!passwd root revisited
mlh at zip.com.au
Wed Dec 10 05:34:40 EST 2003
On Mon, 08 Dec 2003 12:13:04 -0800
Steve Magee <smagee at arb.ca.gov> wrote:
> From the command line, the "!/usr/bin/passwd root" prohibits
> users in the %webadmin group from changing root's password.
Not exactly. It merely does not enable the %webadmin
group to use the exact arguments "root" to the passwd
command.
> $ echo $password | sudo passwd --stdin $userid
This is not using the exact args "root" to the
passwd command, so it does not match your
sudoers entry.
IMnsHO, the ! syntax is a misfeature.
The sudoers man page warns about
bill ALL = ALL, !SU, !SHELLS
but the danger is more subtle than that.
Matt
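
The point made in the reply above, shown as a sudoers fragment with the negated entry beside an allowlist. This is an added example, not configuration from the thread: only %webadmin and "!/usr/bin/passwd root" come from the messages, while the broad ALL grant, the apachectl commands and the webuser account names are assumptions.

```sudoers
# Constructed sudoers fragments. These are two alternatives, not one file.
# Apart from %webadmin and "!/usr/bin/passwd root", every name and path
# here is an assumption made for illustration.

# --- Weak: broad grant with a negated exception ---
# The "!" entry matches only when the argument string is exactly "root".
# Any other argument string, such as the "--stdin root" form quoted in
# the thread, does not match the negation and is still permitted by ALL.
%webadmin ALL = ALL, !/usr/bin/passwd root

# --- Corrected: list only what the group needs ---
# Nothing runs unless it is listed, so there is no exception to get past.
# (The apachectl path and subcommands are hypothetical stand-ins for the
# group's real duties.)
Cmnd_Alias WEB_CMDS = /usr/sbin/apachectl configtest, \
                      /usr/sbin/apachectl graceful

# If the group must reset passwords, name each account (hypothetical
# names). The arguments must be exactly the account name, so neither
# "root" nor "--stdin webuser1" matches these entries.
Cmnd_Alias WEB_PASSWD = /usr/bin/passwd webuser1, \
                        /usr/bin/passwd webuser2

%webadmin ALL = WEB_CMDS, WEB_PASSWD
```

Check the file with `visudo -c -f <file>` before installing it, then confirm the result as a group member with `sudo -l`.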