Section: User Contributed Perl Documentation (1)
Updated: perl v5.6.1
savannahusers - manage shell accounts with savannah.gnu.org
savannahusers [--help] [--verbose] [--fake]
[--allow-conflicts] [--www] [--ssh=<prog>] --file <file.xml>
It is convenient to use Savannah (savannah.gnu.org) to manage accounts
on a machine that is completely unrelated to Savannah itself. For
instance, the project http://savannah.gnu.org/projects/fsffr/ lists
all the users who should have a shell account on the
A cron job on the target machine (france.fsfeurope.org in this case)
can fetch the list of users from Savannah and update the password
files accordingly. Adding a user to the machine can then simply be
done by adding the user as a developer of the project.
By default savannahusers only uses a limited range of uids (61000 to
62000) to avoid interference with existing users.
You should do the following before using the savannahusers on the
- create a Savannah project
You should first log in to savannah.gnu.org and register a new project named
gnuxxx. The only thing required is to explain the following in the
Manage accounts on xxx.gnu.org. Each member of the
project has an ssh account and can login with her
ssh protocol 1 public key. Automated.
- create a saccount user
The saccount user is needed in order to avoid using the environment
of the root user, since that is potentially hazardous for security.
useradd -m -p '*' -c 'Savannah Account Creation' -d /home/saccount saccount
- add saccount to sudoers
The only action this user needs to perform with root permissions is to
run the savannahusers script. This can be done by adding a line
to the sudoers file.
saccount ALL=(root) NOPASSWD: /usr/bin/savannahusers
- send saccount ssh public key of xxx.gnu.org
The ssh public key of root on xxx.gnu.org will need to be registered
in the authorized_keys file of the xmlbase user on savannah.gnu.org.
ssh-keygen or ssh-keygen1
Do "not" set the passphrase. Only type return when asked for one.
Send it to firstname.lastname@example.org, saying that it's for the project
gnuxxx. Once it is added, you should be able to run:
rsync --rsh=ssh email@example.com: .
as saccount. This will download a file with account information for the
xxx.gnu.org machine, extracted from the member list of the
Once these steps are complete, you should be able to install and run
savannahusers properly. Before actually doing something, run it a few
times using --fake to make sure it does what you expect. When you're
satisfied, install the cron job and forget about it.
All users have access to the www account. This account must already exist.
The ssh public keys of all the users known by savannahusers are inserted
in the authorized_keys file of this account. All users will be able to
log in as user www.
Run rsync as <login> user instead of root. The ssh protocol 1 key
of the <login> user will be used and should be known to Savannah.
Instead of fetching the account descriptions file with rsync, reuse
the file (see --file) that is in the temporary directory on the target
machine. When the program terminates the file is not deleted.
The XML account information filename. This is the filename created
by the rsync --rsh=ssh xmlbase@savannah.gnu.org: . command. The name
of the file is not decided by the target machine. When the program
terminates the file is deleted. It is placed in the temporary
- --ssh=<prog> (default ssh)
The name of the ssh program to use. For instance --ssh=ssh1.
Only send a warning if a login name conflict occurs. A name conflict
occurs when a login name is already in use with a uid outside the
range of uids managed by savannahusers. The savannahusers script
assumes that this user was created independently by someone with root
access on the target machine. As a consequence, savannahusers will
refuse to create it (or update it) even if the same login name was
registered in the Savannah project. The default behaviour is to abort.
With --allow-conflicts, a warning is sent and the login name is ignored.
- --firstuid=<number> (default 61000)
The low bound of the uid range managed by savannahusers.
- --lastuid=<number> (default 62000)
The high bound of the uid range managed by savannahusers.
print actions and do nothing
print a short usage message.
print debugging messages on the stderr file descriptor.
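The conflict rule described under --allow-conflicts, --firstuid and --lastuid can be checked against a password file before the cron job is enabled. The following is an added example, not code from savannahusers: the function names, the sample entries and the inclusive treatment of the range bounds are assumptions.

```shell
#!/bin/sh
# Added example, not part of savannahusers. Assumes the uid range is inclusive.

# classify_login PASSWD_FILE LOGIN [FIRSTUID] [LASTUID]
# Prints "create" (login unused), "update" (uid inside the managed range)
# or "conflict" (login already in use with a uid outside the managed range).
classify_login() {
    awk -F: -v login="$2" -v lo="${3:-61000}" -v hi="${4:-62000}" '
        $1 == login {
            found = 1
            verdict = ($3 + 0 >= lo + 0 && $3 + 0 <= hi + 0) ? "update" : "conflict"
            exit                      # END still runs after exit
        }
        END { print found ? verdict : "create" }
    ' "$1"
}

# plan_accounts PASSWD_FILE ALLOW_CONFLICTS LOGIN...
# Prints "<verdict> <login>" for each login that would be acted on.
# A conflict aborts with status 1 (the documented default) unless
# ALLOW_CONFLICTS is "yes"; then it is reported on stderr and skipped.
plan_accounts() {
    passwd_file=$1 allow=$2
    shift 2
    for login in "$@"; do
        verdict=$(classify_login "$passwd_file" "$login")
        if [ "$verdict" = conflict ]; then
            if [ "$allow" = yes ]; then
                echo "warning: $login has a uid outside the managed range, ignored" >&2
                continue
            fi
            echo "abort: $login has a uid outside the managed range" >&2
            return 1
        fi
        echo "$verdict $login"
    done
}

# Constructed sample password file (not real accounts).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/sh
www:x:33:33:www:/var/www:/bin/sh
alice:x:61001:61001:Alice:/home/alice:/bin/sh
bob:x:1000:1000:Bob:/home/bob:/bin/sh
EOF
plan_accounts "$SAMPLE" yes alice bob carol
```

On a real machine, pass a file produced with `getent passwd` so that accounts from every configured name service are taken into account.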
Here is a sample cron job that can be stored in the file
# Update accounts from Savannah project fsffr
# (cron does not support backslash line continuation: keep the entry on one line)
37 20 * * * saccount ( date ; sudo /usr/bin/savannahusers --file accounts-fsffr.xml --user saccount --www ) >> /var/log/savannahusers.log 2>&1 < /dev/null
Before installing this cron job you should create the savannahusers.log
file and make sure it is owned by the saccount user.
chown saccount /var/log/savannahusers.log
Here is a sample logrotate specification that can be stored in
the file /etc/logrotate.d/savannahusers:
Accented names are output in UTF-8. getpwent just discards them. Should
either be unaccented using Text-Unaccent.
Loic Dachary (firstname.lastname@example.org)
Updated: $Date: 2006/04/22 13:07:11 $