Re: [sudo-users] How to disable ( deny ) user to change the password of root


Dear All,

For /usr/bin/upasswd :

#!/bin/sh

# Validate that a username was given as an argument
[ -n "$1" ] || {
    echo "Use: upasswd <username>" >&2
    exit 64
}

# Validate that the username wasn't "root"
[ "$1" != "root" ] || {
    echo "Can't set the root user's password" >&2
    exit 77
}

# Use -- to make sure that the "username" given wasn't just
# a switch that passwd would interpret.
# THIS ONLY WORKS ON GNU SYSTEMS.
passwd -- "$1"

For visudo :
SYSADM  MH = (ALL)  /usr/bin/upasswd

Notice * without the option after "/usr/bin/upasswd"...

So, the test result is okay now :

[manager@xxx bin]$ sudo upasswd
Use: upasswd <username>
[manager@xxx bin]$ sudo upasswd root
Can't set the root user's password
[manager@xxx bin]$ sudo upasswd edward
Changing password for user edward.
New UNIX password:

Many thanks for your help !

* This procedure is good for working on FC9...

Edward.

Russell Van Tassell wrote:
On Tue, Nov 18, 2008 at 05:18:10PM -0800, Stephen Carville wrote:
  
[Preventing root passwd change using sudo]
      
In truth, Gordon Messmer's suggestion is probably more secure.  The only 
change I'd make would be to embed the sudo command in the script.  Something 
like.

[...]

Then give sudo permissions something like:

SYSADM  MH = (ALL) /usr/bin/passwd -- [A-z0-1]*
    

Just "devil's advocate," caveat emptor, buyer beware and all that jazz...

This still doesn't prevent people from doing things such as:

/usr/bin/sudo /usr/bin/sh /usr/bin/passwd

...or other similar "nasty" things (the list is quite huge).  This also
presumes, of course, that the "typical" sudoers file allows more than it
prevents/excludes.
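
The wrapper's argument checks can be tightened so that they also reject extra arguments, names that start with "-", and any account that resolves to UID 0 rather than only the literal name "root". The script below is an added example and is not part of the original thread; the helper names (lookup_uid, validate_target, upasswd_main), the exit codes 65 and 67, and the lowercase-only name pattern are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: stricter argument checks for the upasswd wrapper.
# Exit codes 64 and 77 come from the original script; 65 and 67 are assumed here.
PATH=/usr/bin:/bin:/usr/sbin:/sbin
LC_ALL=C                       # make a-z mean ASCII lowercase only
export PATH LC_ALL

# Hypothetical helper: print the numeric UID of an account, fail if it is unknown.
lookup_uid() { id -u "$1" 2>/dev/null; }

# validate_target ARGS... returns 0 only if ARGS is one safe, non-UID-0 account name.
validate_target() {
    # Exactly one non-empty argument, so no extra words can reach passwd.
    [ "$#" -eq 1 ] && [ -n "$1" ] || return 64
    # Must start with a letter or "_": a leading "-" would be read as an option.
    case "$1" in
        [a-z_]*) ;;
        *) return 65 ;;
    esac
    # Only characters from a conservative account-name set (assumed local policy).
    case "$1" in
        *[!a-z0-9_.-]*) return 65 ;;
    esac
    # Refuse every account that maps to UID 0, not only the one named "root".
    uid=$(lookup_uid "$1") || return 67
    [ "$uid" -ne 0 ] || return 77
    return 0
}

upasswd_main() {
    validate_target "$@" || {
        rc=$?
        case "$rc" in
            64) echo "Use: upasswd <username>" >&2 ;;
            77) echo "Can't set the password of a UID 0 account" >&2 ;;
            *)  echo "upasswd: invalid or unknown username" >&2 ;;
        esac
        exit "$rc"
    }
    # Absolute path, and -- as in the original script (GNU passwd).
    exec /usr/bin/passwd -- "$1"
}

# Run only under the installed name, so the checks can be sourced and tested.
case "${0##*/}" in
    upasswd) upasswd_main "$@" ;;
esac
```

These checks only constrain what the /usr/bin/upasswd sudoers rule allows: the file has to be owned by root and not writable by anyone else, and any broader sudoers entry still bypasses it, as the quoted reply points out.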


  