!passwd root revisited
Aaron Spangler
aaron at spangler.ods.org
Wed Dec 10 21:12:03 EST 2003
Your shell is doing the variable substitution, so sudo sees
'passwd --stdin root'
> $ password="yourallmine"
> $ userid="root"
> $ echo $password | sudo passwd --stdin $userid
but it is not denied since you mentioned nothing about the '--stdin' option.
Cmnd_Alias PASSWD = /usr/bin/passwd, !/usr/bin/passwd root
Remember with sudo that it is never good about restricting exactly what they
can't do because someone will always find a workaround. It would be better
for you to write a shell script that only allows changing one password and
then allowing sudo to only allow that shell script. You should never allow
someone access to the passwd command unless you are okay with them changing
the root password.
I hope this info helps.
-Aaron
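
The wrapper approach suggested in the message above, sketched as an added example that is not part of the original post: sudo is granted only the script, and the script decides which accounts may be changed. It goes slightly beyond "one password" by using a short allowlist; the install path, the `helpdesk` user and the account names are assumptions.

```shell
#!/bin/sh
# Added example: restricted password-change wrapper, installed root-owned and
# not writable by others at the hypothetical path /usr/local/sbin/chpw-allowed.
# Sudoers then grants only this script, never passwd itself, e.g.:
#   helpdesk ALL = /usr/local/sbin/chpw-allowed
# ("helpdesk" and the account names below are constructed placeholders.)

ALLOWED_USERS="alice bob"

# Succeed only when given exactly one argument that equals an allowlist entry.
# Options such as --stdin, the name root, empty strings and anything with
# characters outside [a-z0-9_-] are refused before the list is consulted.
target_allowed() {
    [ "$#" -eq 1 ] || return 1
    case "$1" in
        ''|-*|root|*[!a-z0-9_-]*) return 1 ;;
    esac
    for u in $ALLOWED_USERS; do
        [ "$1" = "$u" ] && return 0
    done
    return 1
}

# True if the account resolves to UID 0 (a root alias added to the allowlist
# by mistake must still be refused).
is_uid_zero() {
    uid=$(id -u "$1" 2>/dev/null) || return 1
    [ "$uid" -eq 0 ]
}

main() {
    if ! target_allowed "$@"; then
        echo "usage: chpw-allowed <allowed-user>" >&2
        return 1
    fi
    if is_uid_zero "$1"; then
        echo "chpw-allowed: refusing UID 0 account" >&2
        return 1
    fi
    # Fixed absolute path and a single validated argument: the caller cannot
    # pass options or a different target through sudo.
    exec /usr/bin/passwd "$1"
}

# Run only when invoked under its installed name, so the functions can be
# sourced or tested without side effects.
case "${0##*/}" in
    chpw-allowed) main "$@" ;;
esac
```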