HPE Community
Operating System - HP-UX
1829553 Members
2076 Online
109992 Solutions
New Discussion

Re: can sudo users change the root password?

 
praveen..
Super Advisor

‎06-08-2006 10:57 PM

‎06-08-2006 10:57 PM

can sudo users change the root password?

Hi,
I have added these lines in sudoers files:

User_Alias FULLSUDO = sestj , serab, sebos, seglb, searj, semab, sejos, prkeg

FULLSUDO ALL=(root) NOPASSWD: ALL

please let me know are these users (sestj , serab, sebos, seglb, searj, semab, sejos, prkeg) able to run all the commands including #passwd command (to change the root password)

can they change the root password?

thanks
0 Kudos
Reply
6 REPLIES 6
Steven E. Protter
Exalted Contributor

‎06-08-2006 11:09 PM

‎06-08-2006 11:09 PM

Re: can sudo users change the root password?

Shalom,

They should not be able to change the root password.

Don't take my word for it.

Log in as root

su - seastj

passwd root

If it lets you do it, modify the configuration.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Matti_Kurkela
Honored Contributor

‎06-09-2006 12:00 AM

‎06-09-2006 12:00 AM

Re: can sudo users change the root password?

Yes they can. You have granted them the permission to assume full root privileges through sudo, so they can do absolutely anything.

There is no technical way on a normal HP-UX to prevent anyone with full root privileges from changing the root password.

Try it out:

# su - sestj
sestj$ sudo -u root /bin/passwd root
or
sestj$ sudo -u root /sbin/passwd root
(changing the root password without prompting for the previous one)

sestj$ sudo -u root vipw
(editing the password file directly)

sestj$ sudo -u root vi /tcb/files/auth/r/root
(editing the Trusted System password file for root, perhaps substituting the password hash with their own, effectively changing the password)

sestj$ sudo -u root -s
(getting a root shell)
MK
0 Kudos
Reply
Darrel Louis
Honored Contributor

‎06-09-2006 12:12 AM

‎06-09-2006 12:12 AM

Re: can sudo users change the root password?

Praveen,

When performing the following you'll need to know the old password:
sudo -u root /bin/passwd root
Changing password for root
Old password:

But when they have sudoall rights, they can change the root passwd via "vi".

Darrel
0 Kudos
Reply
Bill Hassell
Honored Contributor

‎06-09-2006 12:17 AM

‎06-09-2006 12:17 AM

Re: can sudo users change the root password?

Actually, you configured FULLSUDO users to destroy anything on your system including changing the root password. The entry:

FULLSUDO ALL=(root) NOPASSWD: ALL

The word ALL means that every command in the computer can be run by these users (not a good idea at all!). You should explicitly list the allowed commands on that line, and any command that is not listed will not be allowed. In fact, any FULLSUDO user that tries to run a disallowed command will have their failed attempt logged.


Bill Hassell, sysadmin
0 Kudos
Reply
Marvin Strong
Honored Contributor

‎06-09-2006 05:49 AM

‎06-09-2006 05:49 AM

Re: can sudo users change the root password?

Yes you basicly just gave them the keys to the castle. They can do whatever they want.

I would follow Bill's suggestion and specify every command you want them to have access too.

In the case of them needing the majority of the commands you could also take away commands you don't want them to have access too. How to do this is fully documented in the sudo documentation.

Also be careful when allowing commands, allowing any shell or editor, provides a means to get more access than they may normally be allowed. There are alot of commands that you have to be careful of shells and editors are just a quick example.



0 Kudos
Reply
Rick Garland
Honored Contributor

‎06-09-2006 06:06 AM

‎06-09-2006 06:06 AM

Re: can sudo users change the root password?

If these users can become root on the system via sudo, they can change the root passwd.

In fact, they will have total access just being a root user.

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.