
Re: passwd change..

 
vas_3
Advisor

passwd change..

Hi all,

I have one basic question regarding passwd change of users.
How can a user use the 'passwd' command? I mean, how are users able to change their passwd? They can't edit the /etc/passwd and /etc/shadow files.

Regards,
Sri.
10 REPLIES 10
Dennis Handly
Acclaimed Contributor

Re: passwd change..

passwd has setuid root and root can change those files.
Sajjad Sahir
Honored Contributor

Re: passwd change..

Dear vas

No, users can't edit those files; only the superuser, I mean root, can do it.

Thanks and regards

Sajjad Sahir
vas_3
Advisor

Re: passwd change..

Hi Sahir,

Users are using the 'passwd' cmd for changing the passwd. That means they are indirectly editing the shadow files, right?

Regards,
Sri.
avizen9
Esteemed Contributor

Re: passwd change..

Hello,

Basically, only the root user is able to change them; however, you can assign sudo access to modify the /etc/passwd and /etc/shadow files to any non-root user.

Thanks,
Dennis Handly
Acclaimed Contributor

Re: passwd change..

>Users are using passwd(1) for changing passwd(4). That means they are indirectly editing the shadow files right?

Yes, but really root is editing those files.
Sajjad Sahir
Honored Contributor

Re: passwd change..

Dear Vas

Ordinary users can only change passwords corresponding to their login name. If an old password has been established, it is requested from the user. If valid, a new password is obtained. Once the new password is entered, it is determined if the old password has "aged" sufficiently. If password aging is not sufficient, the new password is rejected and passwd terminates.

If password aging and construction requirements are met, the password is re-entered to ensure consistency. If the new copy differs, passwd repeats the new password prompting cycle, at most twice.

A superuser, whose effective user ID is zero, is allowed to change any password and is not forced to comply with password aging. Superusers are not prompted for old passwords, unless they are attempting to change a superuser's password in a trusted system. On untrusted systems, superusers are not forced to comply with password construction requirements. Null passwords can be created by entering a carriage return in response to the prompt for a new password.

For the files (local system) repository, if no /etc/shadow file exists, then the encrypted password is stored in the password field of /etc/passwd. If the /etc/shadow file exists, then the encrypted password is stored there, and an 'x' is added to the password field of /etc/passwd.

Please remember: don't allow any non-root users to play with the /etc/shadow and /etc/passwd files.

Thanks and regards

Sajjad Sahir

vas_3
Advisor

Re: passwd change..

Sorry, I think I confused you.

I attended an interview in which they asked me this question.

We know that users cannot edit the /etc/passwd and /etc/shadow files. But by using the 'passwd' cmd they can change their password.
Is there any background process or daemon for doing this?
I know that the root user can change any user's passwd.
Regards,
Sri
Dennis Handly
Acclaimed Contributor

Re: passwd change..

>But by using passwd cmd they can change their password. Is there any background process or daemon for doing this?

As I said above, when you run any setuid root program, you become root and it can edit those files.
The only "demon" might be the NIS process on the NIS server. For "-r nis".
Bill Hassell
Honored Contributor

Re: passwd change..

> We know that users cannot edit /etc/passwd and /etc/shadow files. But by using 'passwd' cmd they can change their password.

More accurately stated: We know users cannot run vi or a similar program to edit the /etc/passwd file. But as mentioned, the passwd program is a special program that has elevated permission to perform a very specific task: to modify the passwd file on behalf of the user. This is done through permissions given to this program that allow it to be run by anyone but be given permission as if it was run by root -- set user-ID or SUID is the common terminology.

> Is there any background process or daemon for doing this?

No. The program does all the work. There are many programs that are configured this way. For instance, chsh allows you to change your shell in the passwd file -- the ll command will show programs that have set userID with the letter "s" in the permissions:

-r-sr-xr-x 5 root bin 53248 Apr 27 2007 chsh

This is standard Unix behavior to allow special privileges with certain commands. Some of the details are shown in the man page for ls.


Bill Hassell, sysadmin
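
The set user-ID bit described in this thread can be inventoried on a system. The following is an added example, not part of the original posts: it reads the permission string from an `ll` / `ls -l` line such as the chsh line above and walks a directory tree for files carrying the bit. The function names are hypothetical, and the line parser assumes the usual `ls -l` layout (owner in the third field, file name without spaces).

```python
import os
import stat

def classify_mode(mode_str):
    """Interpret the 10-character permission string printed by ls -l / ll."""
    owner_x, group_x = mode_str[3], mode_str[6]
    return {
        "setuid": owner_x in "sS",
        "setgid": group_x in "sS",
        # Capital S means the bit is set but execute is not, so the
        # program does not actually run with the owner's/group's identity.
        "effective": owner_x == "s" or group_x == "s",
    }

def parse_ll_line(line):
    """Pull the fields an audit cares about out of one ls -l line."""
    fields = line.split()
    info = classify_mode(fields[0])
    info.update(owner=fields[2], group=fields[3], name=fields[-1])
    # Runs with root's effective UID only if setuid+execute and owned by root.
    info["runs_as_root"] = fields[0][3] == "s" and info["owner"] == "root"
    return info

def find_setuid(top):
    """List regular files under top that carry the setuid or setgid bit."""
    hits = []
    for dirpath, _dirs, files in os.walk(top):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # unreadable or vanished entry, skip it
            special = st.st_mode & (stat.S_ISUID | stat.S_ISGID)
            if stat.S_ISREG(st.st_mode) and special:
                hits.append((path, st.st_uid, stat.filemode(st.st_mode)))
    return sorted(hits)

if __name__ == "__main__":
    # The chsh line quoted in the thread
    sample = "-r-sr-xr-x 5 root bin 53248 Apr 27 2007 chsh"
    print(parse_ll_line(sample))
    # /usr/bin is an assumed starting point; adjust for the system audited
    for path, uid, mode in find_setuid("/usr/bin"):
        print(mode, uid, path)
```

Comparing the output of `find_setuid` against a saved baseline shows when a new setuid program has appeared on the system.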