HPE Community
Operating System - HP-UX
1753947 Members
7449 Online
108811 Solutions
New Discussion юеВ

Re: Root Password using SUDO

 
Marylou Kohlmeier
Frequent Advisor

тАО06-04-2009 01:38 PM

тАО06-04-2009 01:38 PM

Root Password using SUDO

Is there a way to prevent sudo users from changing "root" password?

thanks,
Marylou
0 Kudos
Reply
3 REPLIES 3
Steven Schweda
Honored Contributor

тАО06-04-2009 02:11 PM

тАО06-04-2009 02:11 PM

Re: Root Password using SUDO

I don't use it, but I thought that the whole
idea of "sudo" was to let normal users "run
some (or all) commands as root", the
important part of that being "some".

http://www.gratisoft.us/sudo/intro.html

So, the real question would seem to be, "Why
are you letting people use 'sudo' to run
commands (like passwd) which you don't want
them to run?"
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

тАО06-04-2009 02:43 PM

тАО06-04-2009 02:43 PM

Re: Root Password using SUDO

Shalom,

Yes.

Don't give the passwd command via sudo

The passwd command has suid set, that gives them all the power they need to change their own password.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Bill Hassell
Honored Contributor

тАО06-04-2009 04:33 PM

тАО06-04-2009 04:33 PM

Re: Root Password using SUDO

SUDO is very often under-configured. Only the most senior and trustworthy sysadmins are given unrestricted access. The rest of the users are given one or two commands to do their jobs -- no more until a valid justification is made. In heavily secured environments, a written justification and approval process is needed before adding additional commands. SUDO is quite powerful -- you can even restrict the parameters allowed for a specific command. Good security principles will not default (give away) privileges, but instead, start at zero and add a few at a time.


Bill Hassell, sysadmin
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.