Sorry that I have to quote so much of what you posted, but I think I need to make all this context clear. On 23/08/17 11:23 AM, Paul Groves wrote:
> Now the problem lies in having to train all of these staff exactly which commands to type in. Especially every year when there are several hundred to do (it is a school). The chance for human error is very high and it causes a lot of work correcting everything. So to save these problems, I have been asked to make a PHP based web console for the technicians to perform routine tasks such as this, therefore eliminating the human factor.
>
> This server is already running apache for our internal portal. So I have made another virtualhost for the console. This virtualhost only allows connections from the IT department IP addresses (same as our sshd_config).
>
> Also the virtualhost uses a non standard port that has been opened in the firewall only for the IT department IP addresses (same as port 22 is configured for ssh).
>
> The virtualhost also requires the user to log in and only allows users in the sudo group on this server (therefore only the 4 IT administrators).
>
> So now I have a php site that only the IT staff from the computers in the IT department can access.
>
> I have written a script for each of the required tasks. One example is creating users.
>
> So basically the goal is to have the IT admin log into the console in their browser, go to the add user page, check everything is correct for the new user(s), then click 'create', which then executes the add user script like so:
>
> sudo php /srv/script/addusers.php users_array
>
> where the users argument is a multi-dimensional array containing username, Full name, groups, home directory path etc... for each user to be created.
>
> Here lies the problem. The script will only work using sudo (because of useradd or chown, chmod and other commands which cannot be run as the www user).
You are solving the wrong problem. The problem-about-the-doing lies in the way you have stated a solution. The solution is the last thing. "Why code? That's the last thing I will do!" Yes, even after building your test framework!

I suspect it's a pernicious influence of the GUI model that comes with Windows, be it the Microsoft way of looking at things, or even Apple or YaST. The killer is in the step and repeat, which a GUI forces on you.

What you want to end up with is an extended /etc/passwd (or equivalent) file with all those fields, username, Full name, groups, home directory path etc..., all there. So why not build that file and 'cat' it to the end ... oh, right, you need to create the home directories and put the templates in place, yamma, yamma, and 'adduser' does that[1].

So what I did back in those antediluvian ages was to build that file and submit it to a script that read each line, did verification on the contents for blatant stuff like out of band characters (cf "little Jimmy Fields"), clashes, and more, then ran useradd with that parameter list. Anything the checks rejected was, of course, logged.

I later decided that a two-pass approach was better. Scan everything and reject the whole file unless it was internally consistent, did not clash with anything already configured and passed a series of security checks.

I should mention that there are situations where GUIs are nice; dealing with email, browsing the web, full screen editing so you can see all you are writing (especially in word-processor mode!) and more -- it's wonderful. But when you are doing step-and-repeat, a GUI is a PIG! It is so totally the wrong way to do things that I can't comprehend what sort of mind wants to punish people by compelling them to do this tedious step-and-repeat. What do they think this is? Some sort of 15th century workhouse, the days before any automation?

As far as I'm concerned the computer is there to serve me, and this sort of step and repeat approach is making the user serve the computer. Thank you Microsoft and others for brainwashing so many people to think that such tedium is the norm.

[1] IIR SUN found a way around that, which, wouldn't you know it, involved PAM. See the man page for 'pam_mount' to start with. IIR the home directory was created on the server at the first login. I forget the mechanism. See also mechanism for 'mount on demand'.

--
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?
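The two-pass batch approach described in the reply above, written out as an added example; this is not code from either poster or from the openSUSE project. It assumes a colon-separated batch file of the form username:Full name:groups:home (an assumption, chosen to mirror /etc/passwd), and it stands in for the real system state with constructed sets of existing users and groups; in practice those would come from pwd.getpwall() and grp.getgrall(). Pass one parses and checks every line and collects every problem (malformed or clashing usernames, field-separator and control characters in the GECOS, unknown groups, home directories that escape the home root, duplicates within the batch); the file is rejected as a whole if anything fails. Pass two only runs on a clean file and produces the useradd(8) argv for each entry as a list, so no shell is involved and the validated fields cannot be reinterpreted as options or extra commands. Nothing here executes anything; the caller runs the argv lists as root once the whole batch has been accepted.

```python
"""Two-pass validation of a batch user file before any useradd runs.

Added example. Batch format (assumed): username:Full name:groups:home
Existing users/groups below are constructed sample data, not read from
the system; replace with pwd.getpwall() / grp.getgrall() in real use.
"""
import posixpath
import re
from typing import Dict, List, Set, Tuple

# Conservative login-name policy. shadow-utils accepts a bit more, but this
# rules out leading '-', shell metacharacters and anything non-ASCII.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
GROUP_RE = USERNAME_RE
# GECOS must not carry the passwd field separator or control characters.
GECOS_BAD = re.compile(r"[:\x00-\x1f\x7f]")

Entry = Dict[str, object]


def parse_batch(text: str) -> Tuple[List[Entry], List[str]]:
    """Split the file into entries; blank lines and '#' comments are skipped."""
    entries: List[Entry] = []
    errors: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            # A ':' inside the full name lands here: wrong field count.
            errors.append(f"line {lineno}: expected 4 colon-separated fields, got {len(fields)}")
            continue
        username, fullname, groups, home = (f.strip() for f in fields)
        entries.append({"line": lineno, "username": username, "fullname": fullname,
                        "groups": [g for g in groups.split(",") if g], "home": home})
    return entries, errors


def check_entry(e: Entry, existing_users: Set[str], existing_groups: Set[str],
                home_root: str) -> List[str]:
    """Per-line checks: syntax, clashes with the system, and path containment."""
    where = f"line {e['line']}"
    errs: List[str] = []
    user = str(e["username"])
    if not USERNAME_RE.match(user):
        errs.append(f"{where}: malformed username {user!r}")
    elif user in existing_users:
        errs.append(f"{where}: user {user!r} already exists")
    if not e["fullname"] or GECOS_BAD.search(str(e["fullname"])):
        errs.append(f"{where}: full name empty or contains ':' / control characters")
    if not e["groups"]:
        errs.append(f"{where}: no groups given")
    for g in e["groups"]:  # type: ignore[union-attr]
        if not GROUP_RE.match(g) or g not in existing_groups:
            errs.append(f"{where}: unknown or malformed group {g!r}")
    home = str(e["home"])
    root = posixpath.normpath(home_root)
    if not posixpath.isabs(home) or posixpath.normpath(home) != home:
        errs.append(f"{where}: home {home!r} must be absolute and normalised (no '..')")
    elif home == root or posixpath.commonpath([root, home]) != root:
        errs.append(f"{where}: home {home!r} is outside {root}")
    return errs


def useradd_argv(e: Entry) -> List[str]:
    """argv for useradd(8); executed later with subprocess.run, never via a shell."""
    return ["useradd", "--create-home", "--home-dir", str(e["home"]),
            "--comment", str(e["fullname"]), "--groups", ",".join(e["groups"]),  # type: ignore[arg-type]
            str(e["username"])]


def validate_batch(text: str, existing_users: Set[str], existing_groups: Set[str],
                   home_root: str = "/home") -> Tuple[List[str], List[List[str]]]:
    """Pass 1: check everything, collect every error. Pass 2: build commands only
    if pass 1 found nothing. Returns (errors, commands); one of them is empty."""
    entries, errors = parse_batch(text)
    seen_users: Set[str] = set()
    seen_homes: Set[str] = set()
    for e in entries:
        errors.extend(check_entry(e, existing_users, existing_groups, home_root))
        if e["username"] in seen_users:
            errors.append(f"line {e['line']}: username {e['username']!r} repeated in batch")
        if e["home"] in seen_homes:
            errors.append(f"line {e['line']}: home {e['home']!r} repeated in batch")
        seen_users.add(str(e["username"]))
        seen_homes.add(str(e["home"]))
    if errors:
        return errors, []  # whole file rejected; caller logs every error
    return [], [useradd_argv(e) for e in entries]


# Constructed sample system state and batches (not real accounts).
EXISTING_USERS = {"root", "www", "pgroves"}
EXISTING_GROUPS = {"students", "staff", "sudo"}
GOOD_BATCH = """# username:Full name:groups:home
jsmith:John Smith:students:/home/students/jsmith
akhan:Aisha Khan:students,staff:/home/staff/akhan
"""
BAD_BATCH = """jsmith:John Smith:students:/home/students/jsmith
jsmith:John Smith:students:/home/students/jsmith2
pgroves:Paul Groves:sudo:/home/staff/pgroves
jfields:Jimmy Fields:students:/home/../etc/cron.d
bob;id:Bob Tables:students:/home/students/bob
mlee:Mary Lee:wheel:/home/students/mlee
"""

if __name__ == "__main__":
    for name, batch in (("good", GOOD_BATCH), ("bad", BAD_BATCH)):
        errs, cmds = validate_batch(batch, EXISTING_USERS, EXISTING_GROUPS)
        print(f"{name}: {len(errs)} errors, {len(cmds)} commands")
        for line in errs + [" ".join(c) for c in cmds]:
            print("  ", line)
```

The bad batch trips five separate checks (a repeated username, a clash with an existing account, a home path that climbs out of /home, a username with a shell metacharacter, and an unknown group) and produces no commands at all, which is the point of the two-pass design: the technician fixes the file and resubmits, and nothing half-done is left on the system.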