HPE Community
Operating System - HP-UX
1831635 Members
1676 Online
110027 Solutions
New Discussion

Forbit to change root's PW with sudo

 
Thamm
Occasional Advisor

‎08-26-2003 10:28 PM

‎08-26-2003 10:28 PM

Forbit to change root's PW with sudo

Hi,
we have started to introduce sudo on our servers.
We are using the strategy to give every group of sudo users "ALL" permissions and dissallow some commands.

Here is an extract of the sudoers-file to make this way clear:

User_Alias TEAM1=%team1
.
.
.
Cmnd_Alias SHUTDOWN=/usr/sbin/shutdown,/sbin/shutdown
.
.
.
TEAM1 ALL=ALL,!SHUTDOWN

Now I would allow/disallow some sudo-groups:
to change the passwort of all users but not the passwort of the root user by using the "passwd" command.

Do you have suggestions how to do this?

Thanks in advance,

Stefan.
0 Kudos
Reply
2 REPLIES 2
Chris Wilshaw
Honored Contributor

‎08-26-2003 11:56 PM

‎08-26-2003 11:56 PM

Re: Forbit to change root's PW with sudo

You'd need to write a wrapper script to call the passwd command in order to validate the ID before trying to apply the change

eg:

#!/usr/bin/sh

ID=$1

if [ "$ID" = "root" ]
then
echo "You are not authorised to change the password for this ID".
exit 1
fi

passwd $ID

0 Kudos
Reply
Michael Tully
Honored Contributor

‎08-27-2003 12:15 AM

‎08-27-2003 12:15 AM

Re: Forbit to change root's PW with sudo

I think the best method (sticking with sudo) is differntiate the groups of people. Have a look at the examples here and see what you think. You can restrict doing this directly from the sudoers file.

http://www.courtesan.com/sudo/man/sudoers.html#examples
Anyone for a Mutiny ?
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.