topic Re: Restricting root in Operating System - HP-UX

Restricting root

Global Server Operation — Fri, 16 Nov 2001 02:02:30 GMT

Is there a way to give a user access to just reset another user's password and nothing else? If there is such a way, would this user be able to change root's password?

Re: Restricting root

Sanjay_6 — Fri, 16 Nov 2001 02:12:49 GMT

Hi,

I guess if you give a user rstricted access to change the password he should be able to change the password for root also.

Hope this helps.

Regds

Re: Restricting root

Santosh Nair_1 — Fri, 16 Nov 2001 02:28:49 GMT

You should be able to set up SAM so that the user has restricted access (see the -r option for SAM), i.e. is able to set passwords.

-Santosh

Re: Restricting root

Deepak Extross — Fri, 16 Nov 2001 02:37:34 GMT

I'm not too sure if this is a safe thing to do, but if I had to, I'd write a small wrapper to log the details of the user who invoked it, the time, and the id whose password is attempted to be changed.

Please be aware that providing a facility like this could potentially lead to chaos.
Never underestimate the creativity of your users.

Re: Restricting root

Scott Van Kalken — Fri, 16 Nov 2001 02:48:34 GMT

If you use sam builder

/usr/sbin/sam -r

you can set up a restricted version of sam for a user or a group.

Using a restricted version of sam does not allow you to change the root password, but does allow you to change other passwords (oracle for example).

What I have seen done is a script that uses the passwd command and sudo. This is messy, but it does work. If you use the script option you can have a list of users who are untouchable:

DATE=$(date '+%a %b %d %Y')
FULLDTE=`date`
HOSTNAME=`hostname`
PATH=/bin:/usr/sbin:/opt/sudo/bin:/usr/bin
BOLD=$(tput smso)
NORM=$(tput rmso)
UNTOUCHABLE=/opt/helpdesk/donottouchlist
LOG=/var/adm/helpdesk.log
USERFILE=/etc/passwd

change_pass()
{
read user?"Please enter a username: "
if grep -q $user $UNTOUCHABLE ; then
echo "This user: ${BOLD}$user${NORM} cannot have their password changed."
echo "$FULLDTE \t $LOGNAME \t Illegal ACTION!!!! password change for $user" >> $LOG
echo ; echo
read waiting?"PRESS RETURN TO CONTINUE"
else
sudo -u root /bin/passwd $user
sudo -u root /bin/passwd -f $user
echo "$FULLDTE \t $LOGNAME \t changed password for $user" >> $LOG
fi
}

This does work quite well, but it's a bit messy and requires sudo to be installed.

Scott.

Re: Restricting root

Marco Paganini — Fri, 16 Nov 2001 02:48:36 GMT

Hello,

That is a very dangerous operation. You can try to achieve what you want by using 'sudo'. Sudo is an intelligent suid wrapper. You could wrap 'passwd' and forbid 'passwd root'. However, it's like someone else said: Never underestimate the creativity of your users...

Regards,
Paga

Re: Restricting root

Global Server Operation — Fri, 16 Nov 2001 02:59:07 GMT

i know you can use restricting sam, but the user will be able to add, delete, and modify users. The customer is requesting just to reset passwd. Looks like sudo is a good option, but I worry about the vulnerability of root's shell. If user is creative.....

Re: Restricting root

Marco Paganini — Fri, 16 Nov 2001 03:13:10 GMT

Hello again,

I checked here my /etc/sudoers manpage. You can definitely do what you want. You may allow certain users to user certain commands based on regular expressions. This way, you may allow your users to do 'passwd user' as long as 'user' is not root. You can also block in such a way that no other 'passwd' options will be allowed. Coul d be the solution to your problem.

Regards,
Paga

Re: Restricting root

Darrell Allen — Fri, 16 Nov 2001 03:13:34 GMT

Hello,

I also believe restricted SAM isn't restrictive enough for this instance. I'd go with sudo though you might try a well written, tightly locked down suid script or program. Just be careful because passwd with root priviledges is a powerful tool.

Darrell