[sudo-users] How to disable ( deny ) user to change the password of root
edwardspl at ita.org.mo
edwardspl at ita.org.mo
Tue Nov 18 23:52:30 EST 2008
Dear All,
For /usr/bin/upasswd :
#!/bin/sh
# Validate that a username was given as an argument
[ -n "$1" ] || {
echo "Use: upasswd <username>" >&2
exit 64
}
# Validate that the username wasn't "root"
[ "$1" != "root" ] || {
echo "Can't set the root user's password" >&2
exit 77
}
# Use -- to make sure that the "username" given wasn't just
# a switch that passwd would interpret.
# THIS ONLY WORKS ON GNU SYSTEMS.
passwd -- "$1"
For visudo :
SYSADM MH = (ALL) /usr/bin/upasswd
Notice * without the option after "/usr/bin/upasswd"...
So, the test result is okay now :
[manager at xxx bin]$ sudo upasswd
Use: upasswd <username>
[manager at xxx bin]$ sudo upasswd root
Can't set the root user's password
[manager at xxx bin]$ sudo upasswd edward
Changing password for user edward.
New UNIX password:
Many thanks for your help !
* This procedure is good for working on FC9...
Edward.
Russell Van Tassell wrote:
>On Tue, Nov 18, 2008 at 05:18:10PM -0800, Stephen Carville wrote:
>
>
>>>[Preventing root passwd change using sudo]
>>>
>>>
>>In truth, Gordon Messmer's suggestion is probably more secure. The only
>>change I'd make would be to embed the sudo command in the script. Something
>>like.
>>
>>[...]
>>
>>The give sudo permissions something like:
>>
>>SYSADM MH = (ALL) /usr/bin/passwd -- [A-z0-1]*
>>
>>
>
>Just "devil's advocate," caveat emptor, buyer beware and all that jazz...
>
>This still doesn't prevent people from doing things such as:
>
>/usr/bin/sudo /usr/bin/sh /usr/bin/passwd
>
>...or other similar "nasty" things (the list is quite huge). This also
>presumes, of course, that the "typical" sudoers file allows more than it
>prevents/excludes.
>
>
>
>
More information about the sudo-users
mailing list