[sudo-users] Preventing users from changing their local passwd using sudoers

christian.peper at kpn.com christian.peper at kpn.com
Thu Dec 13 11:08:46 EST 2007


Hi everyone,

I'm trying to force the users on my (NIS) system to use yppasswd instead
of passwd.
But you could also use this with strong generated passwords that you
don't want your users to change.

So I checked 'which passwd' and added lines at the bottom of sudoers.
Easy as pie, right... :( Then what am I missing...?

[nisuser@myhost ~]$ id
uid=508(nisuser) gid=100(users) groups=100(users)
[nisuser@myhost ~]$ which passwd
/usr/bin/passwd
[nisuser@myhost ~]$ sudo -l
User nisuser may run the following commands on this host:
    (ALL) NOPASSWD: /bin/mount -o loop /media/cdrom
    (ALL) NOPASSWD: /bin/umount /media/cdrom
    (ALL) !/usr/bin/passwd
    (ALL) !/usr/bin/passwd [a-z]*
    (ALL) /usr/bin/yppasswd
    (ALL) !/usr/bin/yppasswd [a-z]*
[nisuser@myhost ~]$ /usr/bin/passwd
Changing password for user nisuser.
Changing password for nisuser
(current) UNIX password:

[nisuser@myhost ~]$ /usr/bin/passwd cpeper
passwd: Only root can specify a user name.
[nisuser@myhost ~]$

Any insight much appreciated!
Chris.
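
The transcript above starts /usr/bin/passwd directly rather than through sudo, and sudoers entries, negated ones included, are only evaluated for commands run via sudo. The script below is an added example, not part of the original post: it reads `sudo -l` output, extracts the negated entries and reports whether each binary is still directly executable (and setuid) for the user running it. The function names are hypothetical and the sample listing is constructed from the output in the post.

```shell
#!/bin/sh
# Added example (not from the original post). SAMPLE is constructed from the
# `sudo -l` listing shown in the message above.
SAMPLE='    (ALL) NOPASSWD: /bin/mount -o loop /media/cdrom
    (ALL) !/usr/bin/passwd
    (ALL) !/usr/bin/passwd [a-z]*
    (ALL) /usr/bin/yppasswd
    (ALL) !/usr/bin/yppasswd [a-z]*'

# Print the unique command paths of negated ("!") entries read from stdin.
negated_cmds() {
    sed -n 's/^[[:space:]]*([^)]*)[^!]*!\(\/[^[:space:]]*\).*/\1/p' | sort -u
}

# Classify how the invoking user can reach a path without going through sudo.
classify() {
    if [ ! -e "$1" ]; then
        echo "missing"
    elif [ -x "$1" ] && [ -u "$1" ]; then
        echo "setuid-direct"      # runs with the file owner's privileges
    elif [ -x "$1" ]; then
        echo "direct"             # runs with the caller's own privileges
    else
        echo "not-executable"
    fi
}

# Report each negated entry. Run as the restricted user, not as root,
# because -x is evaluated for whoever runs this script.
audit() {
    negated_cmds | while read -r cmd; do
        printf '%s\t%s\n' "$cmd" "$(classify "$cmd")"
    done
}

# Usage on a live system: sudo -l | audit
# Here the constructed sample is used instead:
printf '%s\n' "$SAMPLE" | audit
```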


