Avoid users to change password

sinchan_ · 10-21-2009, 08:13 AM

Hi

I'm using opensuse and i'm trying that users cannot change his own password (mantaining /bin/bash users active). Do you know how can I do it?

Thanks in advance

Tux-Slack · 10-21-2009, 08:17 AM

Try here:
http://www.linuxquestions.org/questi...ccount-218616/

bathory · 10-21-2009, 08:23 AM

If you want all your user not to be able to change their password, remove the suid bit from /usr/bin/passwd

Regards

sinchan_ · 10-21-2009, 08:40 AM

Thanks for the answers.

I thought to remove the suid, but i readed this in one forum (and i have not very expertise in linux yet):

Use of the SUID bit on binaries (to run with root privileges, aka ”setuid bit”) MUST be limited to those shown in the following list:

/bin/ping
/bin/su
/usr/bin/at
/usr/bin/chage
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/crontab
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/passwd

Is the passwd -n option safer? I think that this 2 options will not change the normal users to other services like subversion, can you please confirm it.

Tux-Slack · 10-21-2009, 08:51 AM

passwd -n option will set you some amount of days, before a user will be able to change his password. If you set to 365, he wont be able to change his password for a year.
If you remove the suid flag from passwd then passwd wont work anymore for any non-root user, but you, as root will still be able to use it.

bathory · 10-21-2009, 08:55 AM

You need the suid bit for passwd in order for the users to be able to change their password, which is the default.
If you for any reason want to deny this feature for all your users, you can safely remove the suid bit.
Else you have to manually enter the expiration day for all of them.
I don't see any reason why prohibiting password change should have any impact on the services you've mentioned.

Regards

sinchan_ · 10-21-2009, 08:56 AM

Then remove the suid seems to be the best option.

Last question, and sorry about my lack of knowledge, command to be used should be chmod -s /usr/bin/passwd ?

best regards

edit: Yes, change the timelimit for all users will be very annoying. It's good to know it to apply this for one or two users. ty

bathory · 10-21-2009, 08:59 AM

Yes, chmod -s should do the job

Cheers

sinchan_ · 10-21-2009, 09:45 AM

I used the chmod -s but it didnt worked :S

Finally I found a solution that worked, set permissions as 754 (removing X from others)

cheers

bathory · 10-21-2009, 11:31 AM

What you mean by "it didn't work". Just tested on an openSUSE 10.3 box and it doesn't allow the user to change his password. In fact it gives "Authentication failure" when user enters the old password in order to change it.

sinchan_ · 10-21-2009, 02:48 PM

i found the error. My user was on root group :S
removing it from root group also resolved the problem

Thanks 4 help