SAVANNAHUSERS
Section: User Contributed Perl Documentation (1)
Updated: perl v5.6.1
Index
Return to Main Contents
NAME
savannahusers - manage shell accounts with savannah.gnu.org
SYNOPSIS
savannahusers [--help] [--verbose] [--fake]
[--firstuid=<number>] [--lastuid=<number>]
[--reuse] [--user=<login>]
[--allow-conflicts] [--www] [--ssh=<prog>] --file <file.xml>
DESCRIPTION
It is convenient to use Savannah (savannah.gnu.org) to manage accounts
on a machine that is completly unrelated to Savannah itself. For
instance, the project http://savannah.gnu.org/projects/fsffr/ lists
all the users who should have a shell account on the
france.fsfeurope.org machine.
A cron job on the target machine (france.fsfeurope.org in this case)
can fetch the list of users from Savannah and update the password
files accordingly. Adding a user to the machine can then simply be
done by adding the user as a developer of the project.
By default savannahusers only use a limited range of uid (61000 to
62000) to avoid interferences with existing users.
PRELIMINARY STEPS
You should do the following before using the savannahusers on the
xxx.gnu.org machine.
- create a Savannah project
-
You should first login savannah.gnu.org, register a new project named
gnuxxx. The only thing required is to explain the following in the
project description:
Manage accounts on xxx.gnu.org. Each member of the
project has an ssh account and can login with her
ssh protocol 1 public key. Automated.
- create a saccount user
-
The saccount user is needed in order to avoid using the environment
of the root user since it's potentialy hazardous for security.
useradd -m -p '*' -c 'Savannah Account Creation' -d /home/saccount saccount
- add saccount to sudoers
-
The only action this user needs to do with root permissions is to
run the savannahuser script. This can be done by adding a line
in the sudoer file.
saccount ALL=(root) NOPASSWD: /usr/bin/savannahusers
- send saccount ssh public of xxx.gnu.org
-
The ssh public key of root on xxx.gnu.org will needed to be registered
in the authorized_keys file of the xmlbase user on savannah.gnu.org.
ssh-keygen or ssh-keygen1
Do "not" set the passphrase. Only type return when asked for one.
Send it to savannah-hackers@gnu.org, saying that it's for the project
gnuxxx. Once it is added, you should be able to run:
rsync --rsh=ssh xmlbase@savannah.gnu.org: .
as saccount. This will download a file with account information for the
xxx.gnu.org machine, extracted from the member list of the
http://savannah.gnu.org/projects/gnuxxx/ project.
Once these steps are complete, you should be able to install and run
savannahusers properly. Before actually doing something, run it a few
times using --fake to make sure it does what you expect. When you're
satisfied install the cron job and forget about it.
OPTIONS
- --www
-
All user have access to www account. This account must already exists.
The ssh public keys of all the users known by savannahusers are inserted
in the authorized_key files of this account. All users will be able to
login as user www.
- --user=<login>
-
Run rsync as <login> user instead of root. The ssh protocol 1 key
of the <login> user will be used and should be known to Savannah.
- --reuse
-
Instead of fetching the account descriptions file with rsync, reuse
the file (see --file) that is in the temporary directory on the target
machine. When the program terminates the file is not deleted.
- --file=<file.xml>
-
The XML account information filename. This is the filename created
by the rsync --rsh=ssh xmlbase\@savannah.gnu.org: . command. The name
of the file is not decided by the target machine. When the program
terminates the file is deleted. It is placed in the temporary
directory.
- --ssh=<prog> (default ssh)
-
The name of the ssh program to use. For instance --ssh=ssh1.
- --allow-conflicts
-
Only send a warning if a login name conflict occurs. A name conflict
occurs when a login name is already in use with a uid outside the
range of uid managed by savannah users. The savannahusers script
assumes that this user was created independantly by someone with root
access on the target machine. As a consequence, savannahusers will
refuse to create it (or update it) even if the same login name was
registered in the Savannah project. The default behaviour is to abort,
with the --allow-conflicts a warning is sent, and the login name is ignored
by savannahusers.
- --firstuid=<number> (default 61000)
-
The low bound of the uid range managed by savannahusers.
- --lastuid=<number> (default 62000)
-
The high bound of the uid range managed by savannahusers.
- --fake
-
print actions and do nothing
- --help
-
print a short usage message.
- --verbose
-
print debugging messages on the stderr file descriptor.
CRON
Here is a sample cron job that can be stored in the file
/etc/cron.d/savannahusers:
MAILTO=system-hackers@gnu.org
#
# Update accounts from Savannah project fsffr
# http://savannah.gnu.org/projects/fsffr/
# http://savannah.gnu.org/savannah.html#Account%20Management
#
37 20 * * * saccount ( date ; sudo /usr/bin/savannahusers \
--file accounts-fsffr.xml --user saccount --www \
) >> /var/log/savannahusers.log 2>&1 < /dev/null
Before installing this cron job you should create the savannahusers.log
file and make sure it is owned by the saccount user.
touch /var/log/savannahusers.log
chown saccount /var/log/savannahusers.log
LOGROTATE
Here is a sample logrotate specification that can be stored in
the file /etc/logrotate.d/savannahusers:
/var/log/savannahusers.log {
rotate 30
weekly
compress
copytruncate
missingok
}
BUGS
Accented names are output in UTF-8. getpwent just discard them. Should
either be unaccented using Text-Unaccent.
AUTHOR
Loic Dachary (loic@gnu.org)
SEE ALSO
useradd(1).
Index
- NAME
-
- SYNOPSIS
-
- DESCRIPTION
-
- PRELIMINARY STEPS
-
- OPTIONS
-
- CRON
-
- LOGROTATE
-
- BUGS
-
- AUTHOR
-
- SEE ALSO
-
This document was created by
man2html,
using the manual pages.
Time: 10:28:28 GMT, September 02, 2001