[sudo-users] How to disable ( deny ) user to change the password of root

edwardspl at ita.org.mo edwardspl at ita.org.mo
Wed Nov 19 11:22:56 UTC 2008


Michael Schwendt wrote:

>On Wed, 19 Nov 2008 17:17:40 +0800, edwardspl at ita.org.mo wrote:
>
>>Michael Schwendt wrote:
>>
>>>On Tue, 18 Nov 2008 08:36:56 -0800, Gordon Messmer wrote:
>>>
>>>>passwd-wrapper:
>>>>#!/bin/sh
>>>>
>>>># Validate that a username was given as an argument
>>>>[ -n "$1" ] || {
>>>>	echo "Use: passwd-wrapper <username>" >&2
>>>>	exit 64
>>>>}
>>>>
>>>># Validate that the username wasn't "root"
>>>>[ "$1" != "root" ] || {
>>>>	echo "Can't set the root user's password" >&2
>>>>	exit 77
>>>>}
>>>>
>>>># Use -- to make sure that the "username" given wasn't just
>>>># a switch that passwd would interpret.
>>>># THIS ONLY WORKS ON GNU SYSTEMS.
>>>>passwd -- "$1"
>>>>
>>>Don't let users run this via sudo unless you execute tools with
>>>absolute path --> /usr/bin/passwd
>>>      
>>>
>>Hello,
>>
>>Do you mean there is some problem / security issue with this shell script ?
>>    
>>
>It depends on your sudo/sudoers configuration. You can read more about it
>in the manuals. Look out for setenv, env_, SECURE_PATH (and related
>settings).
>  
>
Just the following rule :
SYSADM  MH = (ALL)    /usr/bin/passwd-wrapper

>> BUT, only some special users can run some commands via sudo...
>> eg: System Admin ( manager ) and Support Team...
>

>> It's general advice not to open an attack vector via $PATH when trying to
>> impose restrictions on what those special users may run. Today your sudo
>> configuration may not permit that, but you wouldn't be the first one to
>> switch from sudo to setuid or to alter your sudo config in harmful ways.
>
I think the system admin configures sudo only for some special users ( 
eg: system support team ) for the Server Maintenance...
So, NOT many users can run commands with sudo, right ?

Thanks !

Edward.
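The advice in the thread (call passwd by absolute path, and keep sudo's env_reset / secure_path in place) worked into a wrapper, as an added example that is not Gordon Messmer's script: the fixed PATH, the username syntax check, the extra uid-0 test, exit code 65 and the sudoers Defaults lines are my additions, and the SYSADM/MH alias names are taken from Edward's rule.

```sh
#!/bin/sh
# passwd-wrapper (added example, not the script posted in the thread): lets
# delegated admins run passwd for ordinary accounts, never for root, without
# relying on the caller's $PATH to locate the real passwd binary.
# Constructed sudoers entries it is meant to pair with:
#   Defaults env_reset
#   Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
#   SYSADM  MH = (ALL) /usr/bin/passwd-wrapper

PATH=/usr/bin:/bin; export PATH   # fixed PATH, whatever sudoers passed in
PASSWD=/usr/bin/passwd            # absolute path for the real tool
# Exit codes from sysexits.h, as in the posted script (65 is new here).
EX_USAGE=64; EX_DATAERR=65; EX_NOPERM=77

# validate_target NAME: 0 if NAME is a username this wrapper may act on,
# otherwise one of the codes above.  Names must look like [a-z_][a-z0-9_-]*,
# so a leading '-' can never reach passwd as an option, GNU or not.
validate_target() {
    [ $# -eq 1 ] && [ -n "$1" ] || return "$EX_USAGE"
    case "$1" in
        *[!a-z0-9_-]*) return "$EX_DATAERR" ;;   # disallowed character
        [!a-z_]*)      return "$EX_DATAERR" ;;   # bad first character, incl. '-'
    esac
    [ "$1" != "root" ] || return "$EX_NOPERM"
}

# is_uid_zero NAME: true if NAME exists and is uid 0 under another name;
# unknown names are left for passwd itself to reject.
is_uid_zero() {
    uid=$(id -u "$1" 2>/dev/null) && [ "$uid" -eq 0 ]
}

run_wrapper() {
    validate_target "$@"; rc=$?
    case "$rc" in
        0) ;;
        "$EX_USAGE")   echo "Use: passwd-wrapper <username>" >&2; return "$rc" ;;
        "$EX_DATAERR") echo "Refusing '$1': not a valid username" >&2; return "$rc" ;;
        *)             echo "Can't set the root user's password" >&2; return "$rc" ;;
    esac
    if is_uid_zero "$1"; then
        echo "Refusing '$1': account has uid 0" >&2; return "$EX_NOPERM"
    fi
    "$PASSWD" -- "$1"   # absolute path plus '--': neither $PATH nor $1 can redirect it
}

# Dispatch only when given arguments (sudo always passes the username), so the
# functions above can also be exercised on their own.
[ $# -eq 0 ] || { run_wrapper "$@"; exit $?; }
```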