topic Re: passwd change.. in Operating System - HP-UX

passwd change..

vas_3 — Mon, 01 Jun 2009 06:46:09 GMT

HI all,

I have one basic question regarding passwd change of users.
How user can use 'passwd' command?.I mean how user are able to change their passwd?.They can't edit the /etc/passwd and /etc/shadow files..

Regards,
Sri.

Re: passwd change..

Dennis Handly — Mon, 01 Jun 2009 06:48:48 GMT

passwd has setuid root and root can change those files.

Re: passwd change..

Sajjad Sahir — Mon, 01 Jun 2009 06:50:51 GMT

Dear vas

no user can't edit that files only superuser
i mean root can do it

thanks and regard

Sajjad Sahir

Re: passwd change..

vas_3 — Mon, 01 Jun 2009 06:55:11 GMT

Hi Sahir,

Users r using 'passwd' cmd for changing the passwd.That means they r indirectly editing the shadow files right.

Regards,
Sri.

Re: passwd change..

avizen9 — Mon, 01 Jun 2009 06:55:37 GMT

Hello,
basically
only root user able to change, however you can assign sudo access to modify /etc/passwd and /etc/shadow files to any non-root user. thanks,

Re: passwd change..

Dennis Handly — Mon, 01 Jun 2009 07:10:27 GMT

>Users are using passwd(1) for changing passwd(4). That means they are indirectly editing the shadow files right?

Yes, but really root is editing those files.

Re: passwd change..

Sajjad Sahir — Mon, 01 Jun 2009 07:46:23 GMT

Dear Vas

Ordinary users can only change passwords corresponding to their login name. If an old password has been established, it is requested from the user. If valid, a new password is obtained. Once the new password is entered, it is determined if the old password has "aged" sufficiently. If password aging is not sufficient, the new password is rejected and passwd terminates.

If password aging and construction requirements are met, the password is re-entered to ensure consistency. If the new copy differs, passwd repeats the new password prompting cycle, at most twice.

A superuser, whose effective user ID is zero, is allowed to change any password and is not forced to comply with password aging. Superusers are not prompted for old passwords, unless they are attempting to change a superuser's password in a trusted system. On untrusted systems, superusers are not forced to comply with password construction requirements. Null passwords can be created by entering a carriage return in response to the prompt for a new password.

For the files (local system) repository, if no /etc/shadow file exists, then the encrypted password is stored in the password field of /etc/passwd. If the /etc/shadow file exists, then the encrypted password is stored there, and an 'x' is added to the password field of /etc/passwd.

Please remember don't allow any non root users to play with /etc/shadow and /etc/passwd files.

thanks and regards

Sajjad Sahir

Re: passwd change..

vas_3 — Mon, 01 Jun 2009 08:10:02 GMT

Sorry..i think i confused you..

I attended one interview in that they asked me this question.

We know that users canot edit /etc/passwd and /etc/shadow files.But by using 'passwd' cmd they can change their password.
is there any background process or deamon for doing this?.
I know that root user can change any user passwd.
Regards,
Sri

Re: passwd change..

Dennis Handly — Mon, 01 Jun 2009 08:26:41 GMT

>But by using passwd cmd they can change their password. is there any background process or deamon for doing this?

As I said above, when you run any setuid root program, you become root and it can edit those files.
The only "demon" might be the NIS process on the NIS server. For "-r nis".

Re: passwd change..

Bill Hassell — Mon, 01 Jun 2009 16:17:31 GMT

> We know that users canot edit /etc/passwd and /etc/shadow files.But by using 'passwd' cmd they can change their password.

More accurately stated: We know users cannot run vi or similar program to edit the /etc/passwd file. But as mentioned, the passwd program is a special program that has elevated permission to perform a very specific task: to modify the passwd file on behalf of the user. This is done through permissions given this program that allow it to be run by anyone but be given permission as if it was run by root -- set user-ID or SUID is the common terminology.

> is there any background process or deamon for doing this?.

No. The program does all the work. There are many programs that are configured this way. For instance, chsh allows you to change your shell in the passwd file -- the ll command will show programs that have set userID with the letter "s" in the permissions:

-r-sr-xr-x 5 root bin 53248 Apr 27 2007 chsh

This is standard Unix behavior to allow special privileges with certain commands. Some of the details are shown in the man page for ls.

Re: passwd change..

vas_3 — Tue, 02 Jun 2009 03:40:41 GMT

Thanks for your help.

Regards,
Srinu.