[sudo-users] How to disable ( deny ) user to change the password of root

Gordon Messmer yinyang at eburg.com
Tue Nov 18 11:36:56 EST 2008

edwardspl at ita.org.mo wrote:
> BUT there is another problem of it ( I think it is a bug of sudo ).....
> When you enter "sudo passwd" without the option (eg:userid):
> [manager at xxx ~]$ sudo passwd
> Changing password for user root.
> New UNIX password:

That's not a bug.  "sudo" doesn't know what you're trying to do, only 
whether or not your commands match the patterns in its configuration 
files.  They do, so sudo allows the access.

> OH...the user manager who can change root password ?
> So, is there any solution for this case of problem ?

Yes, there is.  Don't let users execute any of those commands directly. 
  Write shell scripts that validate the commands that you want them to 
execute, and only allow users to execute those with sudo.  For example:


# Validate that a username was given as an argument
[ -n "$1" ] || {
	echo "Use: passwd-wrapper <username>" >&2
	exit 64

# Validate that the username wasn't "root"
[ "$1" != "root" ] || {
	echo "Can't set the root user's password" >&2
	exit 77

# Use -- to make sure that the "username" given wasn't just
# a switch that passwd would interpret.
passwd -- "$1"

More information about the sudo-users mailing list