[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [sudo-users] How to disable ( deny ) user to change the password of root



Michael Schwendt wrote:
On Wed, 19 Nov 2008 17:17:40 +0800, edwardspl ita org mo wrote:
Michael Schwendt wrote:
n Tue, 18 Nov 2008 08:36:56 -0800, Gordon Messmer wrote:
asswd-wrapper:
#!/bin/sh

# Validate that a username was given as an argument
[ -n "$1" ] || {
	echo "Use: passwd-wrapper <username>" >&2
	exit 64
}

# Validate that the username wasn't "root"
[ "$1" != "root" ] || {
	echo "Can't set the root user's password" >&2
	exit 77
}

# Use -- to make sure that the "username" given wasn't just
# a switch that passwd would interpret.
# THIS ONLY WORKS ON GNU SYSTEMS.
passwd -- "$1"
Don't let users run this via sudo unless you execute tools with
absolute path --> /usr/bin/passwd
      
Hello,

Do you means there is some problem / security with this shell scripts ?
    
It depends on your sudo/sudoers configuration. You can read more about it
in the manuals. Look out for setenv, env_, SECURE_PATH (and related
settings).
  
Just the following rules :
SYSADM  MH = (ALL)    /usr/bin/passwd-wrapper
<>BUT, only some of special user who can running some of cmd via sudo...
eg: System Admin ( manager ) and Support Term...

<>It's general advise not to open an attack vector via $PATH when trying to
impose restrictions on what those special users may run. Today your sudo
configuration may not permit that, but you wouldn't be the first one to
switch from sudo to setuid or to alter your sudo config in harmful ways.
I think the system admin config the sudo only for some special user ( eg: system support term ) for the Server Maintance...
So, NOT many user he/she can running with sudo, right ?

Thanks !

Edward.

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]