Resetting passwords of other users without being Root

Julix · 08-15-2007, 02:56 PM

Hi Everyone,
I am a newbie

and have recently installed Linux at home, although right now it is only for testing purposes I want to set it up as a multiuser system and I would like to know if there is a way to reset passwords of other users without being Root and without using SUDO. I mean like setting up a user group with that privilege only and then connect User IDs to that group who should reset the password of other users.
Sorry if this question may have been posted on another forum but I have looked around and couldn't find an answer.
Thanks,
Julix

slakmagik · 08-15-2007, 03:15 PM

This is not possible. Well, not possible in any sane way. I'm not sure what effect creating a 'password_editor' group, making /etc/passwd and so on owned by that group, and making it group-writable would have, but it's not anything you want or need.

jonlake · 08-15-2007, 03:29 PM

This is exactly what sudo is designed for. To allow normal users to do things that is usually reserved for root. You can specify a group that has access to only the passwd command to reset passwords. The only downfall to this is that this particular user could probably sudo passwd root and reset the root password.

Julix · 08-15-2007, 04:01 PM

Thank you Digiot and Jonlake, both point of views make sense. Basically what I want to archive is that a user with that the user with this privilege don't has put sudo everytime a password needs to be reset for a user. So if I setup the user ID with SUDO for password reset there is no way to avoid that the root password can also be reset by this particular user?

jonlake · 08-15-2007, 05:02 PM

Something like this would work

Code:

#!/bin/bash
# users run this command as sudo script user
if [ "$1" = 'root' ]; then 
  echo "You cannot change the root password!!"
  exit
else 
  passwd $1
fi

and give them sudo to this command. I am just guessing that this would work, I'm not at a linux box right now to test.

I did a little bit of searching to see if there was a pam module or something to avoid someone running sudo passwd root, but I haven't found anything.

jschiwal · 08-15-2007, 05:19 PM

You can configure sudo to use the users password. This is the way Fedora Core and other distro's do it by default. The passwd program is suid, and allows a user to change their own password. If you have a simple script that calls the passwd program and resets the password, you can edit sudo so that a member of a particular group and execute that script (and only that script) as root without a password. The /etc/sudoers file has a commented example for mounting cdroms. You could base your command on that. A script could take the username or uid as an argument.

Sudo is used to delegate certain tasks that require root access without sharing the root password. You don't want just any user to be able to reset another's password. That would allow them to reset someone else's password and then log in as that user.

Julix · 08-17-2007, 05:30 PM

Hi All,

thanks a lot for all your assistance. I like the idea of using a script for this and give sudo permission to it. I will try setup one and see if it´s working