[sudo-users] How to disable ( deny ) user to change the password of root

Stephen Carville scarville at landam.com
Tue Nov 18 20:18:10 EST 2008


On Tuesday 18 November 2008 16:41, edwardspl at ita.org.mo wrote:

>
> USER 		/usr/bin/passwd [A-z0-1]
>
> NOROOT	!/usr/bin/passwd root
>

Oops.  I forgot the '*'.  That should be:

USER 		/usr/bin/passwd [A-z0-1]*

In truth, Gordon Messmer's suggestion is probably more secure.  The only 
change I'd make would be to embed the sudo command in the script.  Something 
like:

#!/bin/bash

# echo is a bash builtin so
export PATH=""

# Require exactly one argument: the user whose password is to be set.
[ -n "$1" ] || {
  echo "Use: $0 <username>" >&2
  exit 64
}

# Refuse outright when the target is root.
[ "$1" = "root" ] && {
  echo "Can't set the root user's password" >&2
  exit 77
}

# "--" stops passwd from treating the name as an option; the name is quoted.
/usr/bin/sudo /usr/bin/passwd -- "$1"

Then give sudo permissions something like:

SYSADM  MH = (ALL) /usr/bin/passwd -- [A-z0-1]*

Of course the script permissions have to be set to something like 0444.

>
> SYSADM  MH=(ALL)   USER,NOROOT
>
> Hello,
>
> Just test the rules, BUT the result is fail:
>
> [manager at xxx ~]$ sudo passwd
> [sudo] password for manager:
> Sorry, user manager is not allowed to execute '/usr/bin/passwd' as root on
> edsvr.
> [manager at xxx ~]$ sudo passwd root
> [sudo] password for manager:
> Sorry, user manager is not allowed to execute '/usr/bin/passwd root' as
> root on edsvr.
> [manager at xxx ~]$ sudo passwd edward
> [sudo] password for manager:
> Sorry, user manager is not allowed to execute '/usr/bin/passwd edward' as
> root on edsvr.
>
> So, how can we disable any user from changing the root password?
>
> Thanks !
>
> Edward.

-- 
Stephen Carville <scarville at landam.com>
Systems Engineer
Land America
1.626.667.1450 X1326
============================================================
Any security software design that doesn't assume the enemy
possesses the source code is already untrustworthy.
                                           -- Eric Raymond
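
Added example, not the script from Stephen's post or anything shipped with sudo: a wrapper in the same spirit that refuses by UID rather than by the literal name "root" (so a second UID-0 account is blocked as well) and that validates the login name before it reaches sudo. It assumes a PASSWD_FILE override for offline testing and a sudoers rule of the form shown above for "/usr/bin/passwd -- <name>"; the sample passwd lines are constructed.

```shell
#!/bin/sh
# Added example, not the script from the post: refuse by UID rather than by the literal
# name "root", so a second UID-0 account is blocked as well, and validate the login name
# before it ever reaches sudo. Install like the post's script (0444) with a sudoers rule
# for "/usr/bin/passwd -- <name>".

PASSWD_FILE=${PASSWD_FILE:-/etc/passwd}   # overridable for offline testing (assumption)

# check_target_user NAME: 0 if NAME is an ordinary account, 1 if the name is malformed,
# 2 if no such account exists, 3 if the account resolves to UID 0.
check_target_user() {
    name=$1
    case $name in
        ""|-*|*[!a-z0-9_-]*) return 1 ;;   # lowercase portable names only, no leading dash
    esac
    uid=$(awk -F: -v n="$name" '$1 == n { print $3; exit }' "$PASSWD_FILE")
    [ -n "$uid" ] || return 2
    [ "$uid" -ne 0 ] || return 3
    return 0
}

# Constructed sample passwd data for trying the check offline; prints a temp file path.
sample_passwd_file() {
    f=$(mktemp)
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'toor:x:0:0:second uid-0 account:/root:/bin/sh' \
        'edward:x:1001:1001:Edward:/home/edward:/bin/bash' > "$f"
    echo "$f"
}

main() {
    [ -n "$1" ] || { echo "Use: $0 <username>" >&2; exit 64; }
    rc=0
    check_target_user "$1" || rc=$?
    case $rc in
        0) ;;
        1) echo "Refusing: '$1' is not a valid login name" >&2; exit 64 ;;
        2) echo "Refusing: no such user '$1'" >&2; exit 67 ;;
        *) echo "Refusing: '$1' is a UID-0 account" >&2; exit 77 ;;
    esac
    # The name is quoted and already whitelisted, so sudo sees exactly one argument.
    exec /usr/bin/sudo /usr/bin/passwd -- "$1"
}

# Act as the wrapper only when given an argument; otherwise just define the functions.
if [ $# -gt 0 ]; then main "$@"; fi
```

With PASSWD_FILE pointing at the sample file, check_target_user returns 3 for both root and toor, 0 for edward, 2 for an unknown name and 1 for names containing spaces or a leading dash.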


