[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [sudo-users] How to disable ( deny ) user to change the password of root



edwardspl ita org mo wrote:
BUT there is another problem of it ( I think it is a bug of sudo ).....

When you enter "sudo passwd" without the option (eg:userid):

[manager xxx ~]$ sudo passwd
Changing password for user root.
New UNIX password:

That's not a bug. "sudo" doesn't know what you're trying to do, only whether or not your commands match the patterns in its configuration files. They do, so sudo allows the access.

OH...the user manager who can change root password ?

So, is there any solution for this case of problem ?

Yes, there is. Don't let users execute any of those commands directly. Write shell scripts that validate the commands that you want them to execute, and only allow users to execute those with sudo. For example:

passwd-wrapper:
#!/bin/sh

# Validate that a username was given as an argument
[ -n "$1" ] || {
	echo "Use: passwd-wrapper <username>" >&2
	exit 64
}

# Validate that the username wasn't "root"
[ "$1" != "root" ] || {
	echo "Can't set the root user's password" >&2
	exit 77
}

# Use -- to make sure that the "username" given wasn't just
# a switch that passwd would interpret.
# THIS ONLY WORKS ON GNU SYSTEMS.
passwd -- "$1"


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]