restricting within command
Brent
n9bc at netnet.net
Fri May 19 10:04:58 EDT 2000
What I have used to get around this problem is this:
#!/usr/bin/perl
use strict;
use warnings;

# Usage: changepass USERNAME  (meant to be run through sudo; see the sudoers lines below)
my $user = shift || die "\nusage: $0 username\n\n";
my (@check, $name, $answer);

# Reject anything that is not a plain username. This class still admits a leading
# '-' or '+'; such a value only gets past the getpwnam() lookup below if an
# account with exactly that name exists.
die "\nwhat's up, chief? I don't like the username you gave me.\n\n"
    unless ($user =~ m/^[a-z0-9\-\+\_]+$/);

# place any usernames here that should be protected
@check = qw(root bin daemon adm lp sync shutdown halt uucp operator slist
            majordomo named quota7 backup nobody);
foreach $name (@check)
{
    die "\nSorry, you can't change the password for $user.\n\n"
        if ($user eq $name);
}

# Look the account up first and test the whole entry, not just the GECOS field,
# so an account with an empty GECOS is not mistaken for a missing one.
my @pw = getpwnam($user);
die "\nUsername $user does not appear to exist!\n\n" unless @pw;
my $gcos = $pw[6];

print "\nDo you want to change the password for $user [$gcos]? [yn]";
chomp($answer = <STDIN>);   # read STDIN explicitly; <> would try to open any leftover args as files
$answer =~ /^[Yy]/ or die "\nThanks for playing...\n\n";
print "\n";

# the list form of system() bypasses the shell, so $user is never shell-parsed
system("/usr/bin/passwd", $user);
Then I added this to the sudoers file.
User_Alias SUPPORT = joetech
Cmnd_Alias CHPASS=/usr/local/sbin/changepass
SUPPORT ALL = CHPASS
Hope that helps.
Brent
Matthew.Hannigan at nl.abnamro.com wrote:
> This rule is not restrictive enough
> for good security!
>
> See
>
> http://www.courtesan.com/pipermail/sudo-users/2000-April/000133.html
>
> There is a philosophical problem underlying this.
>
> You are allowing anything you don't explicitly deny.
>
> You should be denying anything you don't explicitly allow.
>
> Regards,
> -Matt
>
> bjuda at lucent.com on 17/05/2000 22:18:06
>
> To: sudo-users at courtesan.com
> cc: (bcc: Matthew Hannigan/NL/ABNAMRO/NL)
> Subject: Re: restricting within command
>
> "julian.rogan" wrote:
> >
> > I plan on allowing our helpdesk to change users passwords using sudo as the
> > means of allowing this privilege.
> > However, as someone just pointed out to me, the helpdesk will also be able to
> > change root's password.
> > So is there anyway of tightening the privilege in this one respect.
>
> I have the command listed as follows in /etc/sudoers:
>
> /bin/passwd [a-z]*,!/bin/passwd root,.........
>
> The NOT (!) construction applies the exception needed.
>
> - Burt
>
> _______________________________________________
> sudo-users mailing list
> sudo-users at courtesan.com
> http://www.courtesan.com/mailman/listinfo/sudo-users
>
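The thread turns on Matt's point: Brent's @check list and Burt's "!/bin/passwd root" exception both allow anything not explicitly denied. The following added example (not Brent's script, not sudo's code) shows the same wrapper decision written the other way round, with every path a deny unless the target is a regular account the helpdesk has been explicitly told it may manage. The passwd database, the managed-account set and the uid boundary of 1000 are constructed assumptions standing in for pwd.getpwnam(), a group lookup and the host's real policy; deny_list_check() is included only to show how a service account slips past a name-based deny list.

```python
import re
from collections import namedtuple

# Minimal stand-in for pwd.struct_passwd; real code would call pwd.getpwnam().
PwEntry = namedtuple("PwEntry", "name uid gid gecos")

# Constructed sample of /etc/passwd (not a real system's data).
SAMPLE_PASSWD = {
    "root":    PwEntry("root",    0,    0,    "root"),
    "daemon":  PwEntry("daemon",  1,    1,    "daemon"),
    "backup":  PwEntry("backup",  34,   34,   "backup"),
    "joetech": PwEntry("joetech", 1001, 1001, "Joe Tech"),
    "alice":   PwEntry("alice",   1002, 100,  "Alice Example"),
    "svc-app": PwEntry("svc-app", 1500, 1500, "app service account"),
}

# Constructed: the accounts the helpdesk is explicitly permitted to reset.
# Assumption: on a real host this would come from a group membership lookup.
HELPDESK_MANAGED = frozenset({"alice", "joetech"})

# Deny list in the style of Brent's @check: anything not named here is allowed.
DENY_LIST = frozenset("root bin daemon adm lp sync shutdown halt uucp operator "
                      "slist majordomo named quota7 backup nobody".split())

# First character must be a letter, so the value can never look like an option.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_-]{0,31}$")
MIN_REGULAR_UID = 1000  # assumption: system accounts live below this on the host


def deny_list_check(user, deny=DENY_LIST):
    """Allow-by-default check: permitted unless the name is explicitly listed."""
    return user not in deny


def check_target(user, passwd_db=SAMPLE_PASSWD, managed=HELPDESK_MANAGED):
    """Deny-by-default check. Returns (allowed, reason); exactly one path allows."""
    if not USERNAME_RE.match(user):
        return False, "username fails syntax check"
    entry = passwd_db.get(user)
    if entry is None:
        return False, "no such account"
    if entry.uid < MIN_REGULAR_UID:
        return False, "system account (uid %d < %d)" % (entry.uid, MIN_REGULAR_UID)
    if user not in managed:
        return False, "account is not in the helpdesk-managed set"
    return True, "regular account in the helpdesk-managed set"


def passwd_argv(user, passwd_db=SAMPLE_PASSWD, managed=HELPDESK_MANAGED):
    """Return the argv the wrapper would exec without a shell, or raise PermissionError."""
    allowed, reason = check_target(user, passwd_db, managed)
    if not allowed:
        raise PermissionError("refusing to change password for %r: %s" % (user, reason))
    return ["/usr/bin/passwd", user]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "svc-app"
    print("deny-list check:      ", "allow" if deny_list_check(target) else "deny")
    print("deny-by-default check:", check_target(target))
```

Running it with the default target shows the gap: "svc-app" is not on the deny list, so deny_list_check() lets it through, while check_target() refuses it because nobody explicitly put it in the managed set. Keeping the sudoers Cmnd_Alias pointed at a wrapper like this, as Brent does, also means sudoers never has to match passwd's arguments with wildcards at all.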