[sudo-users] How to disable ( deny ) user to change the password of root
Michael Schwendt
mschwendt at gmail.com
Wed Nov 19 09:27:01 UTC 2008
On Wed, 19 Nov 2008 17:17:40 +0800, edwardspl at ita.org.mo wrote:
> Michael Schwendt wrote:
>
> >On Tue, 18 Nov 2008 08:36:56 -0800, Gordon Messmer wrote:
> >
> >
> >
> >>passwd-wrapper:
> >>#!/bin/sh
> >>
> >># Validate that a username was given as an argument
> >>[ -n "$1" ] || {
> >> echo "Use: passwd-wrapper <username>" >&2
> >> exit 64
> >>}
> >>
> >># Validate that the username wasn't "root"
> >>[ "$1" != "root" ] || {
> >> echo "Can't set the root user's password" >&2
> >> exit 77
> >>}
> >>
> >># Use -- to make sure that the "username" given wasn't just
> >># a switch that passwd would interpret.
> >># THIS ONLY WORKS ON GNU SYSTEMS.
> >>passwd -- "$1"
> >>
> >>
> >
> >Don't let users run this via sudo unless you execute tools with
> >absolute path --> /usr/bin/passwd
> >
> >
> >
> Hello,
>
> Do you means there is some problem / security with this shell scripts ?
It depends on your sudo/sudoers configuration. You can read more about it
in the manuals. Look out for setenv, env_, SECURE_PATH (and related
settings).
> BUT, only some of special user who can running some of cmd via sudo...
> eg: System Admin ( manager ) and Support Term...
It's general advise not to open an attack vector via $PATH when trying to
impose restrictions on what those special users may run. Today your sudo
configuration may not permit that, but you wouldn't be the first one to
switch from sudo to setuid or to alter your sudo config in harmful ways.
More information about the fedora-list
mailing list