topic Permissions on passwd command in Operating System - HP-UX

Permissions on passwd command

Stéphane Gauthier — Mon, 27 Aug 2001 17:23:37 GMT

Hi folks,
My guys need to use the passwd command whitout root account. I try to make a shell script, a C script and set the sticky bit. But I got every time Permission denied. I don't want to use sudo or restricted sam. My guys need to operate at the command line. thanks!

Re: Permissions on passwd command

Christopher McCray_1 — Mon, 27 Aug 2001 17:28:33 GMT

Are you trying to give your people the ability to change other peoples accounts? root?

Re: Permissions on passwd command

Mark Vollmers — Mon, 27 Aug 2001 18:28:39 GMT

Dominic-

You should always be able to run the passwd command from the prompt for your account (If I am logged in, I can always run it to change my password). If you can't run it, then the permissions on it must have been changed so that all users cannot execute it. The permissions on /bin/passwd should be r-sr-xr-x

Mark

Re: Permissions on passwd command

Stéphane Gauthier — Mon, 27 Aug 2001 18:35:01 GMT

Mark,

I can change my password with the command passwd, but I'm not able to change the password for other account ; That's what I need.

Re: Permissions on passwd command

linuxfan — Mon, 27 Aug 2001 19:06:49 GMT

Hi Dominic,

Only root can change a user's password without knowing the old password. If you want a user to be able to change another user's password without knowing the old password, you will have to use something like sudo without having to give away root's password.

-Ramesh

Re: Permissions on passwd command

Mark Vollmers — Mon, 27 Aug 2001 19:27:50 GMT

The only way that I can think of would be to write a script that would su to root and run the passwd command. You would have to write in the root password in the file, which can have it's own problems. A downside to this is that giving your users the ability to change each others password also means that they can change the root password. It also seems like a huge security issue to have them able to change each others. Why exactly are you doing this (file permissions, etc)?

Mark

Re: Permissions on passwd command

James R. Ferguson — Mon, 27 Aug 2001 19:50:53 GMT

Hi Dominic:

First, it is the 'setuid' bit, not the 'sticky' bit that is set for the 'passwd' executable. Since 'passwd' is owned by root, when run it runs *as* root.

The issue with 'passwd' or any wrapper that you would surround it with, is that 'passwd' calls 'getlogin()' to retrieve the name of the user currently logged in on the terminal associated with the calling process.

The rules of engagement for 'passwd' is that you must be the root user to change the password of other than your own account.

Beyond that, it would be a gross security risk to allow anyone other than root to change passwords of accounts.

Regards!

...JRF...

Re: Permissions on passwd command

Bill Thorsteinson — Mon, 27 Aug 2001 21:00:38 GMT

If you really want to allow users to do something
like this, and I agree that it can be a gapping security
hole, try suidperl. It does a lot of environment
cleaning to help redude the risk of suid scripts.

I assume this is for a support group that you want
this functionality. Using sudo is much simpler, but
won't give you the flexibility you can build into a script.
Design and test the script carefully. This can be a
major security hole if you don't get it right.

A few things the script should do:
- Prevent changing the root password, and that
of users of this utility.. (Should
problably limit password changes to users
in a limited number of groups like users)
- Limit who can run the script. (Check for users
in a specific list or members of a specific group.)
- Log all password changes, but not the passwords.
(who, when, what, your uses shouldn't be able
to change the log file.)
- If you have multiple user groups you might
want to allow authorized users to change passwords
for other members of their group.

Re: Permissions on passwd command

Stéphane Gauthier — Tue, 28 Aug 2001 11:51:21 GMT

Hi Bill,

Yes, This is for the support group, not for all users...

Thank you everybody for your help, I will install sudo. That the most safety way!

Regards,

Dominic