!passwd root revisited

Paul M. Lambert plambert at plambert.net
Wed Dec 10 03:00:23 EST 2003

On Mon, 08 Dec 2003, Steve Magee wrote:

> Running sudo 1.6.6-3, RH 9
> Applied the following to my /etc/sudoers file...
> Cmnd_Alias      PASSWD   = /usr/bin/passwd, !/usr/bin/passwd root
> No "Defaults" used or implemented.
> From the command line, the "!/usr/bin/passwd root" prohibits
> users in the %webadmin group to change root's password.
> From within a script or the command line in this context, it fails.
> Logged in as myself and in the webadmin group, I issue the following...
> $ password="yourallmine"
> $ userid="root"
> $ echo $password | sudo passwd --stdin $userid
> Read just about every article and found nothing addressing the
> issue of using variables in the line instead of literals.
> Is there a way to restrict the sudo passwd command to just groups?
> Thanks in advance,
> Steve

Sudo can only do what you tell it to.

You have allowed any command starting with /usr/bin/passwd except for
'/usr/bin/passwd root'.

'/usr/bin/passwd --stdin foo' (for any foo) is not '/usr/bin/passwd
root' and starts with '/usr/bin/passwd' so you've allowed it in the
sudoers file.

sudo cannot know every option to every command and try to guess what you
mean.  instead, it can only do what you tell it.

if you don't trust your users to not try to work around sudo, your only
option is to never, ever, ever use the ! operator in the sudoers file,
because it implies that you know _every_ possible option besides the one
you're explicitly disallowing.  and you probably don't.  :-)

instead, write a script called 'sudopasswd' like so:

#!/usr/bin/perl -w
use strict;
# Allowed in sudoers instead of passwd itself; only a plain account name gets through.
sub usage { die "usage: sudo /usr/local/bin/sudopasswd username\n"; }
my $user = shift || usage();
usage() if defined $ARGV[0];                       # exactly one argument
usage() if $user !~ /\A[a-z][a-z0-9]+\z/i;         # \z: no trailing newline either
my $uid = (getpwnam $user)[2];
die "sudopasswd: no such user: $user\n" unless defined $uid;
die "sudopasswd: will not change a uid 0 account\n" if $uid == 0;
$ENV{PATH} = '/bin:/usr/bin';
exec '/usr/bin/passwd', $user or die "sudopasswd: exec failed: $!\n";


(that's off the top of my head and very ugly, but should give the idea)

the point is, don't exclude the things you can think of, because others
can always think of more than you can.  specifically include exactly and
only what you want to allow.  this typically means writing wrapper

if you want advice on wrapper scripts, just post short ones here (right?
is that okay with everyone else?) and folks'll be happy to critique
them.  it doesn't take long to get the hang of it!
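The matching rules the reply leans on (path must be identical; an entry with no arguments accepts any arguments, an entry with "" accepts none, otherwise the arguments must match exactly; a leading "!" negates; the last matching entry wins) can be modelled in a few lines. The following is an added example, not code from the original post or from sudo itself; it reproduces only those rules, leaves out wildcards, sudoedit, directory entries and the rest of the sudoers grammar, and uses a hypothetical wrapper path /usr/local/bin/sudopasswd for the corrected alias.

```python
"""Toy model of sudo's Cmnd matching: why '!/usr/bin/passwd root' is bypassed.

Added example. Implements only: identical path; no args listed => any args;
"" listed => no args; otherwise exact args; '!' negates; last match wins.
"""
import shlex

# Constructed inputs: the alias from the question and a wrapper-only alias
# (hypothetical wrapper path, as in the reply).
ORIGINAL_ALIAS = "/usr/bin/passwd, !/usr/bin/passwd root"
WRAPPER_ALIAS = "/usr/local/bin/sudopasswd"


def parse_cmnd_list(spec):
    """Turn 'a, !b c' into [(negated, path, args)].

    args is None when the entry lists no arguments (sudo: any arguments),
    [] when it lists "" (sudo: no arguments at all), else the exact list.
    """
    entries = []
    for item in spec.split(","):
        item = item.strip()
        negated = item.startswith("!")
        if negated:
            item = item[1:].lstrip()
        words = shlex.split(item)
        path, args = words[0], words[1:]
        if not args:
            args = None
        elif args == [""]:
            args = []
        entries.append((negated, path, args))
    return entries


def entry_matches(path, args, cmd_path, cmd_args):
    """Does one Cmnd entry match the command the user typed?"""
    if path != cmd_path:
        return False
    if args is None:          # entry names no arguments: anything goes
        return True
    return args == cmd_args   # "" (=> []) or an exact argument list


def is_allowed(spec, cmdline):
    """Would sudo run cmdline (full path plus shell-quoted args) under spec?"""
    words = shlex.split(cmdline)
    cmd_path, cmd_args = words[0], words[1:]
    allowed = False
    for negated, path, args in parse_cmnd_list(spec):
        if entry_matches(path, args, cmd_path, cmd_args):
            allowed = not negated      # last matching entry wins
    return allowed


if __name__ == "__main__":
    for spec in (ORIGINAL_ALIAS, WRAPPER_ALIAS):
        print("Cmnd list:", spec)
        for cmd in ("/usr/bin/passwd root",
                    "/usr/bin/passwd --stdin root",
                    "/usr/bin/passwd -d root",
                    "/usr/local/bin/sudopasswd alice"):
            verdict = "allowed" if is_allowed(spec, cmd) else "denied"
            print("  %-34s %s" % (cmd, verdict))
```

With ORIGINAL_ALIAS the model denies the literal "passwd root" and allows "passwd --stdin root" and "passwd -d root", which is exactly the hole in the question; with WRAPPER_ALIAS nothing under /usr/bin/passwd matches at all, so the argument parsing of passwd never enters into it. Against a real sudoers file, current sudo releases let the user confirm the same thing with "sudo -l /usr/bin/passwd --stdin root".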


More information about the sudo-users mailing list