[sudo-users] How to restrict sudo users from changing root password
Marylou.Kohlmeier at canyons.edu
Fri Jun 5 11:53:00 EDT 2009
pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
The user pete is allowed to change anyone's password except for root on
the HPPA machines. Note that this assumes passwd(1) does not take
multiple usernames on the command line. (from page 10 of the above link)
Thank you for your email. Using the link above, I was able to add the
line "pete..." to our sudoers file and restrict this user from changing
From: Matthew Stier [mailto:Matthew.Stier at us.fujitsu.com]
Sent: Friday, June 05, 2009 8:45 AM
As long as the user can gain root access to the 'passwd' command or
passwd file, no.
With 'sudo' you either have to be very restrictive, or very trusting.
More information about the sudo-users