creating a new user on secureplatform via CLI
The following instructions are performed using the admin account in expert mode. We will create a regular user account with restricted priveleges in cpshell. Full expert access will be gained by the user by entering expert mode. It is possible to have a regular user with a bash shell. The problem is Check Point makes a mess of file and directory permissions, mangles shell environments, ect... This makes creating such a user more work. That won't be covered here.
fix /etc/profile permissions
Check Point screws up the permissions on /etc/profile in SPLAT. In Gaia, it appears to be fixed. Regular users should have read access. Check /etc/profile permissions, if users don't have read access, set it with chmod.
[Expert@chkpfw1]# chmod 644 /etc/profile
add user group to ssh AllowGroups
I am being old fashioned, and using the legacy Unix wheel group
[Expert@chkpfw1]# sed -i -e 's/AllowGroups root/AllowGroups root wheel/' /etc/ssh/sshd_config
creating the user account
1) create user account with the standard linux useradd command...
[Expert@chkpfw]# useradd -d /home/jsmith -s /bin/cpshell -G wheel -o -u 0 -g wheel -m jsmith
2) set the user password
[Expert@chkpfw]# /usr/bin/passwd jsmith New UNIX password: Retype new UNIX password: passwd: all authentication tokens updated successfully.
*** note *** the full path is required in the above command because Check Point aliases passwd to...
alias passwd='/bin/expert_passwd'
If you fail to execute the passwd binary by using the full path, you most likely won't be setting the user password, but the expert password... which is actually the password for the root account
Example of the incorrect way to reset a user password from the root (Expert) account:
[Expert@chkpfw]# passwd jsmith Enter new expert password: <<< if you see this prompt you messed up!
3) edit /etc/passwd...set UID and GUID to zero and default shell to /bin/cpshell. Failure to set the shell to cpshell will allow the user account root privileges immediately upon login. This would not be secure.
Example /etc/passwd lines
before editing
john:x:1002:1002::/home/admin:/bin/bash
what is should look like after editing
john:x:0:0::/home/admin:/bin/cpshell
4) test your login with ssh. after a successful login, execute the "expert" command to gain root.