Re: [sudo-users] How to disable ( deny ) user to change the password of root

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



edwardspl@xxxxxxxxxx wrote:
BUT there is another problem of it ( I think it is a bug of sudo ).....

When you enter "sudo passwd" without the option (eg:userid):

[manager@xxx ~]$ sudo passwd
Changing password for user root.
New UNIX password:

That's not a bug. "sudo" doesn't know what you're trying to do, only whether or not your commands match the patterns in its configuration files. They do, so sudo allows the access.

OH...the user manager who can change root password ?

So, is there any solution for this case of problem ?

Yes, there is. Don't let users execute any of those commands directly. Write shell scripts that validate the commands that you want them to execute, and only allow users to execute those with sudo. For example:

passwd-wrapper:
#!/bin/sh

# Validate that a username was given as an argument
[ -n "$1" ] || {
	echo "Use: passwd-wrapper <username>" >&2
	exit 64
}

# Validate that the username wasn't "root"
[ "$1" != "root" ] || {
	echo "Can't set the root user's password" >&2
	exit 77
}

# Use -- to make sure that the "username" given wasn't just
# a switch that passwd would interpret.
# THIS ONLY WORKS ON GNU SYSTEMS.
passwd -- "$1"

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux