[sudo-users] How to disable ( deny ) user to change the password of root
Gordon Messmer
yinyang at eburg.com
Tue Nov 18 11:36:56 EST 2008
edwardspl at ita.org.mo wrote:
> BUT there is another problem of it ( I think it is a bug of sudo ).....
>
> When you enter "sudo passwd" without the option (eg:userid):
>
> [manager at xxx ~]$ sudo passwd
> Changing password for user root.
> New UNIX password:
That's not a bug. "sudo" doesn't know what you're trying to do, only
whether or not your commands match the patterns in its configuration
files. They do, so sudo allows the access.
> OH...the user manager who can change root password ?
>
> So, is there any solution for this case of problem ?
Yes, there is. Don't let users execute any of those commands directly.
Write shell scripts that validate the commands that you want them to
execute, and only allow users to execute those with sudo. For example:
passwd-wrapper:
#!/bin/sh
# Validate that a username was given as an argument
[ -n "$1" ] || {
echo "Use: passwd-wrapper <username>" >&2
exit 64
}
# Validate that the username wasn't "root"
[ "$1" != "root" ] || {
echo "Can't set the root user's password" >&2
exit 77
}
# Use -- to make sure that the "username" given wasn't just
# a switch that passwd would interpret.
# THIS ONLY WORKS ON GNU SYSTEMS.
passwd -- "$1"
More information about the sudo-users
mailing list