Linux - Newbie
First of all... I'm rather a noob when it comes to Linux. I know this may not be what everyone loves to hear, especially on the problem that I have, so please do guide me and give me a chance to learn. (No trolls and haters please...) Now... moving on to the question proper.
My customer wants to use a normal user account to change the root account password, and ONLY this right is to be given to this user account. Yes... I know it is rather pointless, and I also know the risks of giving that user account the right to change the root password; I have cautioned my customer about the risks. They told me that the normal user account is only accessed by password management software, which will SSH into the Linux box using the normal user account and change the root account password. Only administrators of the software have access to the software itself, so the risks are kept minimal. Well, they are my customer, so I will have to trust what they said and do what they want (after all... it is their infra).
There are 2 main reasons why my customer wants to grant the normal user account the right to change the root account password:
1. They are not comfortable in creating another uid=0 account, which is another root account
2. The password management software is only able to recognize the "passwd" command and not others (like "sudo passwd <username>", etc.).
I have tried in my own test Linux lab logging in as a normal user and entering this command: "passwd root", and it returned this error: "passwd: Only root can specify a user name."
Now, since the password management software only recognizes the "passwd" command, I like to know the following:
1. Is there really a way to let a normal user account ONLY have the right to change the root account password?
2. If yes, is it done through editing the sudo file or is there any other method to achieve this?
3. How can I edit the sudo file so that the normal user account is able to change the root password just by executing the "passwd root" command or whatever command to achieve this?
If the answer to question 3 is yes, then I really hope that you guys can provide me with the command or a step-by-step guide, as I'm really a noob when it comes to Linux but I need to get this done for the customer as it is really urgent.
I appreciate it and thanks in advance for any help given to assist me on this, and sorry for this long question. In the meantime, I will paste what I have in my sudo file here:
Code:
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.
## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias FILESERVERS = fs1, fs2
# Host_Alias MAILSERVERS = smtp, smtp2
## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem
## Command Aliases
## These are groups of related commands...
## Networking
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
## Services
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig
## Updating the locate database
# Cmnd_Alias LOCATE = /usr/bin/updatedb
## Storage
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
## Delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
## Processes
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
## Drivers
# Cmnd_Alias DRIVERS = /sbin/modprobe
# Defaults specification
#
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
# You have to run "ssh -t hostname sudo <cmd>".
#
Defaults requiretty
Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
## user MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
## Allows members of the users group to mount and unmount the
## cdrom as root
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
## Allows members of the users group to shutdown this system
# %users localhost=/sbin/shutdown -h now
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
Last edited by Digistras; 07-28-2014 at 02:17 PM.
Reason: Wrap code
directly in a terminal. That will create a file named .bash_profile in the current directory, containing the line
Code:
'alias passwd="sudo passwd"'
Then after you restart the terminal, whenever it receives "passwd", it will automatically convert that to "sudo passwd". In this paragraph, code tags were used in two places, resulting in the different formatting.
No matter how many times I read this, I get the same thing: if a normal user has access to change the root password then they are in every respect a root user.
It may be possible to have some encrypted file with a pre-made list of passwords that could be inserted, but any user with access to the root password is root.
Yeah, he's aware of it. But given whatever backward circumstances require this, the above will work.
Quote:
My customer wants to use a normal user account to change root account password and ONLY this rights is to be give to this user account. Yes...I know is rather pointless and also the risks of giving that user account the right to change the root password and I have cautioned the risks to my customer. They told me that the normal user account is only accessed by a password management software which the software will SSH into the linux using the normal user account and change the root account password. Only administrators of the software have access to the software itself so the risks are kept minimal. Well, they are my customer so I will have to trust what they said and do what they want (afterall...is their infra).
I was saying that it might be possible to create a set of passwords that the customer doesn't know. I haven't exactly figured out how to get that to work, but that was where I was going. Maybe a one-time-use deal or a time-based deal that some remote admin knows.
Give that user a private "bin" directory and make sure it comes before the system directories in that user's PATH. In that directory, put an executable script named "passwd" containing:
Code:
#!/bin/sh
# Wrapper placed in the user's private bin directory, ahead of /usr/bin in PATH.
# Only the exact invocation "passwd root" is escalated through sudo; any other
# arguments fall through to the real passwd with the caller's own privileges.
if [ "$#" -eq 1 ] && [ "$1" = root ]; then
    sudo /usr/bin/passwd root
else
    /usr/bin/passwd "$@"
fi
Then edit /etc/sudoers to allow that specific command and argument to run without requiring a password.
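The sudoers side of that answer, as an added example that is not from the thread: a drop-in that grants exactly one command with exactly one argument, syntax-checked before it goes live. The account name "pwmgr" and the drop-in path are assumptions; the !requiretty line is there because the sudoers pasted above sets "Defaults requiretty", which would make sudo fail in a password manager's non-interactive SSH session.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates and installs a sudoers
# drop-in that lets one unprivileged account run exactly "passwd root".
# Assumptions: the account is called "pwmgr", passwd lives at /usr/bin/passwd.

# Print the drop-in. Listing the literal argument "root" is the whole point:
# a rule ending in "/usr/bin/passwd" alone would also match
# "sudo passwd alice", letting the account reset every user's password.
# The posted sudoers sets "Defaults requiretty", which makes sudo fail in a
# password manager's non-interactive SSH session, so it is switched off for
# this one account only.
sudoers_rule() {
    acct=$1
    printf 'Defaults:%s !requiretty\n' "$acct"
    printf '%s ALL=(root) NOPASSWD: /usr/bin/passwd root\n' "$acct"
}

# Write the drop-in and syntax-check it with visudo before it takes effect;
# a rejected file is discarded so a typo cannot break sudo for everyone.
install_rule() {
    acct=$1
    dest=${2:-/etc/sudoers.d/50-$acct-passwd-root}
    tmp=$(mktemp) || return 1
    sudoers_rule "$acct" > "$tmp"
    if command -v visudo >/dev/null 2>&1 && ! visudo -c -f "$tmp" >/dev/null 2>&1; then
        rm -f "$tmp"
        return 1
    fi
    install -m 0440 -o root -g root "$tmp" "$dest"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage (as root): ./grant-passwd-root.sh install pwmgr
case "${1:-}" in
    install) install_rule "${2:?account name required}" ;;
esac
```

After installing, "sudo -l -U pwmgr" lists the effective rule for the account, which is the quickest way to confirm nothing broader than "passwd root" slipped in.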