How to I do this .

Matthew.Hannigan at nl.abnamro.com Matthew.Hannigan at nl.abnamro.com
Tue Apr 4 07:36:22 EDT 2000




Kamala,
     This is was discussed recently on this list.

I think the conclusion is that you should write a wrapper
script which invokes passwd only if the uid is greater than,
say, 100.

You certainly don't want to allow anybody to change password
for user bin, lp, sys,adm and many other administrative type accounts.

Even this may not be safe enough.

Another possibility for this wrapper is that it only allows password
changes for certain groups of users.

Another enhancement is to force the expiry of the new password
immediately so the the user must change it again on next login.


-Matt





kamala at rsa.ericsson.se on 04/04/2000 00:30:11

To:   sudo-users at courtesan.com
cc:    (bcc: Matthew Hannigan/NL/ABNAMRO/NL)
Subject:  How to I do this .



Hi ,

I want to give the group lsagrp the  same rights as root on both servers
and clients ,with the
exception  that they  cannot  change the root passwd  as sudo .: .. but
have no clue how to
define this in /etc/ sudoers . Any body has any tips ?or some other work
around  ?



LSAGRP    ALL = (ALL)  ALL , ! (Dont know what to write here :( so that
this group cannot change  Root password)

Thanks for any tips

kamala








More information about the sudo-users mailing list