Restricting changing passwd

Matthew.Hannigan at nl.abnamro.com
Thu Aug 3 05:40:16 EDT 2000
Ray Yocom wrote in part:

> When you sudo /usr/bin/passwd the
> effective user is root thus changing the password for root.

Under sudo, the _real_ user is root too.

Su makes the _real_ user root too.

So the reason that passwd changes your password
or root's password when you expect it to change
the other is not due to a mismatch between real/effective
id's.  It's something else.

My _guess_ is that it looks at the owner of the
tty or some environmental variable.

Relying on a particular behaviour without
understanding this precise behaviour is
somewhat dangerous.

Anyway, all this is moot.  Allowing sudo access
to passwd is inherently dangerous.  As well
as restricting access to root, you want to restrict
passwd access to bin, sys, adm, lp and any other number
of accounts and future accounts including those
which listen to network requests such as httpd daemons.

( ... sound of dead horse beating ... )

Best thing is to write a wrapper which restricts
changing to a subset of users, say, all those
in group "user"

Regards,
     -Matt
ritesh at mos.com.np on 03/08/2000 10:45:59

To:   ryocom at ci.yakima.wa.us
cc:   sudo-users at courtesan.com (bcc: Matthew Hannigan/NL/ABNAMRO/NL)
Subject:  RE: Restricting changing passwd
Thanks for the input, Ray. Using "!/usr/bin/passwd root" in the Cmd_alias
does prevent a user from changing the root passwd.
When user tries this: "sudo /usr/sbin/passwd" only it changes the passwd
for himself though I know "sudo" runs as root.

Actually I also got suspicious after I read your mail but tried it out to
confirm it.

Please see below:
------------------------------
ritesh at chulu: {4} % sudo /usr/bin/passwd
Changing local password for ritesh.
New password (128 significant characters):
------------------------------
ritesh at chulu: {5} % sudo /usr/bin/passwd root
Sorry, user ritesh is not allowed to execute "/usr/bin/passwd root" as
root on chulu.mos.com.np.
------------------------------

I shall try to go through the archive for a wrapper for my purpose.
Though it would have been great if you could have provided me with one.

Once again a BIG "thanks" for all you helpers out there !

Rgds,

\\Ritesh

  |  r i t e s h   r a j   j o s h i
  |  system administrator
  |  MERCANTILE COMMUNICATIONS PVT. LTD
  |  www.mos.com.np
  |  hotline:240920

On Tue, 1 Aug 2000, Yocom, Ray wrote:

> Are you sure you have disabled the password change for root?  Depending on the
> flavor of UNIX,
> /usr/bin/passwd with no argument will use the "effective" user as opposed to
> the user logged in on your terminal.  When you sudo /usr/bin/passwd the
> effective user is root thus changing the password for root.  The only fix I
> know of in this case and the best fix for your other issue is to build a
> wrapper for the /usr/bin/passwd command.  Several nice examples have been
> provided in previous threads.  You could check against your "system" or
> "adm" group in /etc/group so that whenever you added a new admin to your
> system they would automatically be excluded from the sudo password change.
>
>
> -----Original Message-----
> From: Ritesh Raj Joshi [mailto:ritesh at mos.com.np]
> Sent: Tuesday, August 01, 2000 3:20 AM
> To: sudo-users at courtesan.com
> Subject: Restricting changing passwd
>
>
> HI all!
> I am using CU Sudo version 1.5.3 and trying to restrict users from
> changing the passwd of other colleagues.
> I have successfully done this for "root" with  !/usr/bin/passwd root .
> But how do I restrict for a list of users without having to repeat the
> above mentioned command for each and every user.
> Is there some kind of wildcards or aliasing that can be employed here.
> Thanks in advance ...
>
> Rgds,
>
> \\Ritesh
>
>   |  r i t e s h   r a j   j o s h i
>   |  system administrator
>   |  MERCANTILE COMMUNICATIONS PVT. LTD
>   |  www.mos.com.np
>   |  hotline:240920
>
> ____________________________________________________________
> sudo-users mailing list <sudo-users at courtesan.com>
> For list information, options, or to unsubscribe, visit:
> http://www.courtesan.com/mailman/listinfo/sudo-users
> ____________________________________________________________
> sudo-users mailing list <sudo-users at courtesan.com>
> For list information, options, or to unsubscribe, visit:
> http://www.courtesan.com/mailman/listinfo/sudo-users
>

____________________________________________________________
sudo-users mailing list <sudo-users at courtesan.com>
For list information, options, or to unsubscribe, visit:
http://www.courtesan.com/mailman/listinfo/sudo-users
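The wrapper Matt suggests above, written out as an added example (it is not code from the thread or from the sudo project). It lets a sudo caller change only the password of an account that is a member of group "user" and refuses everything else, so root, bin, sys, adm, lp and daemon accounts such as httpd are never reachable, whatever sudoers allows. The group name "user", the UID cutoff of 1000 for "system account", the file paths and the name passwd-wrapper are assumptions for illustration; the passwd/group data used below is constructed for the test and is not real. Note that this is an allow-list by design: the sudoers manual warns that subtracting commands with "!" is not a reliable way to deny things, and an allow-list in the wrapper does not depend on it.

```shell
#!/bin/sh
# passwd-wrapper: added example, not from the sudo-users thread or the sudo project.
# Intended to be the only passwd-related command permitted in sudoers, e.g.
#   ritesh ALL = /usr/local/sbin/passwd-wrapper        (assumed path)
# Only accounts that are members of ALLOWED_GROUP and whose uid is at or above
# MIN_USER_UID may have their password changed.  Everything else is refused.

ALLOWED_GROUP="${ALLOWED_GROUP:-user}"       # assumption: ordinary users live in group "user"
MIN_USER_UID="${MIN_USER_UID:-1000}"         # assumption: uids below this are system accounts
GROUP_FILE="${GROUP_FILE:-/etc/group}"
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"
PASSWD_BIN="${PASSWD_BIN:-/usr/bin/passwd}"

# pw_field NAME N FILE: print colon-separated field N of the line whose first
# field is NAME (works for both /etc/passwd and /etc/group layouts).
pw_field() {
    awk -F: -v n="$1" -v f="$2" '$1 == n { print $f; exit }' "$3"
}

# is_regular_account NAME: true if NAME exists and its uid >= MIN_USER_UID.
is_regular_account() {
    uid=$(pw_field "$1" 3 "$PASSWD_FILE")
    [ -n "$uid" ] && [ "$uid" -ge "$MIN_USER_UID" ]
}

# in_allowed_group NAME: true if ALLOWED_GROUP is NAME's primary group
# (gid field of passwd) or NAME appears in the group's member list.
in_allowed_group() {
    gid=$(pw_field "$ALLOWED_GROUP" 3 "$GROUP_FILE")
    [ -n "$gid" ] || return 1
    [ "$(pw_field "$1" 4 "$PASSWD_FILE")" = "$gid" ] && return 0
    members=$(pw_field "$ALLOWED_GROUP" 4 "$GROUP_FILE")
    echo ",$members," | grep -q ",$1,"
}

# may_change NAME: 0 if the wrapper should run passwd for NAME, 1 otherwise.
# Empty names, anything that looks like an option ("-d", "--root") and names
# with characters outside the usual account-name alphabet are refused before
# any lookup, so nothing odd ever reaches passwd's argument parser.
may_change() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    is_regular_account "$1" && in_allowed_group "$1"
}

main() {
    # Target defaults to the sudo caller (SUDO_USER), never to root: under sudo
    # both real and effective uid are root, so plain "passwd" must not be trusted
    # to pick the right account.
    target="${1:-${SUDO_USER:-}}"
    if ! may_change "$target"; then
        echo "passwd-wrapper: refusing to change password for '${target:-?}'" >&2
        exit 1
    fi
    exec "$PASSWD_BIN" "$target"
}

# Run main only when invoked as the installed wrapper; sourcing the file for
# tests leaves the functions defined without touching passwd.
case "$0" in
    *passwd-wrapper) main "$@" ;;
esac
```

Install it with the sudoers entry pointing at the wrapper rather than at /usr/bin/passwd, and keep the wrapper root-owned and not group- or world-writable, since sudo will run it as root. The two lookups deliberately read the files rather than calling "id", so the decision is made on the same data passwd itself will use.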