Restricting root

SOLVED

Global Server Operation
Frequent Advisor

Restricting root
Is there a way to give a user access to just reset another user's password and nothing else? If there is such a way, would this user be able to change root's password?
8 REPLIES
Sanjay_6
Honored Contributor

Re: Restricting root

Hi,

I guess if you give a user restricted access to change the password he should be able to change the password for root also.

Hope this helps.

Regds
Santosh Nair_1
Honored Contributor

Re: Restricting root

You should be able to set up SAM so that the user has restricted access (see the -r option for SAM), i.e. is able to set passwords.

-Santosh
Life is what's happening while you're busy making other plans
Deepak Extross
Honored Contributor

Re: Restricting root

I'm not too sure if this is a safe thing to do, but if I had to, I'd write a small wrapper to log the details of the user who invoked it, the time, and the id whose password is attempted to be changed.

Please be aware that providing a facility like this could potentially lead to chaos.
Never underestimate the creativity of your users.
Scott Van Kalken
Esteemed Contributor
Solution

Re: Restricting root

If you use sam builder

/usr/sbin/sam -r

you can set up a restricted version of sam for a user or a group.

Using a restricted version of sam does not allow you to change the root password, but does allow you to change other passwords (oracle for example).

What I have seen done is a script that uses the passwd command and sudo. This is messy, but it does work. If you use the script option you can have a list of users who are untouchable:

#!/usr/bin/ksh
# Helpdesk wrapper: prompts for a login name, refuses names on the
# do-not-touch list, then resets the password through sudo.
DATE=$(date '+%a %b %d %Y')
FULLDTE=`date`
HOSTNAME=`hostname`
PATH=/bin:/usr/sbin:/opt/sudo/bin:/usr/bin
BOLD=$(tput smso)
NORM=$(tput rmso)
UNTOUCHABLE=/opt/helpdesk/donottouchlist   # one protected login name per line
LOG=/var/adm/helpdesk.log
USERFILE=/etc/passwd

change_pass()
{
read user?"Please enter a username: "
# Reject empty input and names starting with '-' so the answer can never
# become a passwd option; grep -x makes the list check an exact-line match,
# so 'root' in the list does not also block 'rootbeer'.
if [ -z "$user" ] || [ "${user#-}" != "$user" ] || grep -qx "$user" $UNTOUCHABLE ; then
echo "This user: ${BOLD}$user${NORM} cannot have their password changed."
echo "$FULLDTE \t $LOGNAME \t Illegal ACTION!!!! password change for $user" >> $LOG
echo ; echo
read waiting?"PRESS RETURN TO CONTINUE"
elif ! grep -q "^${user}:" $USERFILE ; then
echo "No such user: ${BOLD}$user${NORM}"
read waiting?"PRESS RETURN TO CONTINUE"
else
sudo -u root /bin/passwd "$user"
sudo -u root /bin/passwd -f "$user"   # expire it so the user must choose a new one at next login
echo "$FULLDTE \t $LOGNAME \t changed password for $user" >> $LOG
fi
}

change_pass


This does work quite well, but it's a bit messy and requires sudo to be installed.

Scott.
Marco Paganini
Respected Contributor

Re: Restricting root

Hello,

That is a very dangerous operation. You can try to achieve what you want by using 'sudo'. Sudo is an intelligent suid wrapper. You could wrap 'passwd' and forbid 'passwd root'. However, it's like someone else said: Never underestimate the creativity of your users...

Regards,
Paga
Keeping alive, until I die.
Global Server Operation
Frequent Advisor

Re: Restricting root

I know you can use restricted sam, but the user will be able to add, delete, and modify users. The customer is requesting just to reset passwd. Looks like sudo is a good option, but I worry about the vulnerability of root's shell. If the user is creative.....
Marco Paganini
Respected Contributor

Re: Restricting root

Hello again,

I checked here my /etc/sudoers manpage. You can definitely do what you want. You may allow certain users to use certain commands based on regular expressions. This way, you may allow your users to do 'passwd user' as long as 'user' is not root. You can also block in such a way that no other 'passwd' options will be allowed. Could be the solution to your problem.

Regards,
Paga
Keeping alive, until I die.
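A concrete version of the two suggestions above (Scott's wrapper script driven through sudo, and Paga's point that sudoers can allow 'passwd user' while excluding root), added here as an example; it is not code from any post in this thread. sudoers(5) documents the direct form as `pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root`, and the same manual warns that command-line arguments are matched as one concatenated string: the glob `[A-Za-z]*` also matches `oracle -d`, and `!/usr/bin/passwd root` says nothing about a second UID-0 account with a different name. The wrapper below is meant to receive the sudo grant instead of passwd itself, so sudo never has to reason about passwd's options; every check is an exact match, and only then is passwd called. The paths (/opt/helpdesk/bin/resetpw, the do-not-touch list, the log), the sudoers line and the sample accounts are assumptions made for the example.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts.
# A helpdesk password-reset wrapper: the only command the helpdesk group is
# given through sudo, so sudo never has to match passwd's own arguments.
#
# Assumed (hypothetical) deployment:
#   /opt/helpdesk/bin/resetpw      this script, owned by root, mode 0755
#   /opt/helpdesk/donottouchlist   one protected login name per line
#   /etc/sudoers line:   %helpdesk ALL = (root) /opt/helpdesk/bin/resetpw
# Helpdesk staff then run:  sudo /opt/helpdesk/bin/resetpw oracle

UNTOUCHABLE="${UNTOUCHABLE:-/opt/helpdesk/donottouchlist}"
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"
LOG="${LOG:-/var/adm/helpdesk.log}"

# check_target NAME
# Exit status 0 if NAME is an account this tool may reset, 1 otherwise.
# Every check is an exact match; nothing here is a substring or glob test.
check_target() {
    user=$1

    # 1. Shape: a plain login name. Rejects the empty string, anything that
    #    starts with '-' (it would otherwise reach passwd as an option, e.g.
    #    '-d' to delete a password), and any character outside [A-Za-z0-9_.-],
    #    which also rules out spaces and shell metacharacters.
    case $user in
        ""|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac

    # 2. Must be an existing account: exact match on the first field only,
    #    so 'ora' never selects 'oracle'.
    line=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$PASSWD_FILE")
    [ -n "$line" ] || return 1

    # 3. Never an account with UID 0, whatever it is called ('toor', ...).
    uid=$(printf '%s\n' "$line" | awk -F: '{ print $3 }')
    [ "$uid" -ne 0 ] || return 1

    # 4. Not on the do-not-touch list. -x matches whole lines, so a 'root'
    #    entry does not also block 'rootbeer'; -F disables regex metacharacters.
    if [ -f "$UNTOUCHABLE" ] && grep -qxF -- "$user" "$UNTOUCHABLE"; then
        return 1
    fi
    return 0
}

# log_event WHO WHAT   (tab-separated, same layout as the script in the thread)
log_event() {
    printf '%s\t%s\t%s\n' "$(date)" "$1" "$2" >> "$LOG"
}

main() {
    [ $# -eq 1 ] || { echo "usage: ${0##*/} USERNAME" >&2; exit 2; }
    target=$1
    caller=${SUDO_USER:-${LOGNAME:-unknown}}   # sudo exports SUDO_USER

    if ! check_target "$target"; then
        log_event "$caller" "REFUSED password change for '$target'"
        echo "The password for '$target' cannot be reset with this tool." >&2
        exit 1
    fi

    log_event "$caller" "password change for '$target'"
    # Under sudo we already run as root, so call passwd directly; exec so the
    # wrapper leaves no extra process behind once passwd is prompting.
    exec /bin/passwd "$target"
}

# Run main only when installed and invoked under the assumed name; sourcing
# the file, or running it under another name, just defines the functions.
case ${0##*/} in
    resetpw) main "$@" ;;
esac
```

The validation is deliberately ordered: the character-class check runs first, so the later awk and grep calls never see a name containing a backslash, a space or a leading dash. Granting `/opt/helpdesk/bin/resetpw` in sudoers rather than `/bin/passwd` means that however creative the helpdesk user is with arguments, the only thing root ever executes on their behalf is this fixed script, and sudo's own log records each invocation alongside the wrapper's.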
Darrell Allen
Honored Contributor

Re: Restricting root

Hello,

I also believe restricted SAM isn't restrictive enough for this instance. I'd go with sudo though you might try a well written, tightly locked down suid script or program. Just be careful because passwd with root privileges is a powerful tool.

Darrell
"What, Me Worry?" - Alfred E. Neuman (Mad Magazine)