[sudo-users] Preventing users from changing their local passwd using sudoers

Michael Potter pottmi at gmail.com
Thu Dec 13 21:06:26 EST 2007


sudo only controls commands that you prefix with sudo.

you could do a
sudo chmod go-rwx /usr/bin/passwd
to turn off everyone's ability to run passwd except for root.

Please respond back if that helped.
Michael Potter

On Dec 13, 2007 10:08 AM,  <christian.peper at kpn.com> wrote:
> Hi everyone,
> I'm trying to force the users on my (NIS) system to use yppasswd instead
> of passwd.
> But you could also use this with strong generated passwords that you
> don't want your users to change.
> So I checked 'which passwd' and added lines at the bottom of sudoers.
> Easy as pie, right... :( Then what am I missing...?
> [nisuser at myhost ~]$ id
> uid=508(nisuser) gid=100(users) groups=100(users)
> [nisuser at myhost ~]$ which passwd
> /usr/bin/passwd
> [nisuser at myhost ~]$ sudo -l
> User nisuser may run the following commands on this host:
>     (ALL) NOPASSWD: /bin/mount -o loop /media/cdrom
>     (ALL) NOPASSWD: /bin/umount /media/cdrom
>     (ALL) !/usr/bin/passwd
>     (ALL) !/usr/bin/passwd [a-z]*
>     (ALL) /usr/bin/yppasswd
>     (ALL) !/usr/bin/yppasswd [a-z]*
> [nisuser at myhost ~]$ /usr/bin/passwd
> Changing password for user nisuser.
> Changing password for nisuser
> (current) UNIX password:
> [nisuser at myhost ~]$ /usr/bin/passwd cpeper
> passwd: Only root can specify a user name.
> [nisuser at myhost ~]$
> Any insight much appreciated!
> Chris.
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users

More information about the sudo-users mailing list