creating virtual user account?


Post by F. Heitka » Thu, 15 Nov 2001 21:46:35



I need to create an account for sendmail called smmsp.
I am assuming this is not like an account for a real
person that needs a home directory and a default shell.
How do I properly create such an account manually?
This is a user called smmsp and a group called smmsp.
The GID is supposed to be 25. Thanks!

Obviously I would not want to create security problems
in the process of setting up this account.

Fred

Post by S. Kru » Fri, 16 Nov 2001 03:21:42



> I need to create an account for sendmail called smmsp.
> I am assuming this is not like an account for a real
> person that needs a home directory and a default shell.
> How do I properly create such an account manually?
> This is a user called smmsp and a group called smmsp.
> The GID is supposed to be 25. Thanks!

> Obviously I would not want to create security problems
> in the process of setting up this account.

> Fred

You need to add a user to your passwd file. There needs to be a user
with a valid uid and gid.

On FreeBSD we add something like the following in the passwd file:

nobody:*:65534:65534:Unprivileged user:/nonexistent:/sbin/nologin

Best thing to do is to read passwd(1), passwd(5) and group(5) in the man
pages. They'll give a hint on how to add a user without creating a
security hole.

Bas
--
The only thing that we know is that we know nothing and that is the
highest flight of human wisdom.
                 -Leo Tolstoj

Post by Chuck Geigne » Fri, 16 Nov 2001 03:33:00



> I need to create an account for sendmail called smmsp.
> I am assuming this is not like an account for a real
> person that needs a home directory and a default shell.
> How do I properly create such an account manually?
> This is a user called smmsp and a group called smmsp.
> The GID is supposed to be 25. Thanks!

> Obviously I would not want to create security problems
> in the process of setting up this account.

> Fred

Hi Fred,
Creating the smmsp user is no different than creating any other user,
you just want to restrict access: no remote login rights, home
dir=/var/spool/clientmqueue, and since no login user will use smmsp, do
not set a passwd (treat as another system account like bin, daemon, lp,
et al).

You didn't say what 'nix you run but here's a couple of options

AIX-style "mkgroup/mkuser"
mkgroup id=25 smmsp
mkuser groups=smmsp home=/var/spool/clientmqueue login=false shell=/bin/sh su=false smmsp

LINUX-style "groupadd/useradd"
groupadd -g 25 smmsp
useradd -g smmsp -d /var/spool/clientmqueue -n -s /bin/sh smmsp

--
Chuck Geigner ---------------------------------------
AIX Sysop
Milner Library, Illinois State Univ.
"Been borrowing Occam's Razor since 1992 -
Haven't cut myself yet."_____________________________

Post by F. Heitka » Sat, 17 Nov 2001 22:37:36





>Hi Fred,
>Creating the smmsp user is no different than creating any other user,
>you just want to restrict access: no remote login rights, home
>dir=/var/spool/clientmqueue, and since no login user will use smmsp, do
>not set a passwd (treat as another system account like bin, daemon, lp,
>et al).

Do I really need a "home" directory?  For some reason that bothers me.
I am going to try the /nonexistent first.

>You didn't say what 'nix you run but here's a couple of options

I have Linux.  The main distro I use *used* to be slackware.
It is now sort of Debian like though I have compiled and installed
all the software without using .debs.  I do have RPM, apt, dselect
etc installed.

The problem with the user admin-type programs is that they seem
to be written with a real user in mind.  I have a UNIX admin
book and they call my subject user a "pseudo user".  Unfortunately
the book does not go into much detail about this type of user
account, besides mentioning what it is used for, etc.

>AIX-style "mkgroup/mkuser"
>mkgroup id=25 smmsp
>mkuser groups=smmsp home=/var/spool/clientmqueue login=false shell=/bin/sh su=false smmsp

>LINUX-style "groupadd/useradd"
>groupadd -g 25 smmsp
>useradd -g smmsp -d /var/spool/clientmqueue -n -s /bin/sh smmsp

BTW this is a bit off-topic but the new sendmail has a mqueue and
a clientmqueue.  What is the difference and what is the "real"
mail queue?  I don't recall seeing a good distinction made in
the sendmail docs I've looked at so far.

Fred

Post by Chuck Geigne » Sun, 18 Nov 2001 05:37:00


I'll pretend like you did not e-mail a personal response directly to me
:p

> Do I really need a "home" directory?  For some reason that bothers me.
> I am going to try the /nonexistent first.

If the word "home" bothers you since there is no "person" to go with the
"home," then consider it smmsp's "default" dir. The difference is
semantic, but the reality is the user.group of /var/spool/clientmqueue
needs to be set to smmsp.smmsp. Why you would not set smmsp's homedir to
the -only- directory on the whole system that it has explicit rights to
is puzzling, but OK ~ I have no idea if that will work because I do not
know whether or not smmsp calls files relatively or absolutely (you
always hope it's the latter, but who knows...)

> I have Linux.  The main distro I use *used* to be slackware.
> It is now sort of Debian like though I have compiled and installed
> all the software without using .debs.  I do have RPM, apt, dselect
> etc installed.

> The problem with the user admin-type programs is that they seem
> to be written with a real user in mind.

No problem at all(?) You can create real and role accounts alike, just
depends on the attributes and permissions that you give. Look at it this
way: "nobody" has a user account with an unset (!) access password and a
home dir of /dev/null and a UID of -1. Given that, can I rmuser "nobody"
and then recreate the exact same role account? Sure I can. Does the fact
that I created "nobody" with mkuser make "nobody" a "real" user? Not at
all, real users have access passwords, positive UIDs, shells.

> BTW this is a bit off-topic but the new sendmail has a mqueue and
> a clientmqueue.  What is the difference and what is the "real"
> mail queue?  I don't recall seeing a good distinction made in
> the sendmail docs I've looked at so far.

Read the documentation README/INSTALL files that come with the sendmail
source. The client mail queue and smmsp are explained better in those
docs than I can here, and all I would do is go read mine and come back
here to regurgitate it to you - better to see for yourself.

--
Chuck Geigner ---------------------------------------
AIX Sysop
Milner Library, Illinois State Univ.
"Been borrowing Occam's Razor since 1992 -
Haven't cut myself yet."_____________________________

Post by F. Heitka » Tue, 20 Nov 2001 09:43:43





>I'll pretend like you did not e-mail a personal response directly to me
>:p

>> Do I really need a "home" directory?  For some reason that bothers me.
>> I am going to try the /nonexistent first.

>If the word "home" bothers you since there is no "person" to go with the
>"home," then consider it smmsp's "default" dir. The difference is

I just don't like the idea of an account that doesn't have or need
a home directory having one.  But that's just me.

Anyway, the new sendmail setup seems to be working now.  I had a
couple problems that required getting the big sendmail book out
and poking around on sendmail.org.  These problems evidently
had nothing to do with the smmsp account business.  It was
set up well enough to make sendmail happy.

I stumbled upon the folder locking problem with running the
BSD mail program on Linux (O_EXLOCK IIRC), but I don't really
need the mail program now, so that's an issue for another day.

>Read the documentation README/INSTALL files that come with the sendmail
>source. The client mail queue and smmsp are explained better in those
>docs than I can here, and all I would do is go read mine and come back
>here to regurgitate it to you - better to see for yourself.

I have read them. Thanks.  Sometimes the folks that write these
programs are thinking between the lines (so to speak) and there
is not enough information for dummies like me.
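
An added example, not part of any post in this thread: a POSIX shell check for the kind of role-account entry discussed above, reading one passwd(5) line and its shadow(5) line and reporting a UID of 0, a GID other than the expected one, a missing or unlocked password, or an interactive shell. The sample entries, the UID values and the finding names are constructed for illustration; only the name smmsp, GID 25, /var/spool/clientmqueue and the shell paths come from the thread.

```shell
#!/bin/sh
# Added example. Sample entries, UID values and finding names are constructed.

# audit_account PASSWD_LINE SHADOW_LINE EXPECTED_GID
# Prints space-separated findings, or "ok" when nothing is flagged.
audit_account() {
    findings=""
    IFS=: read -r name pwfield uid gid _gecos _home shell <<EOF
$1
EOF
    IFS=: read -r sname hash _rest <<EOF
$2
EOF
    [ "$uid" -ne 0 ] || findings="$findings uid-0"
    [ "$gid" = "$3" ] || findings="$findings gid-not-$3"
    # An empty second passwd field means no password is asked for at all.
    [ -n "$pwfield" ] || findings="$findings empty-passwd-field"
    # "x" defers to shadow, where "*" or a leading "!" marks a locked password.
    if [ "$pwfield" = "x" ]; then
        [ "$name" = "$sname" ] || findings="$findings no-shadow-entry"
        case $hash in
            "")        findings="$findings empty-shadow-hash" ;;
            "*"*|"!"*) ;;
            *)         findings="$findings password-set" ;;
        esac
    fi
    # A role account that nobody logs in to needs no interactive shell.
    case $shell in
        */nologin|*/false) ;;
        *) findings="$findings interactive-shell" ;;
    esac
    if [ -n "$findings" ]; then echo "${findings# }"; else echo "ok"; fi
}

# Constructed entries: locked with nologin, then no password with /bin/sh.
locked_pw='smmsp:x:25:25:Sendmail submission:/var/spool/clientmqueue:/sbin/nologin'
locked_sh='smmsp:*:11640:0:99999:7:::'
open_pw='smmsp::25:25:Sendmail submission:/var/spool/clientmqueue:/bin/sh'
open_sh='smmsp::11640:0:99999:7:::'

echo "locked: $(audit_account "$locked_pw" "$locked_sh" 25)"
echo "open:   $(audit_account "$open_pw" "$open_sh" 25)"
```

To check a live system, pass the output of `getent passwd smmsp` and, as root, `getent shadow smmsp` as the first two arguments.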
 
 
 
