topic Re: Password Changes in Operating System - HP-UX

Password Changes

Andy Haigh_1 — Fri, 09 Dec 2005 20:15:13 GMT

I would like to setup a script/program to allow a group of users the ability to change other users passwords. What I was looking at doing was to have a detached program running as root that the users submit the requests to. I have been told that you can't submit pasword change commands from a detached process. Is this true? Is their a better way to do this?

Thanks

Andy

Re: Password Changes

Raj D. — Fri, 09 Dec 2005 20:24:48 GMT

Hi Andy ,

For changing other users password you need root privilege , and you can do this with help of sudo utility .

Sudo is a program designed to allow a sysadmin to give limited root privileges
to users and log root activity. The basic philosophy is to give as few
privileges as possible but still allow people to get their work done.

You can check this link:
http://www.courtesan.com/sudo/

The access rights kept in sudoers file, if you are using sudo.

You can create a group and give access to passwd command . And hope that will do the trick.

Cheers,
Raj.

Re: Password Changes

Andy Haigh_1 — Fri, 09 Dec 2005 20:33:17 GMT

Hi Raj,
There is a twist to the requirements, that I should have explained, this server is shared amongst a number of companies. Therefore we need to be a bit more granular, and only allow certain users the rights to change their users passwords.

Thanks for the heads up on sudo though.

Andy

Re: Password Changes

Sยภเl Kย๓คг — Fri, 09 Dec 2005 20:33:26 GMT

Hi,

As Raj said, implementing sudoers will be right solution for this. You need to download the suoders package and install, as it doesn't come intehrated with the standard HPUX OS.

Then customise /etc/sudoers file, create a user group, include those users in that group(This is not unix gorup-but sudoers group mentioning in the sudoers file iteself) and give lists of commands needed for that user group

Regards,
Sunil

Re: Password Changes

Sivakumar TS — Sat, 10 Dec 2005 02:43:07 GMT

Dear Andy,

I have a HAPPY NEWS for you !

HP-UX RBAC Integration
The HP-UX RBAC feature on HP-UX 11iv2 is an alternative to the traditional "all-or-nothing" root user model, which grants permissions to the root user for all operations, and denies permissions to non-root users for certain operations. HP-UX RBAC allows you to distribute administrative responsibilities by creating appropriate authorizations for HP-UX 11iv2 applications and assigning them to non-root users and groups. The acpm_sa authorization module delivered in HP-UX 11i IdMI A.01.00 allows Select Access to control HP-UX RBAC authorizations based access rights defined in the Select Access Policy Builder GUI.

Checkout this page :

http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=IdMIntegration

Its really good.

With Regards,

Siva.

Re: Password Changes

Andy Haigh_1 — Sat, 10 Dec 2005 02:52:47 GMT

Siva,
Won't this allow a user to change the passwords of all users? I don't want them to be able to do this. I want to allow certain users to be able to change passwords of a subset of users. This is why I was going to use a detached program that I can control this through but I don't believe you can change passwords from within a detached process.

Thanks

Andy

Re: Password Changes

Chan 007 — Sat, 10 Dec 2005 06:44:19 GMT

Andy,

As suggested use sudoers, you can create groups and users. It can be edited and very simply.

Create a menu driven script for user who will change passwd and add his ID to the sudoers. Very simple...

007