Locking specific account without using passwd

musicmancanora · September 8, 2008, 10:59pm

Hey guys just wondering how i could lock a specific acount by prepending LK
to the password field in the /etc/shadow file.

it cannot be done through a command since the script gets called by a menu driven interface so i cant use "passwd". Is there a way where i can search for a specific account then maybe write to the file which the field needs LK?

Its a bash script by the way
thanks

Ikon · September 8, 2008, 11:05pm

Just use:

Lock account:
passwd -l {username}

Unlock:
passwd -u {username}

The string *LK* will appear in the password field for locked accounts in /etc/shadow

musicmancanora · September 8, 2008, 11:16pm

Yehhh but is there a way that i can do it without using passwd -l {username}

like if i can code something to directly modify the shoadow file without using the passwd command

maybe write to the shadow file

Ikon · September 8, 2008, 11:39pm

Ok, I have to ask, why would you want to do it anyother way.

If you dont have permissions to passwd you wont to /etc/shadow or /etc/passwd

musicmancanora · September 8, 2008, 11:43pm

For the project we are doing where not aloud to use any commands like passwd we have to modify the shadow directly they just love making things hard for us

Im testing it on my own machine as root

methyl · September 9, 2008, 8:05am

On most unixes with a shadow file you'll need to run "pwconv" immediately after a manual edit.
See "man pwconv" an check against your local circumstances.

musicmancanora · September 15, 2008, 1:01am

So is there a way to actually write to the shadow file and prepend LK to the file so you can lock it
without using the commands.

musicmancanora · September 15, 2008, 2:05am

i found AWK is there a way i can use that to ask for input to search for the account then append LK to lock it delimeted by :

Ikon · September 15, 2008, 2:03pm

If this is a "Project" as you state, this forum is not to be used for School Projects.

avronius · September 15, 2008, 2:16pm

Understand the contents of the shadow file:

man shadow
username:password:lastchg:min:max:warn:inactive:expire:flag
/etc/shadow  entries should appear in exactly the same order as  /etc/passwd  entries;

If you prepend *LK* to the beginning of a line in /etc/shadow, you will break things.
If you append *LK* to the end of the line, you may get unexpected results.

<soapbox>
Manually mangling /etc/shadow is problematic for the following reason:
If you corrupt the root entry, you will not be able to perform administrative tasks on the server, and will need to reboot from alternate media to repair.

There is a reason that we have commands like passwd. They are to ensure the integrity of the system as a whole. If you wish to bypass these safeties, you risk the entire environment.</soapbox>

musicmancanora · October 1, 2008, 11:24am

yehhh its going to be on a test machine so if it breaks it breaks but im trying to append LK

to the correct field in the shadow field. How could i do that?

methyl · October 1, 2008, 11:51am

Copy the shadow file.
Create an account.
Lock that account with "passwd -l".
Compare shadow file with the copy (man diff).
Post the output from "diff" for the awk experts to see.