Re: [sudo-users] How to disable ( deny ) user to change the password of root
- From: edwardspl@xxxxxxxxxx
- Date: Wed, 19 Nov 2008 12:52:30 +0800
Dear All,
For /usr/bin/upasswd :
#!/bin/sh

# Validate that a username was given as an argument
[ -n "$1" ] || {
    echo "Use: upasswd <username>" >&2
    exit 64
}

# Validate that the username wasn't "root"
[ "$1" != "root" ] || {
    echo "Can't set the root user's password" >&2
    exit 77
}

# Use -- to make sure that the "username" given wasn't just
# a switch that passwd would interpret.
# THIS ONLY WORKS ON GNU SYSTEMS.
passwd -- "$1"
For visudo :
SYSADM MH = (ALL) /usr/bin/upasswd
Notice * without the option after "/usr/bin/upasswd"...
So, the test result is okay now :
[manager@xxx bin]$ sudo upasswd
Use: upasswd <username>
[manager@xxx bin]$ sudo upasswd root
Can't set the root user's password
[manager@xxx bin]$ sudo upasswd edward
Changing password for user edward.
New UNIX password:
Many thanks for your help !
* This procedure is good for working on FC9...
Edward.
Russell Van Tassell wrote:
On Tue, Nov 18, 2008 at 05:18:10PM -0800, Stephen Carville wrote:
[Preventing root passwd change using sudo]
In truth, Gordon Messmer's suggestion is probably more secure. The only
change I'd make would be to embed the sudo command in the script. Something
like.
[...]
Then give sudo permissions something like:
SYSADM MH = (ALL) /usr/bin/passwd -- [A-z0-1]*
Just "devil's advocate," caveat emptor, buyer beware and all that jazz...
This still doesn't prevent people from doing things such as:
/usr/bin/sudo /usr/bin/sh /usr/bin/passwd
...or other similar "nasty" things (the list is quite huge). This also
presumes, of course, that the "typical" sudoers file allows more than it
prevents/excludes.
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
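
An added example, not part of the message above or of the thread: a variant of the upasswd wrapper that refuses any target whose UID is 0 instead of comparing the name with "root", because a name test alone passes any other account that shares UID 0. The function names, the allowed username characters, exit code 67 and the sample passwd entries are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the script from the thread. Exit codes 64 and 77 follow
# the original; 67 (no such user) and the name charset are assumptions.

# Constructed passwd(5) entries for trying check_target by hand.
SAMPLE_USER='edward:x:500:500::/home/edward:/bin/bash'
SAMPLE_ROOT='root:x:0:0:root:/root:/bin/bash'
SAMPLE_ALIAS='toor:x:0:0:second superuser:/root:/bin/bash'

# Accept only plain account names: non-empty, no leading "-", no whitespace,
# no glob or shell metacharacters.
valid_name() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
}

# check_target NAME PASSWD_ENTRY
# Returns 0 if NAME may have its password changed, 64 for a bad name,
# 67 if the entry is missing or is not NAME's, 77 if the account has UID 0.
check_target() {
    valid_name "$1" || return 64
    uid=$(printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $3; exit }')
    case "$uid" in
        ''|*[!0-9]*) return 67 ;;
    esac
    [ "$uid" -ne 0 ] || return 77
}

upasswd() {
    if [ "$#" -ne 1 ] || ! valid_name "$1"; then
        echo "Use: upasswd <username>" >&2
        return 64
    fi
    check_target "$1" "$(getent passwd "$1")" || {
        rc=$?
        echo "Can't set the password of '$1' (code $rc)" >&2
        return "$rc"
    }
    # Absolute path, so the wrapper does not depend on root's PATH.
    /usr/bin/passwd -- "$1"
}

# Run only when installed under the name upasswd (e.g. /usr/bin/upasswd).
[ "${0##*/}" != upasswd ] || { upasswd "$@"; exit; }
```

The sudoers entry stays the one from the message, /usr/bin/upasswd with no arguments listed, so every argument check happens inside the wrapper.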