User Management Automation : Bash Script Guide

augusthottie

augusthottie

Posted on July 1, 2024

User Management Automation : Bash Script Guide

Trying to manage user accounts in a Linux environment can be a stressful, time-consuming and error-prone process, especially in a large organization with many users. Automating this process not only makes things easy, efficient and time-saving, but also ensures consistency and accuracy. In this article, we'll look at a Bash script designed to automate user creation, group assignment and password management. This script reads from a file containing user information, creates users and groups as specified, sets up home directories with appropriate permissions, generates random passwords and logs all actions.

Script Overview

Here's a breakdown of the bash script used to automate the user management process:

#!/bin/bash

# Constants for the script
SECURE_FOLDER="/var/secure"  # The path to the secure folder where user information will be stored
LOG_FILE="/var/log/user_management.log"  # The path to the log file for recording script execution
PASSWORD_FILE="/var/secure/user_passwords.csv"  # The path to the file where user passwords will be stored

log_message() {
    # Function to log a message with a timestamp to the log file
    # Arguments:
    #   $1: The message to be logged
    echo "$(date '+%Y-%m-%d %H:%M:%S') - $1" | tee -a $LOG_FILE
}

# Function to generate a random password
generate_password() {
    tr -dc 'A-Za-z0-9!@#$%^&*()-_' < /dev/urandom | head -c 16
}

if [ ! -d "$SECURE_FOLDER" ]; then
    # Check if the secure folder exists, if not, create it
    mkdir -p $SECURE_FOLDER
    log_message "Secure folder created."
fi

# Check for command-line argument
if [ "$#" -ne 1 ]; then
    echo "Usage: $0 <path_to_user_file>"
    exit 1
fi

USER_FILE="$1"

# Check if file exists
if [ ! -f "$USER_FILE" ]; then
    echo "File not found: $USER_FILE"
    exit 1
fi

# Create the log file and password file if they do not exist
touch $LOG_FILE
touch $PASSWORD_FILE

# Set the permissions on the password file to be read/write only by the user executing the script
chmod 600 $PASSWORD_FILE

# Write the header to the password file if it is empty
if [ ! -s $PASSWORD_FILE ]; then
    echo "Username,Password" > $PASSWORD_FILE
fi

# Add new line to USER_FILE to avoid error in while loop
echo "" >> $USER_FILE

# read one by one, there is no seperator so it will read line by line
while read -r line; do
    # Trim whitespace, and seperate them via ;
    username=$(echo "$line" | xargs | cut -d';' -f1)
    groups=$(echo "$line" | xargs | cut -d';' -f2)

    # Skip empty lines
    if [ -z "$username" ]; then
        continue
    fi

    # Create user group (personal group)
    if ! getent group "$username" > /dev/null; then
        groupadd "$username"
        log_message "Group '$username' created."
    else
        log_message "Group '$username' already exists."
    fi

    # Create user if not exists
    if ! id -u "$username" > /dev/null 2>&1; then
        useradd -m -g "$username" -s /bin/bash "$username"
        log_message "User '$username' created with home directory."

        # Generate and set password
        password=$(generate_password)
        echo "$username:$password" | chpasswd
        echo "$username,$password" >> $PASSWORD_FILE
        log_message "Password set for user '$username'."

        # Set permissions for home directory
        chmod 700 "/home/$username"
        chown "$username:$username" "/home/$username"
        log_message "Home directory permissions set for user '$username'."
    else
        log_message "User '$username' already exists."
    fi

    # Add user to additional groups
    IFS=',' read -ra group_array <<< "$groups"
        for group in "${group_array[@]}"; do
            group=$(echo "$group" | xargs) # Trim whitespace
            if [ -n "$group" ]; then
                if ! getent group "$group" > /dev/null; then
                    groupadd "$group"
                    log_message "Group '$group' created."
                fi
                usermod -aG "$group" "$username"
                log_message "User '$username' added to group '$group'."
            fi
    done
done < "$USER_FILE"
Enter fullscreen mode Exit fullscreen mode

Script Breakdown

Let's break down the key components of this script and understand how they work together to automate user management.

