<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=Big5" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
Dear All,<br>
<br>
For /usr/bin/upasswd :<br>
<br>
<pre wrap="">
#!/bin/sh

# Validate that a username was given as an argument
[ -n "$1" ] || {
    echo "Use: upasswd &lt;username&gt;" &gt;&amp;2
    exit 64
}

# Validate that the username wasn't "root"
[ "$1" != "root" ] || {
    echo "Can't set the root user's password" &gt;&amp;2
    exit 77
}

# Use -- to make sure that the "username" given wasn't just
# a switch that passwd would interpret.
# THIS ONLY WORKS ON GNU SYSTEMS.
passwd -- "$1"
</pre>
<br>
For visudo :<br>
SYSADM MH = (ALL) /usr/bin/upasswd<br>
<br>
Notice * without the option after "/usr/bin/upasswd"...<br>
<br>
So, the test result is okay now :<br>
<br>
<pre wrap="">
[manager@xxx bin]$ sudo upasswd
Use: upasswd &lt;username&gt;
[manager@xxx bin]$ sudo upasswd root
Can't set the root user's password
[manager@xxx bin]$ sudo upasswd edward
Changing password for user edward.
New UNIX password:
</pre>
<br>
Many thanks for your help !<br>
<br>
* This procedure is good for working on FC9...<br>
<br>
Edward.<br>
<br>
Russell Van Tassell wrote:
<blockquote cite="mid20081119021411.GG1169@fubar.loosenut.com"
type="cite">
<pre wrap="">On Tue, Nov 18, 2008 at 05:18:10PM -0800, Stephen Carville wrote:
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">[Preventing root passwd change using sudo]
</pre>
</blockquote>
<pre wrap="">In truth, Gordon Messmer's suggestion is probably more secure. The only
change I'd make would be to embed the sudo command in the script. Something
like.
[...]
The give sudo permissions something like:
SYSADM MH = (ALL) /usr/bin/passwd -- [A-z0-1]*
</pre>
</blockquote>
<pre wrap=""><!---->
Just "devil's advocate," caveat emptor, buyer beware and all that jazz...
This still doesn't prevent people from doing things such as:
/usr/bin/sudo /usr/bin/sh /usr/bin/passwd
...or other similar "nasty" things (the list is quite huge). This also
presumes, of course, that the "typical" sudoers file allows more than it
prevents/excludes.
</pre>
</blockquote>
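<br>
As an added illustration of the wrapper approach discussed in this thread (this is not Edward's script and not part of the original messages), the variant below refuses the target by UID rather than by the name "root", so any other account that shares UID 0 is refused as well, and it validates the login name before it ever reaches passwd. It assumes a GNU/Linux userland where passwd accepts "--" and id(1) resolves login names; the function names and the exit codes 64/67/77 (usage, unknown user, refused) are this example's own choice.<br>
<br>
```shell
#!/bin/sh
# Added example, not the script from the thread: a wrapper for passwd
# meant to be run under sudo as /usr/bin/upasswd. Assumes a GNU/Linux
# userland (passwd accepts "--", id(1) resolves login names).

# Accept only a plain login name. A leading "-" is refused so the
# argument can never be read as a passwd switch, and the character
# set is the one useradd(8) accepts; A-Za-z here is a literal range
# inside a bracket expression, not a locale-dependent [A-z].
valid_username() {
    case "$1" in
        '' | -*) return 1 ;;
        *[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# Decide whether the target account may be changed. Returns a
# sysexits(3)-style code: 64 bad name, 67 unknown user, 77 UID 0.
# Refusing by UID rather than by the string "root" also catches
# any other account that shares UID 0.
check_target() {
    valid_username "$1" || {
        echo "upasswd: invalid user name" >&2
        return 64
    }
    uid=$(id -u "$1" 2>/dev/null) || {
        echo "upasswd: no such user: $1" >&2
        return 67
    }
    [ "$uid" -ne 0 ] || {
        echo "upasswd: refusing to change a UID 0 account: $1" >&2
        return 77
    }
    return 0
}

upasswd_main() {
    [ $# -eq 1 ] || {
        echo "Use: upasswd USERNAME" >&2
        exit 64
    }
    check_target "$1" || exit $?
    # "--" ends option parsing in GNU passwd; valid_username already
    # rejected names starting with "-", so this is belt and braces.
    exec passwd -- "$1"
}

# Only act when installed/invoked as "upasswd"; under any other name
# the file just defines the functions above (handy for sourcing them).
case "${0##*/}" in
    upasswd) upasswd_main "$@" ;;
esac
```
<br>
Installed as /usr/bin/upasswd it behaves like the original wrapper and the sudoers line stays <code>SYSADM MH = (ALL) /usr/bin/upasswd</code>. It does nothing about Russell's point: if the same sudoers file also grants sh or another interpreter, any wrapper is moot.<br>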
</body>
</html>