user is not allowed to change directories or set the environment variables SHELL, PATH, ENV, or BASH_ENV. Also they can't run commands with a / in them, so setting their path to . and not allowing them to own their home directory fairly effectively limits them to only running the programs symlinked into their home directory (passwd, smbpasswd and cvs).

Because the path is set to . the user cannot be allowed to write to her home directory, else she might put a new shell there and execute it. Also the directory and bash profile are set to immutable because even though they don't have access to the chmod command via a shell they can still change permissions via the windows filesharing. This box is intended only as a webserver and not for any other type of storage. There will be another computer running where they can have user accounts to learn on.

I am also imposing 150mb quotas on everyone which ought to be more than enough for most anything they would like to do.

        edquota mspence

And the input looks something like:

        Disk quotas for user mspence (uid 517):
          Filesystem                   blocks       soft       hard     inodes     soft     hard
          /dev/hdb4                        16     150000     150000          7        0        0

Conveniently enough this information is also available via the windows explorer properties if his home directory is mapped via smb.

This creates a basic account for him. To add a branch in the main webroot for them do:

        cvs -d /home/www/files/cvs checkout -l websites/
        mkdir rita_barnes
        cvs add rita_barnes/

This directory will not show up on the server immediately because the way that the repository is updated prunes empty directories. In order for this directory to be available for Mark to update it needs to be owned by his group:

        groupadd www-rita_barnes
        usermod -G $(id -G mspence | sed -e "s/ /,/g"),www-rita_barnes mspence
        chown :www-rita_barnes /home/www/files/cvs/websites/

Once I get a password to Mark Spence he should now be able to log in via ssh and make changes to that part of the repository. A simple session either from another Linux box or from cygwin might look like:

        export CVS_RSH=ssh
        cvs -d "" checkout websites/
        cd websites/
        echo "hi" > test.txt
        cvs add test.txt
        cvs commit -m "Testing adding a file" test.txt

This same basic process is available from any platform that has a cvs client and a ssh client.