[sudo-users] How to restrict sudo users from changing root password

Kohlmeier, Marylou Marylou.Kohlmeier at canyons.edu
Fri Jun 5 11:53:00 EDT 2009


pete           HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
The user pete is allowed to change anyone's password except for root on
the HPPA machines. Note that this assumes passwd(1) does not take
multiple usernames on the command line. (from page 10 of the above link)

Thank you for your email.  Using the link above, I was able to add the
line "pete..." to our sudoers file and restrict this user from changing
root password.


-----Original Message-----
From: Matthew Stier [mailto:Matthew.Stier at us.fujitsu.com] 
Sent: Friday, June 05, 2009 8:45 AM

As long as the user can gain root access to the 'passwd' command or
passwd file, no.

With 'sudo' you either have to be very restrictive, or very trusting.

More information about the sudo-users mailing list