!passwd root revisited

Aaron Spangler aaron at spangler.ods.org
Wed Dec 10 21:12:03 EST 2003


Your shell is doing the variable substitution, so sudo sees
 'passwd --stdin root'

> $ password="yourallmine"
> $ userid="root"
> $ echo $password | sudo passwd --stdin $userid

but it is not denied since you mentioned nothing about the '--stdin' option.
Cmnd_Alias      PASSWD   = /usr/bin/passwd, !/usr/bin/passwd root

Remember with sudo that it is never good about restricting exactly what they 
can't do because someone will always find a workaround.  It would be better 
for you to write a shell script that only allows changing one password and 
then allowing sudo to only allow that shell script.  You should never allow 
someone access to the passwd command unless you are okay with them changing 
the root password.

I hope this info helps.

 -Aaron
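
A sketch of the wrapper approach suggested above, added here as an example and not part of the original message. The script name `chpass-one`, its install path, the `%helpdesk` group and the account `webadmin` are assumptions; it goes slightly beyond the advice by also refusing a target that resolves to UID 0.

```shell
#!/bin/sh
# chpass-one (hypothetical name): the only command granted through sudo.
# Assumed sudoers entry, replacing the PASSWD alias ("" = no arguments allowed):
#   %helpdesk ALL = /usr/local/sbin/chpass-one ""
TARGET_USER="webadmin"   # assumed: the one account this wrapper may change

# request_ok ARGS... -> 0 only when the caller passed no arguments at all,
# so options such as --stdin and other user names never reach passwd.
request_ok() {
    [ "$#" -eq 0 ]
}

# safe_target NAME PASSWD_FILE -> 0 only if NAME is exactly TARGET_USER and
# that account exists in PASSWD_FILE with a non-zero UID (no root alias).
safe_target() {
    [ "$1" = "$TARGET_USER" ] || return 1
    uid=$(awk -F: -v u="$1" '$1 == u { print $3; exit }' "$2")
    [ -n "$uid" ] && [ "$uid" -gt 0 ]
}

main() {
    PATH=/usr/bin:/bin; export PATH
    request_ok "$@" || { echo "usage: chpass-one (no arguments)" >&2; exit 64; }
    safe_target "$TARGET_USER" /etc/passwd || {
        echo "refusing: $TARGET_USER is missing or has UID 0" >&2; exit 77; }
    # Fixed path and fixed argument: nothing from the caller is passed on.
    exec /usr/bin/passwd "$TARGET_USER"
}

# Run only when invoked under the installed name.
case "$0" in
    chpass-one|*/chpass-one) main "$@" ;;
esac
```

The script must be owned by root and not writable by the users who are allowed to run it through sudo.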


