
Re: [sudo-users] How to disable ( deny ) user to change the password of root



On Wed, 19 Nov 2008 19:14:43 +0800, edwardspl ita org mo wrote:

> Michael Schwendt wrote:
> 
> >On Wed, 19 Nov 2008 12:52:30 +0800, edwardspl wrote:
> >
> >  
> >
> >>Dear All,
> >>
> >>For /usr/bin/upasswd :
> >>
> >>#!/bin/sh
> >>
> >># Validate that a username was given as an argument
> >>[ -n "$1" ] || {
> >>echo "Use: upasswd <username>" >&2
> >>exit 64
> >>}
> >>
> >># Validate that the username wasn't "root"
> >>[ "$1" != "root" ] || {
> >>echo "Can't set the root user's password" >&2
> >>exit 77
> >>}
> >>
> >># Use -- to make sure that the "username" given wasn't just
> >># a switch that passwd would interpret.
> >># THIS ONLY WORKS ON GNU SYSTEMS.
> >>passwd -- "$1"
> >>
> >>For visudo :
> >>SYSADM MH = (ALL) /usr/bin/upasswd
> >>    
> >>
> >
> >Even if you rely on sudo's default environment variable restrictions and
> >safety checks, prefer absolute paths when executing tools like
> >/usr/bin/passwd
> >  
> >
> Hello,
> 
> Sorry, I don't quite understand what you mean...
> 
> Thanks !
> 
> Edward.

You've been on Fedora [or Red Hat Linux] related mailing-lists before, a
long time ago. It isn't news that you try to build a lot from tarballs
instead of using prebuilt/preconfigured rpms which are part of the
distribution. Asking questions is okay. Still you ought to show that
you're interested in trying to read the documentation that comes together
with the software you want to use. In this case "man sudo sudoers". These
manuals contain security related notes, which you really ought to read if
you want to give users sudo access.

What I mean by my comments on preferring absolute paths is that in the
wrapper script /usr/bin/upasswd (the name you've chosen for it) you ought
to run "/usr/bin/passwd" at the bottom, not just "passwd". By running
"passwd" within PATH you rely on security features in sudo to prevent a
user from modifying $PATH and running an arbitrary program named "passwd"
with superuser privileges. That program could be anything, especially
since it is being passed "$1" without any helpful safety checks.
Even if you think that sudo does not make that possible (read about
SECURE_PATH and the env_* features I've mentioned), a change in the
configuration, in the defaults (or when using self-built software) may open
the attack vector. Hence let the script run /usr/bin/passwd at the bottom,
which is exactly what you want.
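As an added example, not the original poster's script and not code from the sudo project, here is a version of the upasswd wrapper that applies the advice in this reply: the real binary is named by absolute path in $PASSWD, so a caller's $PATH plays no part in what gets executed, and "--" still separates the username from passwd's options (a GNU passwd assumption, as in the original). The function names, the exit code 65, and the extra check restricting usernames to a conservative login-name character set are assumptions of this example rather than anything the thread specifies; resolve_in_path is included only to show what a bare command name would have resolved to.

```shell
#!/bin/sh
# Hardened upasswd wrapper (added example, not the poster's original script).

# Absolute path to the real passwd binary. Assumed location; adjust it if
# your system installs passwd elsewhere. Nothing below consults $PATH.
PASSWD=/usr/bin/passwd

# validate_user NAME
# Returns 0 if NAME is acceptable, 64 if it is empty, 77 if it is "root",
# 65 if it contains characters outside a conservative login-name alphabet.
# The character-set check is an addition beyond the original script.
validate_user() {
    name="$1"
    [ -n "$name" ] || return 64
    [ "$name" != "root" ] || return 77
    case "$name" in
        [a-z_]*) ;;          # must start with a lower-case letter or '_'
        *) return 65 ;;      # rejects leading '-' that could look like an option
    esac
    case "$name" in
        *[!a-z0-9_-]*) return 65 ;;   # any other character is rejected
    esac
    return 0
}

# resolve_in_path NAME
# Prints the file a bare command name resolves to under the current PATH.
# Shown here only to illustrate why the wrapper must not rely on it.
resolve_in_path() {
    command -v "$1"
}

# upasswd NAME
# Validated entry point: reports the problem on stderr and returns the
# validate_user code on failure, otherwise runs $PASSWD by absolute path.
upasswd() {
    rc=0
    validate_user "$1" || rc=$?
    case "$rc" in
        64) echo "Use: upasswd <username>" >&2 ;;
        77) echo "Can't set the root user's password" >&2 ;;
        65) echo "Invalid username: $1" >&2 ;;
    esac
    [ "$rc" -eq 0 ] || return "$rc"
    "$PASSWD" -- "$1"
}

# When executed as a command with an argument, act as the wrapper.
if [ $# -gt 0 ]; then
    upasswd "$1"
    exit $?
fi
```

The sudoers entry from the thread, SYSADM MH = (ALL) /usr/bin/upasswd, stays the same; what changes is that the script no longer cares whether sudo's secure_path or env_reset happens to be in effect, because the path to passwd is fixed inside the script itself.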

