I am using a customized Redmine installation to manage projects. I have managed to hook the addition of new users and send the login information to a bash script I have. Below is my script:
#!/bin/sh
UNAME=$1
UPASS=$2
wall "$UNAME $UPASS"
useradd "$UNAME"
echo "$UPASS" | passwd "$UNAME" --stdin
usermod -g restricted "$UNAME"
Echo is a bash builtin so it will not show up in the process table when it shoots the password in. The problem is that I get a permission complaint from Redmine:
/opt/rms/redmine/new-user: line 5: /usr/sbin/useradd: Permission denied
Only root can do that.
/opt/rms/redmine/new-user: line 7: /usr/sbin/usermod: Permission denied
This obviously indicates that I need root permission or another method of doing this. So I attempted to set the UID bit with permissions 4755 on the file so it runs as root, and I get the same error as above. Any idea what is going on here?
My general situation is I aim to add new users to the project management system automatically as linux users, and then when they are added to a certain group I plan to hook it so that they get extended permissions that lets them access a Mercurial repository via SSH – so user management is handled completely via the front end.
Best Answer
Due to the limited information, I am not going to theorize in detail as to the potential security implications of your architecture. However, I would be especially cautious about granting the ability to add users to a non-root user.
With that said, I would discourage the use of the SUID bit for that purpose. If nothing else, because it introduces additional exposure to every user on the system. Meaning, every user could potentially add users.
As an alternative, you could configure sudo to allow the non-root user to run usermod. For example, run
visudoand add this line:redmineuser ALL=NOPASSWD: /usr/sbin/usermod