SAVANNAHUSERS

Section: User Contributed Perl Documentation (1)
Updated: perl v5.6.1

NAME

savannahusers - manage shell accounts with savannah.gnu.org  

SYNOPSIS

    savannahusers [--help] [--verbose] [--fake]
          [--firstuid=<number>] [--lastuid=<number>]
          [--reuse] [--user=<login>]
          [--allow-conflicts] [--www] [--ssh=<prog>] --file <file.xml>


 

DESCRIPTION

It is convenient to use Savannah (savannah.gnu.org) to manage accounts on a machine that is completely unrelated to Savannah itself. For instance, the project http://savannah.gnu.org/projects/fsffr/ lists all the users who should have a shell account on the france.fsfeurope.org machine.

A cron job on the target machine (france.fsfeurope.org in this case) can fetch the list of users from Savannah and update the password files accordingly. Adding a user to the machine can then simply be done by adding the user as a developer of the project.

By default savannahusers only uses a limited range of uids (61000 to 62000) to avoid interfering with existing users.  

PRELIMINARY STEPS

You should do the following before using savannahusers on the xxx.gnu.org machine.
create a Savannah project
You should first log in to savannah.gnu.org and register a new project named gnuxxx. The only requirement is that the project description explain the following:

    Manage accounts on xxx.gnu.org.  Each member of the
    project has an ssh account and can login with her
    ssh protocol 1 public key. Automated.



create a saccount user
The saccount user is needed to avoid using the environment of the root user, which is potentially hazardous for security.

  useradd -m -p '*' -c 'Savannah Account Creation' -d /home/saccount saccount



add saccount to sudoers
The only action this user needs to perform with root permissions is running the savannahusers script. This can be done by adding a line to the sudoers file.

  saccount      ALL=(root) NOPASSWD:  /usr/bin/savannahusers



send saccount ssh public key of xxx.gnu.org
The ssh public key of root on xxx.gnu.org will need to be registered in the authorized_keys file of the xmlbase user on savannah.gnu.org.

  ssh-keygen or ssh-keygen1


Do not set a passphrase. Just press return when asked for one.

Send it to savannah-hackers@gnu.org, saying that it's for the project gnuxxx. Once it is added, you should be able to run:

   rsync --rsh=ssh xmlbase@savannah.gnu.org: .


as saccount. This will download a file with account information for the xxx.gnu.org machine, extracted from the member list of the http://savannah.gnu.org/projects/gnuxxx/ project.

Once these steps are complete, you should be able to install and run savannahusers properly. Before actually doing something, run it a few times using --fake to make sure it does what you expect. When you're satisfied, install the cron job and forget about it.  

OPTIONS


--www
All users have access to the www account. This account must already exist. The ssh public keys of all the users known by savannahusers are inserted in the authorized_keys file of this account. All users will be able to log in as user www.
--user=<login>
Run rsync as <login> user instead of root. The ssh protocol 1 key of the <login> user will be used and should be known to Savannah.
--reuse
Instead of fetching the account descriptions file with rsync, reuse the file (see --file) that is in the temporary directory on the target machine. When the program terminates the file is not deleted.
--file=<file.xml>
The XML account information filename. This is the filename created by the rsync --rsh=ssh xmlbase@savannah.gnu.org: . command. The name of the file is not decided by the target machine. When the program terminates the file is deleted. It is placed in the temporary directory.
--ssh=<prog> (default ssh)
The name of the ssh program to use. For instance --ssh=ssh1.
--allow-conflicts
Only send a warning if a login name conflict occurs. A name conflict occurs when a login name is already in use with a uid outside the range of uids managed by savannahusers. The savannahusers script assumes that this user was created independently by someone with root access on the target machine. As a consequence, savannahusers will refuse to create it (or update it) even if the same login name was registered in the Savannah project. The default behaviour is to abort; with --allow-conflicts a warning is sent and the login name is ignored by savannahusers.
--firstuid=<number> (default 61000)
The low bound of the uid range managed by savannahusers.
--lastuid=<number> (default 62000)
The high bound of the uid range managed by savannahusers.
--fake
print actions and do nothing
--help
print a short usage message.
--verbose
print debugging messages on the stderr file descriptor.
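
The conflict rule described under --allow-conflicts, written out as an added shell example (not code from savannahusers) that can be run against a passwd(5)-format file to preview which logins would conflict. The function names, the sample accounts and the inclusive treatment of the uid bounds are assumptions.

```shell
#!/bin/sh
# Added example (not from savannahusers): the --allow-conflicts rule applied
# to a passwd(5)-format file. All function names here are hypothetical.
FIRSTUID=61000   # default --firstuid
LASTUID=62000    # default --lastuid; bounds assumed inclusive

# classify_login <passwd-file> <login>  ->  new | managed | conflict
classify_login() {
    awk -F: -v login="$2" -v lo="$FIRSTUID" -v hi="$LASTUID" '
        $1 == login {
            found = 1
            # conflict: the name is taken by a uid outside the managed range
            if ($3 + 0 >= lo && $3 + 0 <= hi) { print "managed" } else { print "conflict" }
            exit
        }
        END { if (!found) print "new" }' "$1"
}

# plan_run <passwd-file> <allow-conflicts 0|1> <login>...
# Prints one decision per login. Returns 1 at the first conflict (the default
# abort) unless allow-conflicts is 1, where it warns and ignores the login.
plan_run() {
    passwd_file=$1; allow=$2; shift 2
    for login in "$@"; do
        case $(classify_login "$passwd_file" "$login") in
            new)     echo "create $login" ;;
            managed) echo "update $login" ;;
            conflict)
                if [ "$allow" = 1 ]; then
                    echo "warning: $login is outside $FIRSTUID-$LASTUID" >&2
                    echo "skip $login"
                else
                    echo "abort $login"; return 1
                fi ;;
        esac
    done
}

# Constructed sample data: "backup" and "dave" are locally created accounts.
make_sample_passwd() {
    f=$(mktemp) || return 1
    printf '%s\n' 'backup:x:34:34:backup:/var/backups:/bin/sh' \
        'alice:x:61001:61001:Alice:/home/alice:/bin/sh' \
        'dave:x:62001:62001:Dave:/home/dave:/bin/sh' > "$f"
    echo "$f"
}

sample=$(make_sample_passwd)
plan_run "$sample" 1 alice backup carol   # carol is not in the file yet
rm -f "$sample"
```
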
 

CRON

Here is a sample cron job that can be stored in the file /etc/cron.d/savannahusers:

  MAILTO=system-hackers@gnu.org
  #
  # Update accounts from Savannah project fsffr
  # http://savannah.gnu.org/projects/fsffr/
  # http://savannah.gnu.org/savannah.html#Account%20Management
  #
  37 20 * * *     saccount    ( date ; sudo /usr/bin/savannahusers \
          --file accounts-fsffr.xml --user saccount --www \
          ) >> /var/log/savannahusers.log 2>&1 < /dev/null


Before installing this cron job you should create the savannahusers.log file and make sure it is owned by the saccount user.

  touch /var/log/savannahusers.log
  chown saccount /var/log/savannahusers.log


 

LOGROTATE

Here is a sample logrotate specification that can be stored in the file /etc/logrotate.d/savannahusers:

  /var/log/savannahusers.log {
    rotate 30
    weekly
    compress
    copytruncate
    missingok
  }


 

BUGS

Accented names are output in UTF-8. getpwent just discards them. Should either be unaccented using Text-Unaccent.  

AUTHOR

Loic Dachary (loic@gnu.org)  

SEE ALSO

useradd(1).
 

Updated: $Date: 2006/04/22 13:07:11 $