[sudo-users] How to disable ( deny ) user to change the password of root
Stephen Carville
scarville at landam.com
Mon Nov 17 13:59:11 EST 2008
On Monday 17 November 2008 00:49, edwardspl at ita.org.mo wrote:
> Dear All,
>
> For the sudo setting ( visudo ) :
>
> User_Alias SYSADM = manager
>
> Cmnd_Alias NOROOT = !/usr/bin/passwd root
> Cmnd_Alias USER = /usr/sbin/adduser, /usr/bin/passwd, /bin/chown,
> /usr/sbin/userdel
>
> SYSADM MH = (ALL) NOROOT,USER
>
> BUT the test result is as follows:
>
> [manager@xxx ~]$ sudo passwd root
> Changing password for user root.
> New UNIX password:
>
> So, what is wrong with the config?
I think the exception has to be after the allowed rule:
SYSADM MH = (ALL) USER,NOROOT
It's been a while since I checked that part of the code...
--
Stephen Carville <scarville at landam.com>
Systems Engineer
Land America
1.626.667.1450 X1326
============================================================
Any security software design that doesn't assume the enemy
possesses the source code is already untrustworthy.
-- Eric Raymond
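
Added illustration, not part of the original message and not sudo's own code: a simplified Python model of the sudoers rule that the last matching item in a command list decides, applied to the two orderings discussed above. The function names and the use of `fnmatch` for matching are assumptions of this sketch; the alias contents are taken from the quoted config.

```python
import fnmatch

# Aliases from the quoted config, expanded into plain lists.
NOROOT = ["!/usr/bin/passwd root"]
USER = ["/usr/sbin/adduser", "/usr/bin/passwd", "/bin/chown", "/usr/sbin/userdel"]

AS_POSTED = NOROOT + USER   # SYSADM MH = (ALL) NOROOT,USER
REORDERED = USER + NOROOT   # SYSADM MH = (ALL) USER,NOROOT


def spec_matches(spec, argv):
    """True if one command spec (without a leading '!') matches argv."""
    parts = spec.split()
    path, spec_args = parts[0], parts[1:]
    if not fnmatch.fnmatchcase(argv[0], path):
        return False
    if not spec_args:
        # A spec with no arguments matches the command with any arguments.
        return True
    if spec_args == ['""']:
        # "" in a spec means the command may only be run with no arguments.
        return len(argv) == 1
    return fnmatch.fnmatchcase(" ".join(argv[1:]), " ".join(spec_args))


def allowed(cmnd_list, argv):
    """Walk the list left to right; the last item that matches decides."""
    verdict = False  # nothing matched: not permitted
    for item in cmnd_list:
        negated = item.startswith("!")
        if spec_matches(item.lstrip("!"), argv):
            verdict = not negated
    return verdict


if __name__ == "__main__":
    passwd_root = ["/usr/bin/passwd", "root"]
    for name, rules in (("NOROOT,USER", AS_POSTED), ("USER,NOROOT", REORDERED)):
        print(name, "->", "allowed" if allowed(rules, passwd_root) else "denied")
```

In this model the negated entry only matches a command line whose arguments are exactly `root`; on a real system, check the effective result with `sudo -l -U manager` after validating the file with `visudo -c`.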