Re: User Accounts with no shell access

From: David Wright (david_c_wright_at_hotmail.com)
Date: 09/22/04


Date: Wed, 22 Sep 2004 16:06:08 +0200

achilles wrote:

> I am maintaining a linux server, mainly used as a fileserver and
> mailserver. With the exception of 3 users, users do not need any shell
> access.
>
> I set-up the users with /dev/false as the login shell and as for these
> users that need no shell access there appears to be no need for a home
> directory, I specified /dev/null. Each user has his own password (mainly
> for e-mail). For samba, each user that needs to connect to a share has his
> own smbpassword. Email is going to var/spool/mail and the users are able
> to collect their mail using this setup.
>
> I am not the only one maintaining the system. Today, some users who left
> the company got deleted. The person who deleted the users was using the
> yast2 graphical interface and clicked the 'remove home directory'
> checkbox, with the result of /dev/null being deleted, creating some
> problems. Also when trying to add a new user with the yast gui, yast
> complains about 'the home directory is used for another user' if /dev/null
> is specified.
>
> How do I achieve this in a foolproof way? Is there a simpler solution?
>
> Thanks
>
> Peter

Write the procedure for adding and deleting a user down in your "procedures"
manual, with a big note at the start not to use YaST for adding users on
the machine.

If you are not the only person administering a machine, there should always
be a procedures manual so that if "you were run over by a bus", the
department could continue to run smoothly.

The procedures manual should be the first thing a new recruit in the
department reads, and should always be referenced when doing a task (in
theory, even when something is written down, the old hands tend to ignore
it after a while...). On top of that, create a "check ***" which has a
check box for each step in the procedure which needs to be accomplished.
This allows you to keep a simple paper audit when adding or deleting users
and can be tallied to the add and delete user forms coming in from
department heads.

It isn't foolproof, but it certainly can reduce the headaches. It seems
like a PITA at first, but they really are useful and work.

Once you have written the procedure out by hand, you can then experiment
with writing a shell script to automate the process and put that in the
procedures as well at the start, leaving the manual process in there so
that it is clearly understood what the script does. Then if the script
stops working, users can fall back on the manual process and trace the
error...

Dave