setup.sh changes 'admin' user's password

K

kai4785

New member
Joined
Feb 7, 2011
Messages
3
I have a custom installer for CentOS that I would like to add DirectAdmin to. It uses Kickstart to install the most recent version of CentOS, and then I use rc.local to download and run 'setup.sh' with pre-purchased licensing information.

Everything works great, except the 'admin' user's password is changed to something random, and then stored in a plain-text file on the disk in /usr/local/directadmin. I would like to prevent the DirectAdmin installer from modifying an existing password for the 'admin' user. It is not acceptable to log in with the root user to update the password after the installation is complete. I have a need to know what the 'admin' password is going to be after all software (including DirectAdmin) is installed in order to provide customer satisfaction. Right now, the best solution I can think of is to be able to set the password during the OS installation (via the kickstart), and install DirectAdmin with out changing the password. I would really rather not find some hack to wait for DirectAdmin to complete the install, and then change the 'admin' user's password back to what it was before the setup.sh script ran.
 
Yes, I am aware. I couldn't remember exactly which file it was at the time I wrote the initial post. Unfortunately just knowing that there is a file with the new password isn't good enough. I would like to avoid changing the password of the existing user 'admin' completely. I have already created the user to my satisfaction, and I don't need it changed.
 
One work around I can think of would be for you to run, before running setup.sh, to grep the admin line out of /etc/passwd, and save it, then after setup.sh is done, delete it and replace it with the one you saved. No restarting of anything should be necessary.

You can probably do this with a wrapper script around setup.sh.

Jeff
 
It becomes difficult when you do not have root access. That's the way it should be, otherwise you will be hacked in minutes.

You can not see /etc/shadow rather because only the root user can see it, otherwise I had a different solution for you
 
Hello,

If you know the admin password you'd like before the DA install, you can modify the setup.sh slightly before running it.

Find this bit:
Code: 
echo "hostname=$HOST"        >  $SETUP;
echo "email=$EMAIL"          >> $SETUP;
echo "mysql=$DB_ROOT_PASS"   >> $SETUP;
echo "mysqluser=$DB_USER"    >> $SETUP;
echo "adminname=$ADMIN_USER" >> $SETUP;
echo "adminpass=$ADMIN_PASS" >> $SETUP;
echo "ns1=$NS1"              >> $SETUP;
echo "ns2=$NS2"              >> $SETUP;
echo "ip=$IP"                >> $SETUP;
echo "netmask=$NM"           >> $SETUP;
echo "uid=$CID"              >> $SETUP;
echo "lid=$LID"              >> $SETUP;
echo "services=$SERVICES"    >> $SETUP;
and remove it from the setup.sh.

Before running the setup.sh, manually create:
/usr/local/directadmin/scripts/setup.txt

to match what the above code would have done.
This where you'd set the admin password.

DA checks to see if the admin account exists at install time.
If the account exists, DA does not try to create it again.
However, since there are other areas (email, mysql, ftp) that need to know the plain-text admin password, the value is going to be required at install time.

Once your setup.txt is created, and the setup.sh is modified, go ahead and run the setup.sh.

John
 
I know I'm being picky here. I would like to avoid storing the password of the admin user in plain-text on the system. So I think I've got a prioritized list of possible solutions, and I would like to have you help me decide which ones are possible.

1) Do not modify existing user 'admin' if the user already exists.
2) Allow a pre-hashed password in the setup.txt file, instead of a plain-text one. (ie: something that could be passed to "usermod -p")
3) Write a wrapper script for setup.sh like so:
Code: 
#!/bin/bash
awk -F: '/^admin:/{print $2}' /etc/shadow > /tmp/shadow
setup.sh ....
usermod -p `cat /tmp/shadow` admin

What do you think?
 
My understanding is that once DirectAdmin is installed you can delete the plain-text password. However I'd like to see a definitive response from John.

Jeff
 
Hello,

Correct, you can delete the setup.txt post-install.
FYI, it's also the only place the mysql "root" password is stored, so be sure to take note before deleting it (mysql=)

John
 
You must log in or register to reply here.
Back
Top