  • Setting up directories and files The script begins by defining the locations of the secure folder, log file and password file:
SECURE_FOLDER="/var/secure"
LOG_FILE="/var/log/user_management.log"
PASSWORD_FILE="/var/secure/user_passwords.csv"
Enter fullscreen mode Exit fullscreen mode

A function, log_message(), is used to log messages with a timestamp:

log_message() {
    echo "$(date '+%Y-%m-%d %H:%M:%S') - $1" | tee -a $LOG_FILE
}
Enter fullscreen mode Exit fullscreen mode

The script checks if the secure folder exists and creates it if it doesn't:

if [ ! -d "$SECURE_FOLDER" ]; then
    mkdir -p $SECURE_FOLDER
    log_message "Secure folder created."
fi
Enter fullscreen mode Exit fullscreen mode
  • Validating Input

The script expects a single argument: the path to the user file. It checks if the argument is provided and if the file exists:

if [ "$#" -ne 1 ]; then
    echo "Usage: $0 <path_to_user_file>"
    exit 1
fi

USER_FILE="$1"

if [ ! -f "$USER_FILE" ]; then
    echo "File not found: $USER_FILE"
    exit 1
fi
Enter fullscreen mode Exit fullscreen mode
  • Preparing Log and Password Files

The script creates and secures the log and password files:

touch $LOG_FILE
touch $PASSWORD_FILE
chmod 600 $PASSWORD_FILE

if [ ! -s $PASSWORD_FILE ]; then
    echo "Username,Password" > $PASSWORD_FILE
fi
Enter fullscreen mode Exit fullscreen mode
  • Processing the User File

The main part of the script reads the user file line by line, processes each user, and performs the following steps:

  • Read Username and Groups: It reads the username and groups from each line, trimming any whitespace:
while IFS=';' read -r username groups; do
    username=$(echo $username | xargs)
    groups=$(echo $groups | xargs)

    if [ -z "$username" ]; then
        continue
    fi
Enter fullscreen mode Exit fullscreen mode
  • Create User Group: If the user's personal group does not exist, it creates the group:
if ! getent group "$username" > /dev/null; then
    groupadd "$username"
    log_message "Group '$username' created."
else
    log_message "Group '$username' already exists."
fi
Enter fullscreen mode Exit fullscreen mode
  • Create User: If the user does not exist, it creates the user with a home directory and assigns the personal group. It also generates a random password, sets it for the user, and secures the home directory:
if ! id -u "$username" > /dev/null 2>&1; then
    useradd -m -g "$username" -s /bin/bash "$username"
    log_message "User '$username' created with home directory."

    password=$(tr -dc 'A-Za-z0-9!@#$%^&*()-_' < /dev/urandom | head -c 16)
    echo "$username:$password" | chpasswd
    echo "$username,$password" >> $PASSWORD_FILE
    log_message "Password set for user '$username'."

    chmod 700 "/home/$username"
    chown "$username:$username" "/home/$username"
    log_message "Home directory permissions set for user '$username'."
else
    log_message "User '$username' already exists."
fi
Enter fullscreen mode Exit fullscreen mode
  • Assign Groups: The script reads the additional groups for the user and assigns them, creating any missing groups:
IFS=',' read -ra group_array <<< "$groups"
for group in "${group_array[@]}"; do
    group=$(echo $group | xargs)
    if ! getent group "$group" > /dev/null; then
        groupadd "$group"
        log_message "Group '$group' created."
    fi
    usermod -aG "$group" "$username"
    log_message "User '$username' added to group '$group'."
done
Enter fullscreen mode Exit fullscreen mode
  • Finalize: The script ensures the password file is secure:
chmod 600 $PASSWORD_FILE
Enter fullscreen mode Exit fullscreen mode

The code above only allows the authorized user (executor) to read the contents of the password csv file.

Conclusion

This script provides a robust solution for managing user accounts in a Linux environment. By automating user creation, group assignment, and password management, it ensures consistency and saves valuable time for system administrators. The use of logging and secure password storage further enhances the reliability and security of the user management process.

For more information about automation and system administration, check out the HNG Internship program at HNG Internship. The program offers a wealth of resources and opportunities for aspiring DevOps engineers. Additionally, you can explore hiring opportunities at HNG Hire and premium services at HNG Premium.

By implementing such automation scripts, you can streamline your operations, reduce errors, and improve overall system security and efficiency.

💖 💪 🙅 🚩
augusthottie
augusthottie

Posted on July 1, 2024

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related