[sudo-users] How to disable ( deny ) user to change the password of root

Russell Van Tassell russell+sudo-users at loosenut.com
Tue Nov 18 21:14:11 EST 2008

On Tue, Nov 18, 2008 at 05:18:10PM -0800, Stephen Carville wrote:
> > [Preventing root passwd change using sudo]
> In truth, Gordon Messmer's suggestion is probably more secure.  The only 
> change I'd make would be to embed the sudo command in the script.  Something 
> like.
> [...]
> Then give sudo permissions something like:
> SYSADM  MH = (ALL) /usr/bin/passwd -- [A-z0-1]*

Just "devil's advocate," caveat emptor, buyer beware and all that jazz...

This still doesn't prevent people from doing things such as:

/usr/bin/sudo /usr/bin/sh /usr/bin/passwd

...or other similar "nasty" things (the list is quite huge).  This also
presumes, of course, that the "typical" sudoers file allows more than it

Russell M. Van Tassell
russell at loosenut.com

"I have always felt that a politician is to be judged by the animosities
 he excites among his opponents."                - Sir Winston Churchill
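
An added example, not part of the original message or of sudo itself: a small audit over constructed sudoers lines that flags the cases raised in the reply above, namely a rule that grants a shell or ALL, and a passwd rule whose argument pattern still matches root. The sample rules, the shell list and the use of Python's fnmatch as a stand-in for sudo's wildcard matching are assumptions.

```python
import fnmatch
import os

# Assumed (not exhaustive) list of programs that give an interactive shell.
SHELLS = {"sh", "bash", "dash", "ksh", "zsh", "csh", "tcsh"}

# Constructed sudoers lines: "who host = (runas) command [args]".
SAMPLE_RULES = [
    "SYSADM  MH = (ALL) /usr/bin/passwd -- [A-z0-1]*",
    "SYSADM  MH = (ALL) /usr/bin/sh",
    "OPS     MH = (ALL) ALL",
    "HELP    MH = (ALL) /usr/bin/passwd -- alice",
]

def parse_rule(line):
    """Split one simple single-command sudoers line into (who, cmd, args)."""
    left, right = line.split("=", 1)
    right = right.strip()
    if right.startswith("("):                 # drop the (runas) part
        right = right.split(")", 1)[1].strip()
    cmd, _, args = right.partition(" ")
    return left.split()[0], cmd, args.strip()

def passwd_reaches_root(args):
    """True if a passwd rule's argument pattern still lets root's password change."""
    if args == "":        # no args in the rule: sudo accepts any arguments
        return True
    if args == '""':      # bare passwd only; run as root it changes root's password
        return True
    # Assumption: fnmatch approximates sudo's glob match on the joined args.
    return any(fnmatch.fnmatchcase(c, args) for c in ("root", "-- root"))

def audit(rules):
    """Return (who, finding) pairs for rules that defeat a passwd restriction."""
    findings = []
    for line in rules:
        who, cmd, args = parse_rule(line)
        base = os.path.basename(cmd)
        if cmd == "ALL":
            findings.append((who, "unrestricted"))
        elif base in SHELLS:
            findings.append((who, "shell"))
        elif base == "passwd" and passwd_reaches_root(args):
            findings.append((who, "passwd-root"))
    return findings

if __name__ == "__main__":
    for who, finding in audit(SAMPLE_RULES):
        print(who, finding)
```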
