Operating System - HP-UX
1748276 Members
4005 Online
108761 Solutions
New Discussion

sudoer question - trying to set user to only be allowed to issue one command

 
John Jimenez
Super Advisor

sudoer question - trying to set user to only be allowed to issue one command

I only want to script and give a user the ability to reset  passwords of other users.   I am testing with a simple script which run only two passwd commands to reset user2.

 

Of course when I set sodoers up the script the simple script works.

user1        ALL=NOPASSWD: ALL

 

But I do not want to leave it set up as ALL

 

But  when I set  up sodoers  like this, the simple script  prompts for user2 password.     Can anyone see what else needs to be changed to allow someone not to get prompted for password when changes another user with the passwd command?

Helpless        ALL=NOPASSWD: /sbin/passwd

 

 

Hustle Makes things happen
2 REPLIES 2
ManojK_1
Valued Contributor

Re: sudoer question - trying to set user to only be allowed to issue one command

Hi,

I have replied to your similar type question in an another thread.
You can configure RBAC (Role Based Access Control) for achieving this.

Thanks and Regards,
Manoj K
Thanks and Regards,
Manoj K
Matti_Kurkela
Honored Contributor

Re: sudoer question - trying to set user to only be allowed to issue one command

For the NOPASSWD: to work, the command pathname must match exactly to the command that actually gets used.

 

/sbin/passwd is a simplified, statically linked version for single-user mode and other rescue situations, while /usr/bin/passwd is the one with the full functionality.

 

If your script specifies the command simply as "sudo passwd" with no pathname, the default PATH setting will cause the system to use /usr/bin/passwd instead of /sbin/passwd. You can confirm this by looking at the log messages sudo is producing (normally in /var/adm/syslog/syslog.log).

 

Change your sudoers line to:

user1 ALL=NOPASSWD: /usr/bin/passwd

... and try again.

 

Of course RBAC is a valid solution too, but I think it is important to understand what was wrong with your original attempt.

MK