[sudo-users] How to disable ( deny ) user to change the password of root
scarville at landam.com
Fri Nov 21 12:50:19 EST 2008
On Tuesday 18 November 2008 18:14, Russell Van Tassell wrote:
> On Tue, Nov 18, 2008 at 05:18:10PM -0800, Stephen Carville wrote:
> > > [Preventing root passwd change using sudo]
> > In truth, Gordon Messmer's suggestion is probably more secure. The only
> > change I'd make would be to embed the sudo command in the script.
> > like.
> > [...]
> > Then give sudo permissions something like:
> > SYSADM MH = (ALL) /usr/bin/passwd -- [A-z0-1]*
> Just "devil's advocate," caveat emptor, buyer beware and all that jazz...
> This still doesn't prevent people from doing things such as:
> /usr/bin/sudo /usr/bin/sh /usr/bin/passwd
> ...or other similar "nasty" things (the list is quite huge). This also
> presumes, of course, that the "typical" sudoers file allows more than it
Absolutely and, personally, I only use sudo where the access control needed is
either ALL or nothing plus a few commands. Outside that I will use the
consolehelper program found in Red Hat, CentOS and Fedora.
Stephen Carville <scarville at landam.com>
Any security software design that doesn't assume the enemy
possesses the source code is already untrustworthy.
-- Eric Raymond
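
Added example (not part of the original message, and not code from the sudo project): a simplified Python model of how a sudoers command list is matched, run against the rule quoted above. The deny entry, the ALL grant and the sample user names are constructed for illustration, and fnmatchcase stands in for the fnmatch(3) matching that sudo applies to command arguments.

```python
from fnmatch import fnmatchcase

def spec_matches(spec, argv):
    """Model one sudoers Cmnd: 'ALL', '/path', or '/path arg-pattern'."""
    if spec == "ALL":
        return True
    path, _, arg_pattern = spec.partition(" ")
    if argv[0] != path:
        return False
    if not arg_pattern:
        return True  # no arguments listed in the rule: any arguments pass
    # Arguments are compared as one space-joined string, so '*' may span
    # several words. fnmatchcase stands in for fnmatch(3) here (assumption).
    return fnmatchcase(" ".join(argv[1:]), arg_pattern)

def allowed(cmnd_list, argv):
    """Walk the list in order; the last matching entry decides ('!' negates)."""
    verdict = False
    for entry in cmnd_list:
        negated = entry.startswith("!")
        if spec_matches(entry[1:] if negated else entry, argv):
            verdict = not negated
    return verdict

PAGE_RULE = ["/usr/bin/passwd -- [A-z0-1]*"]          # pattern from the message
WITH_DENY = PAGE_RULE + ["!/usr/bin/passwd -- root"]  # constructed deny entry
BROAD = ["ALL", "!/usr/bin/passwd -- root"]           # constructed broad grant

# Constructed invocations (the part after "sudo"); user names are made up.
SAMPLES = [
    ["/usr/bin/passwd", "--", "alice"],
    ["/usr/bin/passwd", "--", "root"],
    ["/usr/bin/passwd", "--", "_svc"],    # '_' lies between 'Z' and 'a' in A-z
    ["/usr/bin/passwd", "--", "9lives"],  # 0-1 covers only the digits 0 and 1
    ["/usr/bin/sh", "/usr/bin/passwd"],   # the command from the quoted reply
]

def audit(cmnd_list):
    """Return {command line: permitted?} for every sample invocation."""
    return {" ".join(argv): allowed(cmnd_list, argv) for argv in SAMPLES}

if __name__ == "__main__":
    for name, rules in [("page rule", PAGE_RULE), ("with deny", WITH_DENY),
                        ("broad grant", BROAD)]:
        print(name)
        for line, ok in audit(rules).items():
            print(f"  {'ALLOW' if ok else 'deny '}  {line}")
```

The model covers only exact paths and argument globs; the real sudoers grammar (aliases, tags, path wildcards, an empty "" argument list) is not handled.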