topic Re: Execution with ACL in Operating System - HP-UX

Execution with ACL

Henry Llerena — Fri, 09 Jul 2004 15:59:39 GMT

Hi,

Does somebody know if could configure the acl so that could a common user change the password of another using the passwd command ?

Thanks
Henry

Re: Execution with ACL

Cesare Salvioni — Fri, 09 Jul 2004 16:25:31 GMT

No way but having writing right on /etc/passwd .

Re: Execution with ACL

Sundar_7 — Fri, 09 Jul 2004 16:34:44 GMT

Henry,

Nope. ACL cannot be used by a common user to change the password of another user.

/usr/bin/passwd binary already has SUID enabled. It is the checks inside the passwd binary that lets only root to change the password of other users.

You can write a small C program with calls to setuid() and then invoke passwd command.

Sundar

Re: Execution with ACL

Sundar_7 — Fri, 09 Jul 2004 17:41:13 GMT

Try this

root> cat /usr/local/bin/pex.c
#include
#include
main(argc,argv)
int argc;
char *argv[];
{
setuid(0);
execl("/usr/bin/passwd","passwd",argv[1],0);
}
#

# cc /usr/local/bin/pex.c -o /usr/local/bin/passex
#

root> cat /usr/local/bin/passchg.sh
#!/usr/bin/sh
USER=$1
grep -n "$USER$" /etc/NOTALLOWED >/dev/null 2>&1
if [ $? -eq 0 ]
then
echo "You are not allowed to change the password for $USER"
exit 1
fi

/usr/local/bin/passex $USER
root>

root> chmod 4755 /usr/local/bin/passchg.sh

root> cat /etc/NOTALLOWED
root
root>

Remember this is a strict NO-NO in security world :-) but if you have to do it then there is one more way

execute sam with -r option and authorize the user(s) to run only the "Accounts for users and groups" section