edwardspl@xxxxxxxxxx wrote:
BUT there is another problem of it ( I think it is a bug of sudo ).....
When you enter "sudo passwd" without the option (eg:userid):
[manager@xxx ~]$ sudo passwd
Changing password for user root.
New UNIX password:
That's not a bug. "sudo" doesn't know what you're trying to do, only
whether or not your commands match the patterns in its configuration
files. They do, so sudo allows the access.
OH...the user manager who can change root password ?
So, is there any solution for this case of problem ?
Yes, there is. Don't let users execute any of those commands directly.
Write shell scripts that validate the commands that you want them to
execute, and only allow users to execute those with sudo. For example:
passwd-wrapper:
#!/bin/sh
# Validate that a username was given as an argument
[ -n "$1" ] || {
echo "Use: passwd-wrapper <username>" >&2
exit 64
}
# Validate that the username wasn't "root"
[ "$1" != "root" ] || {
echo "Can't set the root user's password" >&2
exit 77
}
# Use -- to make sure that the "username" given wasn't just
# a switch that passwd would interpret.
# THIS ONLY WORKS ON GNU SYSTEMS.
passwd -- "$1"
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
