restricting within command

Brent n9bc at netnet.net
Fri May 19 10:04:58 EDT 2000


What I have used to get around this problem is this:

#!/usr/bin/perl

use strict;

my $user = shift || die "\nusage: $0 username\n\n";

my(@check,$name,$answer);

# only a plain lowercase username is accepted; anything else is rejected
die "\nwhat's up, chief? I don't like the username you gave me.\n\n"
    unless ($user =~ m/^[a-z0-9\-\+\_]+$/);

# place any usernames here that should be protected

@check = qw(root bin daemon adm lp sync shutdown halt uucp operator slist
majordomo named quota7 backup nobody);

foreach $name (@check)
{
        die "\nSorry, you can't change the password for $user.\n\n"
                 if($user eq $name);
}

# getpwnam returns an empty list for an unknown user; test the list itself,
# not field 6, so an account with an empty gcos field is not mistaken for
# a missing one
my @pw = getpwnam $user;
die "\nUsername $user does not appear to exist!\n\n" unless @pw;
my $gcos = $pw[6];

print "\nDo you want to change the password for $user [$gcos]? [yn]";
chomp($answer = <>);
$answer =~ /^[Yy]/ or die "\nThanks for playing...\n\n";

print "\n";

# passwd is called with a list, so no shell ever sees the username
system("/usr/bin/passwd",$user);



Then I added this to the sudoers file.
User_Alias      SUPPORT = joetech

Cmnd_Alias  CHPASS=/usr/local/sbin/changepass
SUPPORT ALL = CHPASS


Hope that helps.

Brent
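As an added example (not Brent's script and not from anyone in the thread), the same wrapper idea rebuilt the way Matt's quoted rule asks: refuse by default and allow only ordinary accounts, here taken to mean a uid inside the 1000-60000 range that login.defs usually sets as UID_MIN/UID_MAX. Those bounds, the function names and the use of getent are assumptions; the script is meant to sit where Brent's /usr/local/sbin/changepass does.

```shell
#!/bin/sh
# Allow-list password wrapper (added example). A target is refused unless it
# is an ordinary account, i.e. its uid lies inside the regular-user range that
# login.defs normally defines as UID_MIN/UID_MAX. The bounds are an assumption;
# set them to match the system's login.defs.
MIN_UID=1000
MAX_UID=60000
export LC_ALL=C   # bracket ranges below are then plain ASCII, not locale collation

# check_target NAME ENTRY
#   NAME  - the username requested on the command line
#   ENTRY - that user's passwd(5) line: name:passwd:uid:gid:gcos:home:shell
# Returns 0 only when every check passes; any doubt is a refusal.
check_target() {
    name=$1
    entry=$2
    # 1. the name itself must be plain: lowercase letters, digits, '-' or '_'
    case $name in
        ''|*[!a-z0-9_-]*) return 1 ;;
    esac
    # 2. the entry must be for exactly this name, so an empty or mismatched
    #    lookup is never trusted
    [ "${entry%%:*}" = "$name" ] || return 1
    # 3. pull the numeric uid (third field) with parameter expansion only
    rest=${entry#*:}; rest=${rest#*:}; uid=${rest%%:*}
    case $uid in
        ''|*[!0-9]*) return 1 ;;
    esac
    # 4. allow only the regular-user range; root, daemons and nobody fall outside it
    [ "$uid" -ge "$MIN_UID" ] && [ "$uid" -le "$MAX_UID" ]
}

# change_password NAME: look the account up and run passwd only if allowed.
change_password() {
    target=$1
    entry=$(getent passwd "$target") || { echo "no such user: $target" >&2; return 1; }
    if ! check_target "$target" "$entry"; then
        echo "Sorry, you can't change the password for $target." >&2
        return 1
    fi
    exec /usr/bin/passwd "$target"
}

# Invoked as 'changepass username' (via sudo); with no argument nothing runs.
if [ "$#" -eq 1 ]; then
    change_password "$1"
fi
```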




Matthew.Hannigan at nl.abnamro.com wrote:

> This rule is not restrictive enough
> for good security!
>
> See
>
> http://www.courtesan.com/pipermail/sudo-users/2000-April/000133.html
>
> There is a philosophical problem underlying this.
>
> You are allowing anything you don't explicitly deny.
>
> You should be denying anything you don't explicitly allow.
>
> Regards,
>      -Matt
>
> bjuda at lucent.com on 17/05/2000 22:18:06
>
> To:   sudo-users at courtesan.com
> cc:    (bcc: Matthew Hannigan/NL/ABNAMRO/NL)
> Subject:  Re: restricting within command
>
> "julian.rogan" wrote:
> >
> > I plan on allowing our helpdesk to change users passwords using sudo as the
> > means of allowing this privilege.
> > However, as someone just pointed out to me, the helpdesk will also be able to
> > change root's password.
> > So is there any way of tightening the privilege in this one respect.
>
> I have the command listed as follows in /etc/sudoers:
>
>      /bin/passwd [a-z]*,!/bin/passwd root,.........
>
> The NOT (!) construction applies the exception needed.
>
>    - Burt
>
> _______________________________________________
> sudo-users mailing list
> sudo-users at courtesan.com
> http://www.courtesan.com/mailman/listinfo/sudo-users
