!passwd root revisited

mlh at zip.com.au
Wed Dec 10 05:34:40 EST 2003


On Mon, 08 Dec 2003 12:13:04 -0800
Steve Magee <smagee at arb.ca.gov> wrote:
> From the command line, the "!/usr/bin/passwd root" prohibits
> users in the %webadmin group from changing root's password.

Not exactly.  It merely does not enable the %webadmin
group to use the exact arguments "root" to the passwd
command.

> $ echo $password | sudo passwd --stdin $userid

This is not using the exact args "root" to the
passwd command, so it does not match your
sudoers entry.

IMnsHO, the ! syntax is a misfeature.

The sudoers man page warns about 

   bill        ALL = ALL, !SU, !SHELLS

but the danger is more subtle than that.



Matt
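
The matching behaviour described in the message above, as an added example that is not part of the original post or of sudo's own code: a simplified Python model of sudoers command matching (last matching entry wins; an entry with arguments matches only those arguments). The rule strings, the user names alice and bob, and the function names are constructed for illustration.

```python
import fnmatch
import shlex

# Constructed rule lists (assumptions, not taken from the poster's sudoers file).
DENY_LIST = "/usr/bin/passwd, !/usr/bin/passwd root"        # allow all, then negate
ALLOW_LIST = "/usr/bin/passwd alice, /usr/bin/passwd bob"   # enumerate what is permitted

def parse_cmnd_list(spec):
    """Split a sudoers-style command list into (negated, path, args) tuples.
    args is None when the entry names no arguments (it then matches any)."""
    entries = []
    for item in spec.split(","):
        item = item.strip()
        negated = item.startswith("!")
        words = shlex.split(item.lstrip("!").strip())
        args = " ".join(words[1:]) if len(words) > 1 else None
        entries.append((negated, words[0], args))
    return entries

def allowed(spec, command_line):
    """Return True if command_line (full path plus arguments) is permitted."""
    words = shlex.split(command_line)
    path, args = words[0], " ".join(words[1:])
    verdict = False                      # no entry matched: denied
    for negated, rule_path, rule_args in parse_cmnd_list(spec):
        if not fnmatch.fnmatchcase(path, rule_path):
            continue
        if rule_args is not None and not fnmatch.fnmatchcase(args, rule_args):
            continue                     # entry has arguments and they differ
        verdict = not negated            # last matching entry wins
    return verdict

if __name__ == "__main__":
    for name, spec in (("deny-list", DENY_LIST), ("allow-list", ALLOW_LIST)):
        for cmd in ("/usr/bin/passwd root",
                    "/usr/bin/passwd --stdin root",
                    "/usr/bin/passwd alice"):
            print(f"{name:10} {cmd:32} -> {'allowed' if allowed(spec, cmd) else 'denied'}")
```

The negated entry only ever removes the one argument string it spells out, so the allow-list form, which grants nothing it does not name, is the one that holds.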


More information about the sudo-users mailing list