[sudo-users] Re: restrict passwd command
Yocom, Ray
ryocom at ci.yakima.wa.us
Tue Nov 22 14:19:40 EST 2005
I tend to agree on the $SUDO_USER var and I understand your script example
is indeed a rough example. But make sure you include the full path in your
wrapper. If I were up to no good I might do something like:

    set path ($home/bin $path)

then drop my own passwd command in my $home/path directory.
-Ray
-----Original Message-----
From: Mark F [mailto:mfaine at knology.net]
Sent: Tuesday, November 22, 2005 10:22 AM
To: sudo-users at sudo.ws
Subject: [sudo-users] Re: restrict passwd command
Russell Van Tassell wrote:
> On Tue, Nov 22, 2005 at 11:59:57AM -0600, Mark F wrote:
>
>>Ladner, Eric (Eric.Ladner) wrote:
>>
>>>You might be better off just leaving the suid bit on the passwd command.
>>>
>>>I don't think the sudoers file macros and wildcarding can do that type
>>>of substitution.
>>
>>What about a wrapper script that uses $SUDO_USER ?
>
>
> Then you have to contend with users that do stuff like:
>
> setenv SUDO_USER mfaine
> sudo passwd mfaine
>
> ...or similar.
>
>
For some reason I thought sudo would ensure that whenever sudo was run
it was run with the correct SUDO_USER environment variable with env_reset.
If I wrote a simple script like:

/bin/change_password

    #!/bin/sh -
    passwd $SUDO_USER

set the permissions to 700 (root:root)

Added:

    Defaults env_reset

and

    USERS ALL=(ALL) /bin/change_password

The script would be run like

    $ sudo /bin/change_password
How can the user change the SUDO_USER environment variable?
Not arguing your facts, just saying I don't understand.
Thanks,
-Mark
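
An added example, not code from any poster in this thread: a version of the /bin/change_password wrapper that uses a full path for passwd and a fixed PATH, as Ray asks, and cross-checks SUDO_USER against SUDO_UID, both of which sudo sets for the command it runs. The /usr/bin/passwd location and the function names are assumptions made for this sketch.

```shell
#!/bin/sh -
# Added example: hardened take on the /bin/change_password wrapper.
# Assumption: passwd is installed at /usr/bin/passwd on this system.
PASSWD=/usr/bin/passwd

# Fixed search path and locale, so nothing inherited from the caller decides
# which helper binaries run or how the character ranges below are matched.
PATH=/usr/bin:/bin
LC_ALL=C
export PATH LC_ALL

# Accept only a plain account name: non-empty, not root, no leading "-"
# (it would be read as an option), nothing outside [A-Za-z0-9._-].
valid_name() {
    case "$1" in
        ''|root|-*) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# True when the account name resolves to the given numeric uid.
uid_matches() {
    [ -n "$2" ] && [ "$(id -u "$1" 2>/dev/null)" = "$2" ]
}

# Print the account whose password may be changed, or fail.
# $1 = SUDO_USER, $2 = SUDO_UID as found in the environment.
target_user() {
    valid_name "$1" || return 1
    uid_matches "$1" "$2" || return 1
    printf '%s\n' "$1"
}

run_wrapper() {
    user=$(target_user "${SUDO_USER:-}" "${SUDO_UID:-}") || {
        echo "change_password: refusing, SUDO_USER/SUDO_UID not usable" >&2
        exit 1
    }
    exec "$PASSWD" "$user"
}

# Run only under the installed name, so the functions above can be
# exercised on their own without invoking passwd.
case "${0##*/}" in
    change_password) run_wrapper ;;
esac
```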