[sudo-users] How to disable ( deny ) user to change the password of root
Stephen Carville
scarville at landam.com
Tue Nov 18 20:18:10 EST 2008
On Tuesday 18 November 2008 16:41, edwardspl at ita.org.mo wrote:
>
> USER /usr/bin/passwd [A-z0-1]
>
> NOROOT !/usr/bin/passwd root
>
Oops. I forgot the '*'. That should be:
USER /usr/bin/passwd [A-z0-1]*
In truth, Gordon Messmer's suggestion is probably more secure. The only
change I'd make would be to embed the sudo command in the script. Something
like:
#!/bin/bash
# echo and [ are bash builtins, so an empty PATH is fine here
export PATH=""
[ -n "$1" ] || {
    echo "Use: $0 <username>" >&2
    exit 64
}
[ "$1" = "root" ] && {
    echo "Can't set the root user's password" >&2
    exit 77
}
/usr/bin/sudo /usr/bin/passwd -- "$1"
Then give sudo permissions something like:
SYSADM MH = (ALL) /usr/bin/passwd -- [A-z0-1]*
Of course the script permissions have to be set to something like 0444
>
> SYSADM MH=(ALL) USER,NOROOT
>
> Hello,
>
> Just test the rules, BUT the result is fail:
>
> [manager at xxx ~]$ sudo passwd
> [sudo] password for manager:
> Sorry, user manager is not allowed to execute '/usr/bin/passwd' as root on
> edsvr.
> [manager at xxx ~]$ sudo passwd root
> [sudo] password for manager:
> Sorry, user manager is not allowed to execute '/usr/bin/passwd root' as
> root on edsvr.
> [manager at xxx ~]$ sudo passwd edward
> [sudo] password for manager:
> Sorry, user manager is not allowed to execute '/usr/bin/passwd edward' as
> root on edsvr.
>
> So, how can we disable any user for changing the root password ?
>
> Thanks !
>
> Edward.
--
Stephen Carville <scarville at landam.com>
Systems Engineer
Land America
1.626.667.1450 X1326
============================================================
Any security software design that doesn't assume the enemy
possesses the source code is already untrustworthy.
-- Eric Raymond
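As an added example (not code from the thread or from sudo), here is a stricter version of the wrapper's argument check that goes a little beyond the script above: besides refusing the name "root", it rejects names passwd would read as options or that contain shell metacharacters, and refuses any other UID-0 account when getent can look it up. The function names validate_target and change_password are hypothetical.

```shell
#!/bin/bash
# Added example (hypothetical names, not code from the thread): a stricter
# version of the wrapper's target check. Return codes follow sysexits.h:
# 64 = usage error, 65 = malformed name, 77 = privileged target refused.

validate_target() {
    local user="$1" entry uid
    [ -n "$user" ] || return 64
    # Conservative portable user-name charset; rejecting a leading '-' also
    # rules out anything passwd would parse as an option.
    case "$user" in
        [!a-z_]*)       return 65 ;;   # must start with a letter or '_'
        *[!a-z0-9_-]*)  return 65 ;;   # no spaces or shell metacharacters
    esac
    [ "${#user}" -le 32 ] || return 65
    # Deny root by name ...
    [ "$user" != "root" ] || return 77
    # ... and any other UID-0 account (e.g. a "toor" alias), when the
    # account database can be queried with getent.
    if command -v getent >/dev/null 2>&1; then
        if entry=$(getent passwd "$user"); then
            uid=$(printf '%s\n' "$entry" | cut -d: -f3)
            [ "$uid" != "0" ] || return 77
        fi
    fi
    return 0
}

change_password() {
    validate_target "$1" || return $?
    # '--' stops passwd from treating the argument as an option; the sudoers
    # entry should list the command exactly as it is invoked here.
    /usr/bin/sudo /usr/bin/passwd -- "$1"
}

# Run only when invoked with an argument, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    change_password "$1" || exit $?
fi
```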