
Execution with ACL

 
Henry Llerena
Occasional Contributor

Execution with ACL

Hi,

Does somebody know if the ACL could be configured so that a common user could change the password of another user using the passwd command?

Thanks
Henry
3 REPLIES
Cesare Salvioni
Trusted Contributor

Re: Execution with ACL

No way, other than having write permission on /etc/passwd.
Sundar_7
Honored Contributor
Solution

Re: Execution with ACL

Henry,

Nope. ACL cannot be used by a common user to change the password of another user.

The /usr/bin/passwd binary already has SUID enabled. It is the checks inside the passwd binary that let only root change the password of other users.

You can write a small C program that calls setuid() and then invokes the passwd command.

Sundar
Learn What to do, How to do and more importantly When to do?
Sundar_7
Honored Contributor

Re: Execution with ACL

Try this

root> cat /usr/local/bin/pex.c
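#include <stdio.h>
#include <unistd.h>

/* Become root, then run passwd for the user named in argv[1]. */
int main(int argc, char *argv[])
{
    if (argc != 2) {   /* require exactly one user name */
        fprintf(stderr, "usage: %s user\n", argv[0]);
        return 1;
    }
    setuid(0);
    execl("/usr/bin/passwd", "passwd", argv[1], (char *)0);
    perror("execl");   /* reached only if exec failed */
    return 1;
}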
#

# cc /usr/local/bin/pex.c -o /usr/local/bin/passex
#

root> cat /usr/local/bin/passchg.sh
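#!/usr/bin/sh
USER=$1
if [ -z "$USER" ]
then
echo "usage: $0 user"
exit 1
fi
# refuse when the name matches a whole line of the deny list
grep -Fx -e "$USER" /etc/NOTALLOWED >/dev/null 2>&1
if [ $? -eq 0 ]
then
echo "You are not allowed to change the password for $USER"
exit 1
fi

/usr/local/bin/passex "$USER"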
root>

root> chmod 4755 /usr/local/bin/passchg.sh

root> cat /etc/NOTALLOWED
root
root>

Remember, this is a strict NO-NO in the security world :-) but if you have to do it, then there is one more way:

Execute sam with the -r option and authorize the user(s) to run only the "Accounts for users and groups" section.
Learn What to do, How to do and more importantly When to do?
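
A hardened variant of the setuid wrapper from the reply above, as an added example that is not part of the original posts: it validates the account name and refuses system accounts inside the C program itself instead of relying on a shell script in front of it. The helper names `name_is_safe` and `may_change`, the accepted character set and the `MIN_UID` threshold of 100 are assumptions made for illustration.

```c
/* Added example; helper names and MIN_UID are assumptions, not the poster's code. */
#include <ctype.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MIN_UID 100   /* assumption: accounts below this UID are system accounts */

/* Accept only plain account names: no options, spaces or shell metacharacters. */
int name_is_safe(const char *name)
{
    size_t i, len = name ? strlen(name) : 0;
    if (len == 0 || len > 32 || name[0] == '-')
        return 0;
    for (i = 0; i < len; i++)
        if (!isalnum((unsigned char)name[i]) && name[i] != '_' && name[i] != '-' && name[i] != '.')
            return 0;
    return 1;
}

/* Decide on the resolved account, not on the string: this also covers
   any second account that shares UID 0 with root. */
int may_change(const char *name)
{
    struct passwd *pw;
    if (!name_is_safe(name))
        return 0;
    pw = getpwnam(name);
    return pw != NULL && pw->pw_uid >= MIN_UID;
}

int main(int argc, char *argv[])
{
    char *const env[] = { "PATH=/usr/bin", NULL };  /* fixed environment for passwd */

    if (argc != 2 || !may_change(argv[1])) {
        fprintf(stderr, "usage: %s user (system accounts are refused)\n", argv[0]);
        return 1;
    }
    if (setuid(0) != 0) {             /* fails unless the binary is setuid root */
        perror("setuid");
        return 1;
    }
    execle("/usr/bin/passwd", "passwd", argv[1], (char *)0, env);
    perror("execle");                 /* reached only if exec failed */
    return 127;
}
```

Installed as a root-owned binary with mode 4750 and a dedicated group, only members of that group can run it.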