[sudo-users] How to disable ( deny ) user to change the password of root

[edwardspl at ita.org.mo]

Gordon Messmer wrote:

> edwardspl at ita.org.mo wrote:
>
>> BUT there is another problem of it ( I think it is a bug of sudo ).....
>>
>> When you enter "sudo passwd" without the option (eg:userid):
>>
>> [manager at xxx ~]$ sudo passwd
>> Changing password for user root.
>> New UNIX password:
>
>
> That's not a bug. "sudo" doesn't know what you're trying to do, only
> whether or not your commands match the patterns in its configuration
> files. They do, so sudo allows the access.
>
>> OH...the user manager who can change root password ?
>>
>> So, is there any solution for this case of problem ?
>
>
> Yes, there is. Don't let users execute any of those commands directly.
> Write shell scripts that validate the commands that you want them to
> execute, and only allow users to execute those with sudo. For example:
>
> passwd-wrapper:
> #!/bin/sh
>
> # Validate that a username was given as an argument
> [ -n "$1" ] || {
> echo "Use: passwd-wrapper <username>" >&2
> exit 64
> }
>
> # Validate that the username wasn't "root"
> [ "$1" != "root" ] || {
> echo "Can't set the root user's password" >&2
> exit 77
> }
>
> # Use -- to make sure that the "username" given wasn't just
> # a switch that passwd would interpret.
> # THIS ONLY WORKS ON GNU SYSTEMS.
> passwd -- "$1"
>
Hello,

Sorry...
After create the shell script, then how to use it by sudo ?

Thanks !

Edward.