restricting within command
Scott, Martin
Martin_Scott at compuware.com
Mon Mar 20 09:45:44 EST 2000
Julian,
I have used the following, I am not aware of any significant security holes
that this will introduce (if you find one, please let me know):
User_Alias USER_ADMINS=user-admin-user-name
# All accounts in this group **** MUST **** have an entry in the
NO_PASSWD_CMNDS Cmnd_Alias:
User_Alias UNIX_ADMINS=user-name
# An entry ****MUST**** be made here for each account in the User_Alias for
UNIX_ADMINS
Cmnd_Alias NO_PASSWD_CMNDS=/usr/bin/passwd root, /usr/bin/passwd
user-name
USER_ADMINS UNIX_HOSTS=USER_MAINT_CMNDS, !NO_PASSWD_CMNDS
My Unix's version of passwd will not prompt for a username, it will take the
name as a parameter or default to the username running the command.
Martin
-----Original Message-----
From: Matthew Hannigan
[mailto:Matthew.Hannigan at nl.abnamro.com]
Sent: Monday, March 20, 2000 5:04 AM
To: Julian.Rogan
Cc: sudo-users
Subject: Re: restricting within command
Julian,
I think the standard thing to do is to write a small
wrapper
which restricts the changes (by uid or group for instance).
Regards,
-Matt
Julian.Rogan at Unilever.com on 20/03/2000 10:44:00
To: sudo-users at courtesan.com
cc: (bcc: Matthew Hannigan/NL/ABNAMRO/NL)
Subject: restricting within command
Hi,
I plan on allowing our helpdesk to change users passwords
using sudo as
the
means of allowing this privilege.
However, as someone just pointed out to me, the helpdesk
will also be
able to
change root's password.
So is there anyway of tightening the privilege in this one
respect.
regards
Julian
More information about the sudo-users
mailing list