Re: [sudo-users] How to disable ( deny ) user to change the password of root

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, 19 Nov 2008 17:17:40 +0800, edwardspl@xxxxxxxxxx wrote:

> Michael Schwendt wrote:
> 
> >On Tue, 18 Nov 2008 08:36:56 -0800, Gordon Messmer wrote:
> >
> >  
> >
> >>passwd-wrapper:
> >>#!/bin/sh
> >>
> >># Validate that a username was given as an argument
> >>[ -n "$1" ] || {
> >>	echo "Use: passwd-wrapper <username>" >&2
> >>	exit 64
> >>}
> >>
> >># Validate that the username wasn't "root"
> >>[ "$1" != "root" ] || {
> >>	echo "Can't set the root user's password" >&2
> >>	exit 77
> >>}
> >>
> >># Use -- to make sure that the "username" given wasn't just
> >># a switch that passwd would interpret.
> >># THIS ONLY WORKS ON GNU SYSTEMS.
> >>passwd -- "$1"
> >>    
> >>
> >
> >Don't let users run this via sudo unless you execute tools with
> >absolute path --> /usr/bin/passwd  
> >
> >  
> >
> Hello,
> 
> Do you means there is some problem / security with this shell scripts ?

It depends on your sudo/sudoers configuration. You can read more about it
in the manuals. Look out for setenv, env_, SECURE_PATH (and related
settings).

> BUT, only some of special user who can running some of cmd via sudo...
> eg: System Admin ( manager ) and Support Term...

It's general advise not to open an attack vector via $PATH when trying to
impose restrictions on what those special users may run. Today your sudo
configuration may not permit that, but you wouldn't be the first one to
switch from sudo to setuid or to alter your sudo config in harmful ways.

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux