[sudo-users] How to disable ( deny ) user to change the password of root
Russell Van Tassell
russell+sudo-users at loosenut.com
Tue Nov 18 21:14:11 EST 2008
On Tue, Nov 18, 2008 at 05:18:10PM -0800, Stephen Carville wrote:
> > [Preventing root passwd change using sudo]
>
> In truth, Gordon Messmer's suggestion is probably more secure. The only
> change I'd make would be to embed the sudo command in the script. Something
> like.
>
> [...]
>
> Then give sudo permissions something like:
>
> SYSADM MH = (ALL) /usr/bin/passwd -- [A-z0-1]*

Just "devil's advocate," caveat emptor, buyer beware and all that jazz...

This still doesn't prevent people from doing things such as:

    /usr/bin/sudo /usr/bin/sh /usr/bin/passwd

...or other similar "nasty" things (the list is quite huge). This also
presumes, of course, that the "typical" sudoers file allows more than it
prevents/excludes.

--
Russell M. Van Tassell
russell at loosenut.com
"I have always felt that a politician is to be judged by the animosities
he excites among his opponents." - Sir Winston Churchill
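
An audit sketch for the point raised in this message, added here as an example and not code from the thread or from the sudo project: it scans a sudoers fragment for grants that still reach `passwd root` despite an argument-restricted passwd rule. The sample rules other than the quoted one, the `audit` function and the shell list are assumptions, aliases and negated entries are not resolved, and Python's `fnmatch` stands in for the fnmatch(3) matching sudo applies to command arguments.

```python
import fnmatch

# Constructed sample: the rule quoted in the thread plus two hypothetical
# broader grants of the kind the reply warns about.
SAMPLE_SUDOERS = """\
SYSADM MH = (ALL) /usr/bin/passwd -- [A-z0-1]*
SYSADM MH = (ALL) /usr/bin/sh, /usr/bin/uptime
OPS ALL = (ALL) ALL
"""

SHELLS = {"sh", "bash", "dash", "ksh", "zsh", "csh", "tcsh"}


def audit(sudoers_text, protected_user="root"):
    """Return (line_no, command, reason) for grants that let the user reach
    `passwd <protected_user>`. Handles simple one-line rules only."""
    findings = []
    for no, line in enumerate(sudoers_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        spec = line.split("=", 1)[1].strip()
        if spec.startswith("("):  # drop the (runas) list
            spec = spec.split(")", 1)[1]
        for cmd in (c.strip() for c in spec.split(",")):
            if cmd.startswith("!"):  # negated entries are not evaluated here
                continue
            path, _, args = cmd.partition(" ")
            name = path.rsplit("/", 1)[-1]
            if path == "ALL":
                findings.append((no, cmd, "grants every command"))
            elif name in SHELLS:
                findings.append((no, cmd, "grants a shell"))
            elif name == "passwd":
                # sudo matches the whole argument string with fnmatch(3);
                # Python's fnmatch is used here as an approximation.
                tries = (protected_user, "-- " + protected_user)
                if not args or any(fnmatch.fnmatchcase(t, args.strip()) for t in tries):
                    findings.append((no, cmd, "passwd allowed for " + protected_user))
    return findings


if __name__ == "__main__":
    for no, cmd, reason in audit(SAMPLE_SUDOERS):
        print(f"line {no}: {cmd!r}: {reason}")
```

A finding on the passwd line means the wildcard itself accepts the protected account name; a finding on any other line means the passwd restriction can be sidestepped through that grant.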