
Re: [sudo-users] How to disable ( deny ) user to change the password of root



Dear All,

For /usr/bin/upasswd :

#!/bin/sh

# Validate that a username was given as an argument
[ -n "$1" ] || {
    echo "Use: upasswd <username>" >&2
    exit 64
}

# Validate that the username wasn't "root"
[ "$1" != "root" ] || {
    echo "Can't set the root user's password" >&2
    exit 77
}

# Use -- to make sure that the "username" given wasn't just
# a switch that passwd would interpret.
# THIS ONLY WORKS ON GNU SYSTEMS.
passwd -- "$1"

For visudo :
SYSADM  MH = (ALL)  /usr/bin/upasswd

Notice * without the option after "/usr/bin/upasswd"...

So, the test result is okay now :

[manager xxx bin]$ sudo upasswd
Use: upasswd <username>
[manager xxx bin]$ sudo upasswd root
Can't set the root user's password
[manager xxx bin]$ sudo upasswd edward
Changing password for user edward.
New UNIX password:

Many thanks for your help !

* This procedure is good for working on FC9...

Edward.

Russell Van Tassell wrote:
On Tue, Nov 18, 2008 at 05:18:10PM -0800, Stephen Carville wrote:
  
[Preventing root passwd change using sudo]
      
In truth, Gordon Messmer's suggestion is probably more secure.  The only 
change I'd make would be to embed the sudo command in the script.  Something 
like.

[...]

Then give sudo permissions something like:

SYSADM  MH = (ALL) /usr/bin/passwd -- [A-z0-1]*
    

Just "devil's advocate," caveat emptor, buyer beware and all that jazz...

This still doesn't prevent people from doing things such as:

/usr/bin/sudo /usr/bin/sh /usr/bin/passwd

...or other similar "nasty" things (the list is quite huge).  This also
presumes, of course, that the "typical" sudoers file allows more than it
prevents/excludes.
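
An added example, not part of the original messages: a stricter form of the argument checks in the upasswd wrapper above, which compares the target's UID instead of the literal name "root" and rejects switch-like names itself rather than relying on passwd accepting "--". The function names check_target and lookup_uid, the allowed character set, and exit code 67 (EX_NOUSER from sysexits.h) are assumptions of this example; 64 and 77 are the codes the original script uses.

```shell
#!/bin/sh
# Added example: stricter target validation for a upasswd-style wrapper.
# check_target and lookup_uid are hypothetical names, not from the thread.

# Resolve a login name to its numeric UID; fails if the account is unknown.
lookup_uid() {
    id -u "$1" 2>/dev/null
}

# Return 0 if the password of "$1" may be changed, else a sysexits-style code.
check_target() {
    # No argument at all (same exit code as the original script)
    [ -n "$1" ] || { echo "Use: upasswd <username>" >&2; return 64; }

    case "$1" in
        # Reject switch-like names ourselves, so we do not depend on
        # passwd understanding "--"
        -*) echo "Invalid username: $1" >&2; return 64 ;;
        # Reject anything outside a conservative account-name alphabet
        *[!A-Za-z0-9._-]*) echo "Invalid username: $1" >&2; return 64 ;;
    esac

    # The account must exist
    uid=$(lookup_uid "$1") || { echo "Unknown user: $1" >&2; return 67; }

    # Compare the UID, not the name: this covers "root" and any other
    # account that also maps to UID 0
    [ "$uid" -ne 0 ] || { echo "Can't set the password of a UID 0 account" >&2; return 77; }
    return 0
}

# Demo over constructed sample names; results depend on the local accounts.
for name in "" "-d" "a b" "root" "no-such-user-constructed"; do
    check_target "$name" 2>/dev/null && rc=0 || rc=$?
    printf '%-28s -> %s\n' "[$name]" "$rc"
done
```

In the wrapper itself, the demo loop would be replaced by `check_target "$1" || exit $?` followed by the call to passwd.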


  
