2

I want to temporarily modify /etc/passwd and/or /etc/group to "remove" a user/group without deleting the line.

Is there a way to do that?

http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1161913 seems to indicate it may not be supported (but may also be HPUX-specific).

warren

4 Answers

3

To temporarily lock a user's account you can do `passwd -l username`, which simply adds a '!' to the beginning of the password hash in `/etc/shadow`, preserving the user's password and preventing them from being able to log in with any password.

cpbills
  • is there an analog for `/etc/group`? – warren Jul 20 '10 at 17:45
  • you can use `addgroup user group` and `delgroup user group` – cpbills Jul 21 '10 at 19:30
  • I don't want to delete the group permanently, nor make all the changes to group memberships post-re-enabling – warren Jul 28 '10 at 01:41
  • why does it matter which groups they belong to, while their account is locked? there is not an option for 'locking' a user from a group, there's no data to retain, so it's just a matter of removing them from the group or adding them to the group. or leaving them be, because without being able to log in, it doesn't matter what their group membership is. – cpbills Jul 28 '10 at 16:26
  • @cpbills - I'm looking for a way to temporarily disable a group as well, and doing a full delete would remove all the memberships, requiring them to be recreated when the group is re-enabled (or, in this case, recreated), would it not? – warren Aug 03 '10 at 20:48
  • `delgroup username groupname` simply removes a user from the group. it does not delete the group or remove other users from the group. – cpbills Aug 04 '10 at 14:41
  • @cpbills - I need the group to be missing temporarily, though :-\ – warren Aug 14 '10 at 17:10
  • well, you could temporarily change the group's gid... that would prevent members of the group from accessing files owned by that gid... – cpbills Aug 18 '10 at 22:20
2

If you are just disabling the account you could change their shell to /sbin/nologin. For example, in /etc/passwd:

username:x:500:500:Firstname Lastname:/home/username:/sbin/nologin

runlevelsix
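
An added example, not part of either answer above: a small POSIX shell audit that reads passwd- and shadow-format files and reports whether an account's password is '!'-locked (as `passwd -l` leaves it) and whether its shell is a nologin shell. The sample files, user names and hash placeholders are constructed, the function names are hypothetical, and treating `/bin/false` like `/sbin/nologin` is an assumption made here.

```shell
#!/bin/sh
# Constructed sample data in passwd(5)/shadow(5) format; hashes are placeholders.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/passwd" <<'EOF'
alice:x:500:500:Alice Example:/home/alice:/bin/bash
bob:x:501:501:Bob Example:/home/bob:/sbin/nologin
carol:x:502:502:Carol Example:/home/carol:/bin/bash
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
alice:!$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:14800:0:99999:7:::
bob:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:14800:0:99999:7:::
carol:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:14800:0:99999:7:::
EOF

# password_state SHADOW USER: classify field 2 of the user's shadow entry.
password_state() {
    awk -F: -v u="$2" '
        $1 == u {
            found = 1
            if      ($2 ~ /^!/) print "locked"   # "!" prefix, as written by passwd -l
            else if ($2 == "*") print "none"     # no hash can ever match
            else if ($2 == "")  print "empty"    # no password required
            else                print "usable"
        }
        END { if (!found) print "missing" }' "$1"
}

# shell_state PASSWD USER: is field 7 a non-interactive shell?
shell_state() {
    awk -F: -v u="$2" '
        $1 == u {
            found = 1
            if ($7 ~ /\/(nologin|false)$/) print "nologin"; else print "interactive"
        }
        END { if (!found) print "missing" }' "$1"
}

# account_report PASSWD SHADOW USER: one line combining both checks.
account_report() {
    printf '%s password=%s shell=%s\n' "$3" \
        "$(password_state "$2" "$3")" "$(shell_state "$1" "$3")"
}

for user in alice bob carol; do
    account_report "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow" "$user"
done
```

Reading the real `/etc/shadow` requires root. A locked password on its own does not block logins that use another credential such as an SSH key, which is why the report shows both fields.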
1

From everything I have tried, there seems to be no way of doing what I am describing, so I'm going to mark this answer as the accepted one.

The only way to 'temporarily' disable a group is to `cp /etc/group <path/to/backup>`, make the change in `/etc/group`, and revert the change later if/when needed.

warren
0

Make a backup of /etc/passwd

cp /etc/passwd /etc/passwd.bak

Delete the user from the original, the backup will still have the user.

Make a script that deletes /etc/passwd and renames /etc/passwd.bak to /etc/passwd.

Set up the script in cron to do it automatically whenever you want it to run.

mistiry
  • that's what I'm currently doing. I'm looking for a way of doing this *without* backing-up the file and making a destructive change – warren Jul 20 '10 at 15:22