[sudo-users] How to disable ( deny ) user to change the password of root

edwardspl at ita.org.mo
Tue Nov 18 23:52:30 EST 2008


Dear All,

For /usr/bin/upasswd :

#!/bin/sh

# Validate that a username was given as an argument
[ -n "$1" ] || {
    echo "Use: upasswd <username>" >&2
    exit 64
}

# Validate that the username wasn't "root"
[ "$1" != "root" ] || {
    echo "Can't set the root user's password" >&2
    exit 77
}

# Use -- to make sure that the "username" given wasn't just
# a switch that passwd would interpret.
# THIS ONLY WORKS ON GNU SYSTEMS.
passwd -- "$1"

For visudo :
SYSADM MH = (ALL) /usr/bin/upasswd

Notice * without the option after "/usr/bin/upasswd"...

So, the test result is okay now :

[manager at xxx bin]$ sudo upasswd
Use: upasswd <username>
[manager at xxx bin]$ sudo upasswd root
Can't set the root user's password
[manager at xxx bin]$ sudo upasswd edward
Changing password for user edward.
New UNIX password:

Many thanks for your help !

* This procedure is good for working on FC9...

Edward.

Russell Van Tassell wrote:

>On Tue, Nov 18, 2008 at 05:18:10PM -0800, Stephen Carville wrote:
>
>>>[Preventing root passwd change using sudo]
>>>
>>In truth, Gordon Messmer's suggestion is probably more secure.  The only
>>change I'd make would be to embed the sudo command in the script.  Something
>>like.
>>
>>[...]
>>
>>Then give sudo permissions something like:
>>
>>SYSADM  MH = (ALL) /usr/bin/passwd -- [A-z0-1]*
>>
>
>Just "devil's advocate," caveat emptor, buyer beware and all that jazz...
>
>This still doesn't prevent people from doing things such as:
>
>/usr/bin/sudo /usr/bin/sh /usr/bin/passwd
>
>...or other similar "nasty" things (the list is quite huge).  This also
>presumes, of course, that the "typical" sudoers file allows more than it
>prevents/excludes.
>
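An added example, not Edward's script or anything else from this thread: a stricter variant of the upasswd wrapper above that refuses the name root, any other UID 0 account, and any argument that is not a plain login name before handing it to passwd. PASSWD_DB is a hypothetical override (default /etc/passwd) so the checks can be exercised against a constructed passwd-format file.

```shell
#!/bin/sh
# Added example (not from the original post): a stricter upasswd-style
# wrapper. Besides refusing the literal name "root", it refuses any
# account whose UID is 0 and any argument that is not a plain login
# name, so nothing option-like or shell-unfriendly reaches passwd.
# PASSWD_DB is a hypothetical override (default /etc/passwd) so the
# checks can be exercised against a constructed passwd-format file.

# check_target_user NAME: return 0 if NAME is an acceptable target,
# otherwise print a reason to stderr and return a sysexits-style code.
check_target_user() {
    name=$1
    db=${PASSWD_DB:-/etc/passwd}
    case $name in
        '') echo "Use: upasswd <username>" >&2; return 64 ;;
        -*) echo "Refusing option-like name: $name" >&2; return 64 ;;
        *[!A-Za-z0-9._-]*)
            echo "Invalid characters in name: $name" >&2; return 64 ;;
    esac
    # Look the account up; unknown users are refused rather than passed on.
    uid=$(awk -F: -v u="$name" '$1 == u { print $3; exit }' "$db")
    [ -n "$uid" ] || { echo "No such user: $name" >&2; return 67; }
    # Refuse root by name and any other UID 0 (root-equivalent) account.
    if [ "$name" = root ] || [ "$uid" -eq 0 ]; then
        echo "Can't set the password of a UID 0 account: $name" >&2
        return 77
    fi
    return 0
}

# make_sample_db: write a constructed passwd-format file (a normal user,
# root, and a UID 0 alias of root) and print its path, for testing only.
make_sample_db() {
    tmp=$(mktemp) || return 1
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/sh' \
        'toor:x:0:0:root alias:/root:/bin/sh' \
        'edward:x:1000:1000:Edward:/home/edward:/bin/sh' > "$tmp"
    echo "$tmp"
}

# When run with a username, behave like upasswd. The "--" still relies
# on GNU passwd, as the original script notes.
if [ $# -gt 0 ]; then
    check_target_user "$1" || exit $?
    exec passwd -- "$1"
fi
```

The sudoers side is unchanged by this: the wrapper only limits what passwd is asked to do, and the point Russell raises about what else the sudoers file permits has to be settled in visudo.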



More information about the sudo-users mailing list