Gordon Messmer wrote:

> edwardspl@xxxxxxxxxx wrote:
>
>> BUT there is another problem of it ( I think it is a bug of sudo ).....
>>
>> When you enter "sudo passwd" without the option (eg:userid):
>>
>> [manager@xxx ~]$ sudo passwd
>> Changing password for user root.
>> New UNIX password:
>
> That's not a bug. "sudo" doesn't know what you're trying to do, only
> whether or not your commands match the patterns in its configuration
> files. They do, so sudo allows the access.
>
>> OH...the user manager who can change root password ?
>>
>> So, is there any solution for this case of problem ?
>
> Yes, there is. Don't let users execute any of those commands directly.
> Write shell scripts that validate the commands that you want them to
> execute, and only allow users to execute those with sudo. For example:
>
> passwd-wrapper:
> #!/bin/sh
>
> # Validate that a username was given as an argument
> [ -n "$1" ] || {
>     echo "Use: passwd-wrapper <username>" >&2
>     exit 64
> }
>
> # Validate that the username wasn't "root"
> [ "$1" != "root" ] || {
>     echo "Can't set the root user's password" >&2
>     exit 77
> }
>
> # Use -- to make sure that the "username" given wasn't just
> # a switch that passwd would interpret.
> # THIS ONLY WORKS ON GNU SYSTEMS.
> passwd -- "$1"
>

Hello,

Sorry...
After creating the shell script, how do I use it with sudo?

Thanks!

Edward.
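One way to wire the wrapper into sudo, as an added example that is not part of the original thread and not code from either poster. The install path `/usr/local/sbin/passwd-wrapper`, the sudoers rule in the comments, the `/usr/bin/passwd` path and the file-name guard at the end are assumptions; the existence check and the UID 0 check go beyond the quoted script, which compares only the name "root".

```shell
#!/bin/sh
# passwd-wrapper (added example). Assumed install path, not from the thread:
#   /usr/local/sbin/passwd-wrapper, owned by root, mode 0755.
# Assumed sudoers rule, edited with visudo, replacing any rule that
# lets "manager" run passwd itself:
#   manager ALL = (root) /usr/local/sbin/passwd-wrapper
# The user then runs:  sudo /usr/local/sbin/passwd-wrapper <username>

# check_target NAME: return 0 if NAME may have its password changed,
# otherwise print a reason and return a sysexits-style code.
check_target() {
    # Exactly one non-empty argument
    if [ "$#" -ne 1 ] || [ -z "$1" ]; then
        echo "Use: passwd-wrapper <username>" >&2
        return 64
    fi
    # Refuse anything that could be read as an option
    case "$1" in
        -*) echo "Invalid username: $1" >&2; return 64 ;;
    esac
    # The account must exist; look up its numeric UID
    uid=$(id -u "$1" 2>/dev/null) || {
        echo "No such user: $1" >&2
        return 67
    }
    # Refuse every UID 0 account, whatever its name
    if [ "$uid" -eq 0 ]; then
        echo "Can't set the password of a UID 0 account" >&2
        return 77
    fi
    return 0
}

# Act only when installed under the expected name (assumption), so the
# file can be sourced or tested without calling passwd.
if [ "${0##*/}" = "passwd-wrapper" ]; then
    check_target "$@" || exit "$?"
    exec /usr/bin/passwd -- "$1"
fi
```

Because the sudoers rule names only the wrapper, `sudo passwd` with no argument no longer matches any rule for that user; `sudo -l` run as that user lists what is actually permitted.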