[sudo-users] [Fwd: How to disable ( deny ) user to change the password of root]

Russell Van Tassell russell+sudo-users at loosenut.com
Mon Nov 17 04:53:44 EST 2008

Edward -

The format should basically be the same... the "HPPA" piece is an
example pertaining to the Host_Alias piece of the configuration.

[BTW, copying the fedora users list on these sudo-related threads
probably isn't winning you any friends over there... not that I'm sub'd
to that list, though]

However, in my own opinion, this is just one of many instances where
you're really better with a wrapper script or good monitoring/alerting
(and is good case for a secure log host so-as to maintain log integrity).
(So perhaps this IS a decent fedora/un*x discussion)

If you are securing down "passwd," I trust you have already gone through
the pain and trouble of limiting commands fairly strictly across your
ENTIRE network?  Put bluntly, there are *many* ways to circumvent
typical system password mechanisms for the determined intruder; here you
are only really protecting against someone that's either made an error
or is going to be nice enough to "give up" after "passwd root" fails...

Your best bet is a solution other than simply trying to patch shell
holes in your O/S... something such as decent OTP (One Time Password)
solution, for example.

On Mon, Nov 17, 2008 at 05:25:00PM +0800, edwardspl at ita.org.mo wrote:
> Dear All,
> Just previewed the sudo manual :
> http://www.sudo.ws/sudo/man/sudoers.html
> pete           HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
> The user pete is allowed to change anyone's password except for root on
> the HPPA machines. Note that this assumes passwd(1) does not take
> multiple usernames on the command line.
> If the Linux System is FC System, so how about the format of it ?
> Many thanks !
> Edward.
> -------- Original Message --------
> Subject: 	[sudo-users] How to disable ( deny ) user to change the
> password of root
> Date: 	Mon, 17 Nov 2008 16:49:05 +0800
> From: 	edwardspl at ita.org.mo
> To: 	sudo-users at sudo.ws
> CC: 	fedora-list at redhat.com <fedora-list at redhat.com>
> Dear All,
> For the sudo setting ( visudo ) :
> User_Alias      SYSADM = manager
> Cmnd_Alias    NOROOT = !/usr/bin/passwd root
> Cmnd_Alias    USER = /usr/sbin/adduser, /usr/bin/passwd, /bin/chown, 
> /usr/sbin/userdel
> BUT the test result as the following :
> [manager at xxx ~]$ sudo passwd root
> Changing password for user root.
> New UNIX password:
> So, what wrong of the config ?
> Many thnak for your hints...
> Edward.

Russell M. Van Tassell
russell at loosenut.com

More information about the sudo-users mailing list