https://community.hpe.com/t5/operating-system-hp-ux/using-sudo-with-passwd/m-p/3083876#M811301 I have a strange problem after restricting passwd to root only.<BR /><BR />I locked the passwd command so only root can use it and I granted sudo to a few application users who have a nologin login shell... so that they can change the applicaiton password with out me doing it. by loging in as themselves then su over to the oracle user with password.<BR /><BR />However, when they use sudo, IF they only type "sudo passwd", It allows them to change the ROOT PASSWD... and instead of the oracle<BR /><BR />They must use "sudo passwd oracle", in order to change the oracle passwd and not the root passwd.<BR /><BR />Here is my question.... Is there a way to give them the passwd command and or prevent sudo from allowing them to change the root passwd?<BR /><BR /><BR /> Thu, 02 Oct 2003 09:43:55 GMT Todd McDaniel_1 2003-10-02T09:43:55Z https://community.hpe.com/t5/operating-system-hp-ux/using-sudo-with-passwd/m-p/3083876#M811301 I have a strange problem after restricting passwd to root only.<BR /><BR />I locked the passwd command so only root can use it and I granted sudo to a few application users who have a nologin login shell... so that they can change the applicaiton password with out me doing it. by loging in as themselves then su over to the oracle user with password.<BR /><BR />However, when they use sudo, IF they only type "sudo passwd", It allows them to change the ROOT PASSWD... and instead of the oracle<BR /><BR />They must use "sudo passwd oracle", in order to change the oracle passwd and not the root passwd.<BR /><BR />Here is my question.... Is there a way to give them the passwd command and or prevent sudo from allowing them to change the root passwd?<BR /><BR /><BR /> Thu, 02 Oct 2003 09:43:55 GMT https://community.hpe.com/t5/operating-system-hp-ux/using-sudo-with-passwd/m-p/3083876#M811301 Todd McDaniel_1 2003-10-02T09:43:55Z https://community.hpe.com/t5/operating-system-hp-ux/using-sudo-with-passwd/m-p/3083877#M811302 Yes. Simply add 'oracle' onto the passwd command.<BR /> <BR />So for the user group the command would be<BR /> <BR />passwd oracle<BR /> <BR />This will then restrict them to running passwd only with oracle as an argument.<BR /> <BR />Check out the sudoers man page for more info on restricting by command args.<BR /> <BR />HTH. Thu, 02 Oct 2003 09:47:12 GMT https://community.hpe.com/t5/operating-system-hp-ux/using-sudo-with-passwd/m-p/3083877#M811302 Brian Bergstrand 2003-10-02T09:47:12Z https://community.hpe.com/t5/operating-system-hp-ux/using-sudo-with-passwd/m-p/3083878#M811303 Are you saying that in the /etc/sudoers file that I make it say?<BR /> <BR /> <BR /><BR /><BR />oracle ALL=(ALL) NOPASSWD:/usr/bin/passwd oracle<BR /> <BR /> <BR /><BR /><BR /><BR /><BR />So that they must enter this complete line in order for sudo to work for them? Thu, 02 Oct 2003 09:51:38 GMT https://community.hpe.com/t5/operating-system-hp-ux/using-sudo-with-passwd/m-p/3083878#M811303 Todd McDaniel_1 2003-10-02T09:51:38Z https://community.hpe.com/t5/operating-system-hp-ux/using-sudo-with-passwd/m-p/3083879#M811304 I have few doubts.<BR />If those few users have a nologin login shell, how they are entering into the system. If there is no valid shell how can they run the su command itself.<BR /><BR />sudo allows users to run certain commands as root. So obviously passwd is being run as root and the root passwd is changed. So, you have to change the sudoers file as you have mentioned only.<BR /><BR />HTH,<BR />Umapathy Thu, 02 Oct 2003 09:59:45 GMT https://community.hpe.com/t5/operating-system-hp-ux/using-sudo-with-passwd/m-p/3083879#M811304 Umapathy S 2003-10-02T09:59:45Z https://community.hpe.com/t5/operating-system-hp-ux/using-sudo-with-passwd/m-p/3083880#M811305 Yes. 'man sudoers' describes the exact details as I'm just going from memory. But I think that is all you need. If they enter just 'passwd' or 'passwd root' or 'passwd joe' sudo will deny them access.<BR /><BR />HTH. Thu, 02 Oct 2003 10:00:29 GMT https://community.hpe.com/t5/operating-system-hp-ux/using-sudo-with-passwd/m-p/3083880#M811305 Brian Bergstrand 2003-10-02T10:00:29Z https://community.hpe.com/t5/operating-system-hp-ux/using-sudo-with-passwd/m-p/3083881#M811306 I may have misspoke...<BR /><BR />The users login as themselves with SecurID login then with password over to Oracle...nologin is so that oracle can't be logged in directly.<BR /><BR />Thanks for the help. Thu, 02 Oct 2003 10:02:07 GMT https://community.hpe.com/t5/operating-system-hp-ux/using-sudo-with-passwd/m-p/3083881#M811306 Todd McDaniel_1 2003-10-02T10:02:07Z