Operating System - HP-UX

Permissions on passwd command

 

Hi folks,
My guys need to use the passwd command without the root account. I tried making a shell script and a C script and setting the sticky bit, but every time I got Permission denied. I don't want to use sudo or restricted sam. My guys need to operate at the command line. Thanks!
Christopher McCray_1
Honored Contributor

Re: Permissions on passwd command

Are you trying to give your people the ability to change other people's accounts? root?
It wasn't me!!!!
Mark Vollmers
Esteemed Contributor

Re: Permissions on passwd command

Dominic-

You should always be able to run the passwd command from the prompt for your account (If I am logged in, I can always run it to change my password). If you can't run it, then the permissions on it must have been changed so that all users cannot execute it. The permissions on /bin/passwd should be r-sr-xr-x

Mark
"We apologize for the inconvenience" -God's last message to all creation, from Douglas Adams "So Long and Thanks for all the Fish"

Re: Permissions on passwd command

Mark,

I can change my password with the command passwd, but I'm not able to change the password for other accounts; that's what I need.
linuxfan
Honored Contributor

Re: Permissions on passwd command

Hi Dominic,

Only root can change a user's password without knowing the old password. If you want a user to be able to change another user's password without knowing the old password, you will have to use something like sudo without having to give away root's password.

-Ramesh
They think they know but don't. At least I know I don't know - Socrates
Mark Vollmers
Esteemed Contributor

Re: Permissions on passwd command

The only way that I can think of would be to write a script that would su to root and run the passwd command. You would have to write in the root password in the file, which can have its own problems. A downside to this is that giving your users the ability to change each other's password also means that they can change the root password. It also seems like a huge security issue to have them able to change each other's. Why exactly are you doing this (file permissions, etc)?

Mark
"We apologize for the inconvenience" -God's last message to all creation, from Douglas Adams "So Long and Thanks for all the Fish"
James R. Ferguson
Acclaimed Contributor

Re: Permissions on passwd command

Hi Dominic:

First, it is the 'setuid' bit, not the 'sticky' bit that is set for the 'passwd' executable. Since 'passwd' is owned by root, when run it runs *as* root.

The issue with 'passwd' or any wrapper that you would surround it with, is that 'passwd' calls 'getlogin()' to retrieve the name of the user currently logged in on the terminal associated with the calling process.

The rules of engagement for 'passwd' are that you must be the root user to change the password of other than your own account.

Beyond that, it would be a gross security risk to allow anyone other than root to change passwords of accounts.

Regards!

...JRF...
Bill Thorsteinson
Honored Contributor
Solution

Re: Permissions on passwd command

If you really want to allow users to do something like this, and I agree that it can be a gaping security hole, try suidperl. It does a lot of environment cleaning to help reduce the risk of suid scripts.

I assume this is for a support group that you want this functionality. Using sudo is much simpler, but won't give you the flexibility you can build into a script. Design and test the script carefully. This can be a major security hole if you don't get it right.

A few things the script should do:
- Prevent changing the root password, and that of users of this utility. (Should probably limit password changes to users in a limited number of groups like users)
- Limit who can run the script. (Check for users in a specific list or members of a specific group.)
- Log all password changes, but not the passwords. (who, when, what, your users shouldn't be able to change the log file.)
- If you have multiple user groups you might want to allow authorized users to change passwords for other members of their group.
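
The checks listed in the post above, sketched as a POSIX shell helper meant to be run as root through sudo (an added example, not code from the thread or from any poster). The group names `support` and `users`, the log path `/var/adm/pwreset.log` and the install name `pwreset` are assumptions, and only the local `/etc/passwd` and `/etc/group` files are consulted.

```shell
#!/bin/sh
# Added example: policy checks for a delegated password-reset helper.
# Assumed names (not from the thread): groups "support" and "users",
# log path /var/adm/pwreset.log, install name "pwreset". Run as root via sudo.
PASSWD_FILE=${PASSWD_FILE:-/etc/passwd}
GROUP_FILE=${GROUP_FILE:-/etc/group}
OPERATOR_GROUP=${OPERATOR_GROUP:-support}
TARGET_GROUP=${TARGET_GROUP:-users}
LOG_FILE=${LOG_FILE:-/var/adm/pwreset.log}

# in_group USER GROUP: true if GROUP is USER's primary or secondary group.
in_group() {
    gid=$(awk -F: -v g="$2" '$1 == g { print $3; exit }' "$GROUP_FILE")
    [ -n "$gid" ] || return 1
    awk -F: -v u="$1" -v gid="$gid" '$1 == u && $4 == gid { f = 1 } END { exit !f }' "$PASSWD_FILE" && return 0
    awk -F: -v u="$1" -v g="$2" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) f = 1 } END { exit !f }' "$GROUP_FILE"
}

# may_reset CALLER TARGET: apply the rules listed in the post above.
may_reset() {
    caller=$1 target=$2
    # Reject empty, option-like or oddly spelled names before they reach passwd.
    case $target in ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    uid=$(awk -F: -v u="$target" '$1 == u { print $3; exit }' "$PASSWD_FILE")
    [ -n "$uid" ] || return 1                          # target must exist locally
    [ "$uid" -ne 0 ] || return 1                       # never root or any other UID 0 name
    in_group "$caller" "$OPERATOR_GROUP" || return 1   # caller must be an operator
    in_group "$target" "$OPERATOR_GROUP" && return 1   # operators cannot reset each other
    in_group "$target" "$TARGET_GROUP"                 # target must be in the allowed group
}

# main: log who/when/what and the decision (never the password), then run passwd.
main() {
    caller=${SUDO_USER:?must be run through sudo} target=${1-}
    if may_reset "$caller" "$target"; then verdict=ALLOW; else verdict=DENY; fi
    printf '%s %s target=%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$caller" "$target" "$verdict" >>"$LOG_FILE"
    [ "$verdict" = ALLOW ] || { echo "not permitted" >&2; exit 1; }
    exec /bin/passwd "$target"
}
# Run main only when executed under the assumed install name, so the file can be sourced.
case ${0##*/} in pwreset) main "$@" ;; esac
```

The log file and the script itself need to be owned by root and not writable by the operators, otherwise the who/when/what record and the checks can be altered by the people they constrain.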

Re: Permissions on passwd command

Hi Bill,

Yes, this is for the support group, not for all users...

Thank you everybody for your help, I will install sudo. That's the safest way!

Regards,

Dominic