Report Users with UID >= 1000
I decided to take a more complex approach with this task than would be necessary on a "standard" Linux installation to make the script more robust. It still has some tweaks that would need to be made on a University domain-joined computer (namely, checking the lastlog command and only printing users who have actually logged in, depending on the purpose of the report, since otherwise it would include all accounts, as LDAP user providers usually handle authorization independently of user enumeration and authentication). However, for smaller lists of centralized users, or for a system that makes heavy use of ephemeral users managed by systemd, this script will work.
I did this mainly because I use centralized authentication on my personal computers, so I wanted to make sure I didn't provide a script that wouldn't even function on my own computers. It is, admittedly, less valuable to parse getent passwd enumeration when working with a large number of users in the central auth server.
However, what I see as the main purpose of a report like this -- getting a list of people who can log into a server -- would be better accomplished on a system with LDAP authentication by checking the LDAP settings on said server and doing a manual LDAP search based on those settings. That way, you wouldn't have to filter out all the users that are not allowed to log in (and will be blocked at the authorization stage by the PAM account LDAP module) but can still be resolved.
As for some design decisions I made...
I use awk to do the filtering, rather than a shell if statement, because I'm already using it to format the output. The cut command would work for extracting the fields, but can't format the output in one go like awk can. In an older version of the script, I did loop through the lines with a shell for loop and filter them with if, but I was still formatting the output with awk.
I ended up with a one-liner after simplifying the script from a for loop. Ultimately, because awk operates on lines rather than whole input, I decided that it would make more sense to send it the entire output of getent rather than one line at a time.
I also filter out the nobody user as it exists on every Linux system and would likely not have relevance to the person asking for this report. However, if it is still desired to be included, re-adding it to the report would be trivial; simply remove the grep command from the pipe.
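A sketch of the pipeline described above (getent passwd, grep to drop nobody, awk to filter and format), as an added example rather than the author's actual script. The function names, the minimum-UID parameter and the column layout are assumptions, and the sample passwd lines are constructed.

```shell
#!/bin/sh
# Added example; not the original script. Names and output format are assumptions.

# filter_users [MIN_UID]
# Reads passwd(5)-format lines on stdin and prints "name uid home shell"
# for every account with UID >= MIN_UID (default 1000), excluding nobody.
filter_users() {
    min_uid="${1:-1000}"
    # Anchored match so only the nobody account itself is dropped.
    grep -v '^nobody:' |
    awk -F: -v min="$min_uid" '
        # Skip malformed lines and non-numeric UIDs rather than
        # letting awk fall back to a string comparison.
        NF >= 7 && $3 ~ /^[0-9]+$/ && $3 + 0 >= min {
            printf "%-16s %8s  %-24s %s\n", $1, $3, $6, $7
        }'
}

# report_users [MIN_UID]
# Runs the filter over everything NSS can resolve (local files, LDAP, systemd).
report_users() {
    getent passwd | filter_users "${1:-1000}"
}

# Constructed sample input so the filter can be exercised offline.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:*:20001:20001:Bob (central auth):/home/bob:/bin/zsh
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
broken:x:abc:1:non-numeric uid:/:/bin/false
EOF
}

# Demonstration on the constructed data; use report_users on a real host.
sample_passwd | filter_users 1000
```

A resolvable account in this output is not necessarily one that can log in, which is the limitation noted above for LDAP-backed systems.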