User and Group Management in Linux
Emmanuel Omoiya
Posted on July 4, 2024
Organizations today keep valuable secrets (proprietary data, trade secrets and the like) on shared company servers, so adding an employee to such a server has to be done carefully: the account should be placed only in the groups its job role requires, so that sensitive information is readable only by the people meant to see it, for example the CEO, CTO or CMO.
Today we'll look at how to do exactly that on Linux, using Ubuntu as the case-study environment.
How are we going to implement this you may ask?
We're going to write a bash script that takes the path to a .txt file as its input; the file lists the employees and the groups you want to place them in.
For example:
alice; developers, foodies
bob; testers, admins
Each line has the form user;groups: a semicolon separates the user name from the group list, and the groups themselves are separated by commas.
Before writing any code, let's state explicitly what the script must do:
- Read users from a file whose lines have the format user; groups
- Create the users and groups as specified
- Set up home directories with appropriate permissions and ownership
- Generate a random password for each user
- Store the generated passwords securely in /var/secure/user_passwords.txt
- Log every action to /var/log/user_management.log
Note: error scenarios such as a user that already exists must be handled rather than aborting the run.
Preparatory steps
- Create a file named create_users.sh in your home directory on Linux:
touch create_users.sh
- Open the file in the nano editor to add the code:
nano create_users.sh
Now let's walk through the script step by step.
Step 1
Start the file with a bash shebang, then define the paths where the log and the generated passwords will be saved
#!/bin/bash
LOG_FILE="/var/log/user_management.log"
PASSWORD_FILE="/var/secure/user_passwords.txt"
Step 2
Check that the script is run as root. This must come before anything touches /var/secure or /var/log, since only root can write there; a non-root run would otherwise fail with permission errors before it ever reached the check. (Logging this failure is pointless for the same reason: a non-root user cannot write to the log file.)
if [ "$EUID" -ne 0 ]; then
echo "Please run as root."
exit 1
fi
Step 3
Ensure the password directory exists and is accessible only by root. The chmod is applied unconditionally so that an existing directory with looser permissions is tightened too.
mkdir -p /var/secure
chmod 700 /var/secure
Step 4
Ensure the log file and password file exist with the right permissions. The password file is created under a restrictive umask so that it never exists, even briefly, with the default world-readable mode before the chmod runs.
(umask 077; touch "$PASSWORD_FILE")
chmod 600 "$PASSWORD_FILE"
touch "$LOG_FILE"
chmod 644 "$LOG_FILE"
Step 5
Add the function that logs every action with a timestamp
log(){
echo "$(date '+%Y-%m-%d %H:%M:%S') - $1" >> "$LOG_FILE"
}
Step 6
Check that an input file was given and that it is a readable regular file
if [ $# -lt 1 ] || [ ! -f "$1" ] || [ ! -r "$1" ]; then
log "Input file not provided or not readable."
echo "Usage: $0 <input_file>"
exit 1
fi
Step 7
Add the function that generates a random password for each user. It reads the kernel CSPRNG (/dev/urandom), keeps only characters from the allowed set and takes the first 16. Eight characters, as often seen in tutorials, is too short for a password that will be written to a file and handed to someone. Note that without pipefail the exit status of the pipeline is that of head, so tr being cut off by SIGPIPE does not make the function fail.
generate_password(){
tr -dc 'A-Za-z0-9!@#$%^&*()_+' < /dev/urandom | head -c 16
}
Step 8
Read the input file line by line (the || clause makes sure a last line without a trailing newline is still processed). Leading and trailing whitespace around each field is trimmed with bash parameter expansion rather than by piping through xargs: xargs interprets quotes and backslashes in its input and aborts on an unmatched quote, so a stray character in the file would break the run. Blank lines are skipped, and a user that already exists is logged and skipped rather than modified.
while IFS=';' read -r user groups || [ -n "$user" ]; do
user="${user#"${user%%[![:space:]]*}"}" # trim leading whitespace
user="${user%"${user##*[![:space:]]}"}" # trim trailing whitespace
groups="${groups#"${groups%%[![:space:]]*}"}"
groups="${groups%"${groups##*[![:space:]]}"}"
[ -z "$user" ] && continue # skip blank lines
if id "$user" &>/dev/null; then
log "User $user already exists."
echo "User $user already exists. Skipping."
continue
fi
Steps 9 to 13 go inside this while loop, before the closing done.
Step 9
Create any groups that do not exist yet and collect the group names in a comma-separated string for useradd. Empty names (from a trailing comma or a double comma) are ignored, and a group is only logged as created if groupadd actually succeeded.
IFS=',' read -ra group_list <<< "$groups"
group_string=""
for group in "${group_list[@]}"; do
group="${group#"${group%%[![:space:]]*}"}" # trim leading whitespace
group="${group%"${group##*[![:space:]]}"}" # trim trailing whitespace
[ -z "$group" ] && continue
if getent group "$group" &>/dev/null; then
log "Group $group already exists."
elif groupadd "$group"; then
log "Group $group created."
else
log "Failed to create group $group. Skipping it."
continue
fi
group_string+="$group,"
done
group_string=${group_string%,} # Remove trailing comma
Step 10
Create the user and add it to the supplementary groups. -m creates the home directory, and on Ubuntu useradd also creates a primary group named after the user (USERGROUPS_ENAB yes in /etc/login.defs). -G is only passed when the line actually listed groups, and the exit status of useradd itself is tested instead of reading $? afterwards.
useradd_args=(-m)
[ -n "$group_string" ] && useradd_args+=(-G "$group_string")
if useradd "${useradd_args[@]}" "$user"; then
log "User $user created and added to groups: ${group_string:-none}"
else
log "Failed to create user $user."
echo "Failed to create user $user. Check log for details."
continue
fi
Step 11
Generate and assign a password. chpasswd reads user:password pairs on standard input, so the password never appears on a command line where other users could read it from the process list. If setting it fails, the account created by useradd stays locked (no usable password), which is the safe failure mode.
password=$(generate_password)
if echo "$user:$password" | chpasswd; then
log "Password set for user $user."
else
log "Failed to set password for user $user."
echo "Failed to set password for user $user. Check logs for details."
continue
fi
Step 12
Store the password. "Securely" here means a file only root can read (mode 600 inside a mode 700 directory); the contents are still plaintext. Hand each password to its owner out of band, force a change at first login (chage -d 0 <user>), and delete the file once the passwords have been delivered.
echo "$user:$password" >> "$PASSWORD_FILE"
log "Password for user $user stored securely."
Step 13
Set ownership and permissions on the home directory. useradd -m already creates /home/<user> owned by the new user, so the chown is belt-and-braces; the chmod tightens the default mode (0750 or 0755, depending on HOME_MODE in /etc/login.defs) so that other users cannot browse the directory at all.
chown "$user:$user" "/home/$user"
chmod 700 "/home/$user"
log "Home directory for user $user set up with appropriate permissions."
Last Step
Close the while loop, feeding it the input file, and log the end of the run
done < "$1"
log "Users - groups creation process completed."
echo "User creation process completed. Check $LOG_FILE for details."
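The script above only does anything when run as root on a real system. Below is an added example, not part of the original post, of the parsing and validation logic a hardened create_users.sh should apply to the user;groups file, written as a dry-run planner: it reads the same format, rejects malformed lines (including the bob; testers; admins form, where the groups are wrongly separated by semicolons), trims without xargs, drops empty and duplicate group names, generates a password of a chosen length, and prints the groupadd/useradd/chage commands it would run instead of running them, so it can be tried as an ordinary user. The comment syntax, the NAME_REGEX rule, the "only one semicolon per line" rule and the chage -d 0 step are assumptions of this example rather than something the post specifies, and the sample input is constructed here.

```bash
#!/usr/bin/env bash
# Added example, not the post's create_users.sh: a dry-run planner for the
# "user; group1, group2" format. Assumptions not made by the post: '#' starts a
# comment, names must match NAME_REGEX, a second ';' on a line is an error,
# and chage -d 0 is used to force a password change at first login.

NAME_REGEX='^[a-z_][a-z0-9_-]{0,31}$'   # conservative account/group name rule

# trim STR: strip leading/trailing whitespace with parameter expansion.
# ("echo | xargs" also interprets quotes and backslashes in the data and
# aborts on an unmatched quote, so it is deliberately not used.)
trim() {
  local s="$1"
  s="${s#"${s%%[![:space:]]*}"}"
  s="${s%"${s##*[![:space:]]}"}"
  printf '%s' "$s"
}

# parse_line LINE: prints "user<TAB>group1,group2" (group part may be empty)
# and returns 0; returns 2 for a blank/comment line; returns 1 with a reason
# on stderr for a malformed line.
parse_line() {
  local raw="$1" line user groups rest g joined=""
  local -a parts
  line="${raw%%#*}"                               # strip a trailing comment
  [ -z "$(trim "$line")" ] && return 2
  IFS=';' read -r user groups rest <<< "$line"
  user=$(trim "$user")
  if [ -n "$(trim "$rest")" ]; then              # e.g. "bob; testers; admins"
    echo "reject '$raw': groups must be separated by ',' not ';'" >&2; return 1
  fi
  if ! [[ $user =~ $NAME_REGEX ]]; then
    echo "reject '$raw': invalid user name '$user'" >&2; return 1
  fi
  IFS=',' read -ra parts <<< "$groups"
  for g in "${parts[@]}"; do
    g=$(trim "$g")
    [ -z "$g" ] && continue                       # tolerate "a,,b" and "a,"
    if ! [[ $g =~ $NAME_REGEX ]]; then
      echo "reject '$raw': invalid group name '$g'" >&2; return 1
    fi
    case ",$joined," in *",$g,"*) continue ;; esac  # drop duplicate groups
    joined="${joined:+$joined,}$g"
  done
  printf '%s\t%s\n' "$user" "$joined"
}

# generate_password [LEN]: LEN characters (default 16) from a fixed alphabet
# read from /dev/urandom; the pipeline's status is head's, so tr being cut off
# by SIGPIPE is not an error (no pipefail).
generate_password() {
  tr -dc 'A-Za-z0-9!@#$%^&*()_+' < /dev/urandom | head -c "${1:-16}"
}

# plan_file FILE: dry run. For each valid line print the commands a hardened
# create_users.sh would execute; existing users and bad lines are reported.
plan_file() {
  local line parsed status user groups g
  local -a glist
  while IFS= read -r line || [ -n "$line" ]; do
    parsed=$(parse_line "$line" 2>/dev/null) && status=0 || status=$?
    case $status in
      2) continue ;;
      1) echo "# skipped malformed line: $line"; continue ;;
    esac
    IFS=$'\t' read -r user groups <<< "$parsed"
    if id "$user" >/dev/null 2>&1; then
      echo "# skip: user $user already exists"; continue
    fi
    if [ -n "$groups" ]; then
      IFS=',' read -ra glist <<< "$groups"
      for g in "${glist[@]}"; do
        getent group "$g" >/dev/null 2>&1 || echo "groupadd $g"
      done
      echo "useradd -m -G $groups $user"
    else
      echo "useradd -m $user"
    fi
    echo "chage -d 0 $user"                       # expire the generated password now
  done < "$1"
}

# Constructed sample input: the post's two example lines (bob's groups now
# comma-separated), the post's "testers; admins" mistake, and some edge cases.
SAMPLE_INPUT='alice; developers, foodies
bob; testers, admins
carol; testers; admins
# comment, then an empty group list, a duplicated group and an existing user
dave;
erin; ops, ops, dev
root; admins
Mallory; developers'

tmp=$(mktemp); printf '%s\n' "$SAMPLE_INPUT" > "$tmp"
plan_file "$tmp"; rm -f "$tmp"
```

Run it with bash and compare the printed plan against the input file before running the real script; parse_line can be dropped into create_users.sh in place of the ad-hoc trimming, and any line it rejects should be logged and skipped rather than passed on to useradd.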
With this script each employee gets an account that belongs to exactly the groups listed in the input file, a home directory nobody else can read, and a unique random password, which goes a long way toward keeping your organization's sensitive information out of the wrong hands 😊.
Thanks for following me through with this article.
A big shout out to HNG, HNG Internship, HNG Hiring for inspiring this article.
Reach out to me on Linkedin or X(Twitter) if you want to have a nice chat about anything and I mean absolutely anything.