topic Re: can sudo users change the root password? in Operating System - HP-UX

can sudo users change the root password?

praveen.. — Fri, 09 Jun 2006 05:57:36 GMT

Hi,
I have added these lines in sudoers files:

User_Alias FULLSUDO = sestj , serab, sebos, seglb, searj, semab, sejos, prkeg

FULLSUDO ALL=(root) NOPASSWD: ALL

please let me know are these users (sestj , serab, sebos, seglb, searj, semab, sejos, prkeg) able to run all the commands including #passwd command (to change the root password)

can they change the root password?

thanks

Re: can sudo users change the root password?

Steven E. Protter — Fri, 09 Jun 2006 06:09:19 GMT

Shalom,

They should not be able to change the root password.

Don't take my word for it.

Log in as root

su - seastj

passwd root

If it lets you do it, modify the configuration.

SEP

Re: can sudo users change the root password?

Matti_Kurkela — Fri, 09 Jun 2006 07:00:22 GMT

Yes they can. You have granted them the permission to assume full root privileges through sudo, so they can do absolutely anything.

There is no technical way on a normal HP-UX to prevent anyone with full root privileges from changing the root password.

Try it out:

# su - sestj
sestj$ sudo -u root /bin/passwd root
or
sestj$ sudo -u root /sbin/passwd root
(changing the root password without prompting for the previous one)

sestj$ sudo -u root vipw
(editing the password file directly)

sestj$ sudo -u root vi /tcb/files/auth/r/root
(editing the Trusted System password file for root, perhaps substituting the password hash with their own, effectively changing the password)

sestj$ sudo -u root -s
(getting a root shell)

Re: can sudo users change the root password?

Darrel Louis — Fri, 09 Jun 2006 07:12:42 GMT

Praveen,

When performing the following you'll need to know the old password:
sudo -u root /bin/passwd root
Changing password for root
Old password:

But when they have sudoall rights, they can change the root passwd via "vi".

Darrel

Re: can sudo users change the root password?

Bill Hassell — Fri, 09 Jun 2006 07:17:12 GMT

Actually, you configured FULLSUDO users to destroy anything on your system including changing the root password. The entry:

FULLSUDO ALL=(root) NOPASSWD: ALL

The word ALL means that every command in the computer can be run by these users (not a good idea at all!). You should explicitly list the allowed commands on that line, and any command that is not listed will not be allowed. In fact, any FULLSUDO user that tries to run a disallowed command will have their failed attempt logged.

Re: can sudo users change the root password?

Marvin Strong — Fri, 09 Jun 2006 12:49:44 GMT

Yes you basicly just gave them the keys to the castle. They can do whatever they want.

I would follow Bill's suggestion and specify every command you want them to have access too.

In the case of them needing the majority of the commands you could also take away commands you don't want them to have access too. How to do this is fully documented in the sudo documentation.

Also be careful when allowing commands, allowing any shell or editor, provides a means to get more access than they may normally be allowed. There are alot of commands that you have to be careful of shells and editors are just a quick example.

Re: can sudo users change the root password?

Rick Garland — Fri, 09 Jun 2006 13:06:09 GMT

If these users can become root on the system via sudo, they can change the root passwd.

In fact, they will have total access just being a root user.