LinuxQuestions.org
09-25-2013, 04:40 AM   #1
rajini23
Member
Registered: Sep 2011
Posts: 152

wants to provide sudo access


Hi,

I want to provide sudo access for the user to reset only "passwords" for all the users on that server. I use a Redhat5 server...
 
09-25-2013, 07:36 AM   #2
Firerat
Senior Member
Registered: Oct 2008
Distribution: Debian Jessie / sid
Posts: 1,471

in /etc/sudoers
Code:
<username> <Machine> = (root) /usr/bin/passwd
for example, yourself from any networked Machine

Code:
rajini23 ALL = (root) /usr/bin/passwd
more information can be found in the sudoers man page
Code:
man sudoers
 
09-25-2013, 09:24 AM   #3
TB0ne
Guru
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 14,775

Quote:
Originally Posted by rajini23
Hi,
I want to provide sudo access for the user to reset only "passwords" for all the users on that server. I use a Redhat5 server...
You've been asking about sudo for over a year now:
http://www.linuxquestions.org/questi...do-4175414585/

Have you made no progress in your learning since your first question? And you do realize what you're asking for is pointless, right?? Because if you give a user you don't trust with OTHER root commands the ability to change root's password, you have essentially given them FULL ACCESS TO THE SYSTEM, whenever they want it. They can just run "sudo passwd root", put in a new password, then log in AS ROOT. From there, they can remove ALL traces of what they did, and do whatever they want...including editing the sudoers file, creating new root-level users, etc.
 
09-25-2013, 09:38 AM   #4
Firerat
Senior Member
Registered: Oct 2008
Distribution: Debian Jessie / sid
Posts: 1,471

good point

Code:
<username> <location> = (root) /usr/bin/passwd <username1>,/usr/bin/passwd <username2>,/usr/bin/passwd <username3>
restricts to three 'named' usernames

Last edited by Firerat; 09-25-2013 at 09:40 AM. Reason: passwd !password
 
09-25-2013, 10:03 AM   #5
TB0ne
Guru
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 14,775

Quote:
Originally Posted by Firerat
good point
Code:
<username> <location> = (root) /usr/bin/passwd <username1>,/usr/bin/passwd <username2>,/usr/bin/passwd <username3>
restricts to three 'named' usernames
Yep...or you could do:
Code:
<user ID/alias> ALL=NOPASSWD: /usr/bin/passwd, !/usr/bin/passwd root
...which will let them change anyone ELSE'S passwd but root. Still, though...horribly insecure, and if you don't trust the user to do other root functions, giving them ANY root privileges at all is risky.
 
09-25-2013, 10:09 AM   #6
TobiSGD
Moderator
Registered: Dec 2009
Location: Hanover, Germany
Distribution: Main: Gentoo Others: What fits the task
Posts: 15,592

Quote:
Originally Posted by TB0ne
Yep...or you could do:
Code:
<user ID/alias> ALL=NOPASSWD: /usr/bin/passwd, !/usr/bin/passwd root
...which will let them change anyone ELSE'S passwd but root. Still, though...horribly insecure, and if you don't trust the user to do other root functions, giving them ANY root privileges at all is risky.
1. I don't see any reason to use the NOPASSWD option.
2. The whole point of using sudo is to give a user only some privileges that usually belong to root. May you please explain why this is horribly insecure?
 
09-25-2013, 10:33 AM   #7
TB0ne
Guru
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 14,775

Quote:
Originally Posted by TobiSGD
1. I don't see any reason to use the NOPASSWD option.
Well, that was the option I had in the example I posted. No real REASON to, and it's totally optional.
Quote:
2. The whole point of using sudo is to give a user only some privileges that usually belong to root. May you please explain why this is horribly insecure?
To me (and I'm fully prepared to admit I may be paranoid about such things), is that the above setup will let the user change ANYONE'S password, except root. If another user is in the sudoers file with more access, the user can now log in as THEM, get a root shell/run other commands, and have a field day. There may be other users set up as group 0 (I know...but it COULD happen), and the same applies.

I *NEVER* give sudo rights to ANYONE for ANYTHING, unless I know I can trust them on the system. It does create more work at times, but keeps me from having to undo damage and answer questions to auditors...I feel it's worth the tradeoff.
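
The concern raised in post #7 (a rule that matches only on the passwd command line still covers accounts that hold sudo rights or group 0) can be handled by granting a root-owned wrapper in sudoers instead of /usr/bin/passwd itself. The script below is an added example, not code from any poster in this thread; the install path, the UID threshold of 500 and the privileged group and user lists are assumptions to adapt.

```sh
#!/bin/sh
# Added example: root-owned wrapper, installed e.g. as
# /usr/local/sbin/reset-passwd (hypothetical path) and granted in sudoers
# in place of /usr/bin/passwd:
#   <username> ALL = (root) /usr/local/sbin/reset-passwd
# All defaults below are assumptions to adapt to the server.
PASSWD_FILE=${PASSWD_FILE:-/etc/passwd}
GROUP_FILE=${GROUP_FILE:-/etc/group}
MIN_UID=${MIN_UID:-500}                  # first regular UID on RHEL 5
PRIV_GROUPS=${PRIV_GROUPS:-"root wheel"} # groups that carry sudo/root rights
PRIV_USERS=${PRIV_USERS:-""}             # accounts named directly in sudoers

# may_reset USER: succeed only if USER is an ordinary, unprivileged account.
may_reset() {
    user=$1
    # Plain account names only: not empty, no leading dash, no spaces.
    case $user in
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    # The account must exist; read its UID and primary GID.
    entry=$(awk -F: -v u="$user" '$1 == u { print $3 ":" $4; exit }' "$PASSWD_FILE")
    [ -n "$entry" ] || return 1
    uid=${entry%%:*}
    gid=${entry##*:}
    # Refuse root, any other UID 0 account, system accounts and GID 0.
    [ "$uid" -ge "$MIN_UID" ] || return 1
    [ "$gid" -ne 0 ] || return 1
    # Refuse accounts that hold sudo rights themselves, by name or by group.
    case " $PRIV_USERS " in
        *" $user "*) return 1 ;;
    esac
    for g in $PRIV_GROUPS; do
        grp=$(awk -F: -v g="$g" '$1 == g { print $3 ":" $4; exit }' "$GROUP_FILE")
        [ "${grp%%:*}" != "$gid" ] || return 1      # primary group
        case ",${grp#*:}," in
            *",$user,"*) return 1 ;;                # supplementary member
        esac
    done
    return 0
}

# Act only on exactly one argument: passwd with no user name would change
# the password of the account it runs as, which under sudo is root.
if [ $# -eq 1 ]; then
    if may_reset "$1"; then exec /usr/bin/passwd "$1"; fi
    echo "reset-passwd: refusing to change password for '$1'" >&2
    exit 1
fi
```

The wrapper must be owned by root and writable by nobody else, since anyone who can edit it controls what sudo runs.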
 
09-25-2013, 11:46 AM   #8
SAbhi
Member
Registered: Aug 2009
Location: Bangaluru, India
Distribution: CentOS 6.5, SuSE SLED/ SLES 10.2 SP2 /11.2, Fedora 11/16
Posts: 546

That's correct... why and what matter much more here than just simply opting for a NOPASSWD option to change anyone else's password.
 
  

