LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   change password without knowing current password (http://www.linuxquestions.org/questions/linux-security-4/change-password-without-knowing-current-password-646671/)

powah 06-03-2008 09:29 AM

change password without knowing current password
 
After logging as root, how to change the password for the user "admin: without knowing its current password?

# /usr/bin/passwd admin
Changing password for user admin.
Changing password for admin
(current) password:
passwd: Authentication token manipulation error

marXtevens 06-03-2008 09:42 AM

Changing Password
 
It would help (me) to have a couple of items of information:
  1. Version of Linux (Slackware, Ubuntu, Fedora).
  2. egrep 'root|admin' /etc/passwd
  3. Are you running SELinux?

You might also wish to look at the following:
http://www.linuxquestions.org/questi...on-error-2813/

... Mark

powah 06-03-2008 01:29 PM

Quote:

Originally Posted by marXtevens (Post 3173278)
It would help (me) to have a couple of items of information:
  1. Version of Linux (Slackware, Ubuntu, Fedora).
  2. egrep 'root|admin' /etc/passwd
  3. Are you running SELinux?

You might also wish to look at the following:
http://www.linuxquestions.org/questi...on-error-2813/

... Mark

Fedora Core 6 : kernel 2.6.18-1.2798.fc6

# egrep 'root|admin' /etc/passwd
root:x:0:0:root:/root:/bin/bash
admin:x:0:0:root:/root:/usr/comp/lush/lush
operator:x:11:0:operator:/root:/sbin/nologin

How to find out whether SELinux is installed or running?

trickykid 06-03-2008 02:04 PM

My question is, Why do you have a user called admin with the same uid as root? That's just bad and opens this machine up to all kinds of security related issues. I'd like to know the reason behind this, if any? If it's for some application, I'd talk to the developers to rethink how they need to develop such application without needing an active account with root power across the whole system.

And you're probably getting the manipulation token error cause you have two uid's with the same value.

Bad bad bad.. in my opinion. When root changes a password, it usually will not prompt for the existing password, root is god, don't create other accounts with same UID as root with 0.

powah 06-03-2008 02:28 PM

Quote:

Originally Posted by trickykid (Post 3173552)
My question is, Why do you have a user called admin with the same uid as root? That's just bad and opens this machine up to all kinds of security related issues. I'd like to know the reason behind this, if any? If it's for some application, I'd talk to the developers to rethink how they need to develop such application without needing an active account with root power across the whole system.

And you're probably getting the manipulation token error cause you have two uid's with the same value.

Bad bad bad.. in my opinion. When root changes a password, it usually will not prompt for the existing password, root is god, don't create other accounts with same UID as root with 0.


The admin account is a quick and dirty way to execute some privileged commands.
Besides using "sudo", are there alternatives?

marXtevens 06-03-2008 03:55 PM

More Than One root? Not a Good Idea.
 
Quote:

Originally Posted by powah (Post 3173502)
Fedora Core 6 : kernel 2.6.18-1.2798.fc6

# egrep 'root|admin' /etc/passwd
root:x:0:0:root:/root:/bin/bash
admin:x:0:0:root:/root:/usr/comp/lush/lush
operator:x:11:0:operator:/root:/sbin/nologin

How to find out whether SELinux is installed or running?

Having more that one username with the same userid is a dangerous activity, especially for root. Hence the purpose of sudo. To allow some people to run some commands that they could not otherwise use, AND track their use of sudo and the things they did (if you have accounting running (pacct)).

As root run the following:
if [ -e `which selinuxenabled` ] ; then `which selinuxenabled` ; if [ $? -eq 0 ] ; then echo "SELinux enabled" ; else echo "SELinux disabled" ; fi; else echo "SELinux not installed"; fi

Below is a really good tutorial on setting up sudo.
http://www.onlamp.com/pub/a/bsd/2002...y_Daemons.html

... Mark

trickykid 06-05-2008 02:30 PM

Quote:

Originally Posted by powah (Post 3173578)
The admin account is a quick and dirty way to execute some privileged commands.
Besides using "sudo", are there alternatives?

Might be quick and dirty but add in insecure as well. You can easily implement sudo to run what you need without passwords, etc. If you're going to run a user with the UID of 0, basically making it another root user, you might as well just login and use root, there's no difference in what your doing except possibly security through obscurity, which never works and is not fool proof.

i92guboj 06-06-2008 11:17 PM

Quote:

Originally Posted by trickykid (Post 3175854)
Might be quick and dirty but add in insecure as well. You can easily implement sudo to run what you need without passwords, etc. If you're going to run a user with the UID of 0, basically making it another root user, you might as well just login and use root, there's no difference in what your doing except possibly security through obscurity, which never works and is not fool proof.

Obscurity? The username is "admin" hehehehehe. So, nor even that.

Use sudo. By deleting the admin user you will also fix the "problem" that you created and this thread will be solved as well.

trickykid 06-11-2008 01:21 PM

Quote:

Originally Posted by i92guboj (Post 3177241)
Obscurity? The username is "admin" hehehehehe. So, nor even that.

Well, anyone in the Unix world all know root is god. I've seen plenty of accounts created as admin that aren't necessarily given anything close to root privileges. When I think of admin or administrator, I think of Windows.

i92guboj 06-11-2008 11:29 PM

Quote:

Originally Posted by trickykid (Post 3181736)
Well, anyone in the Unix world all know root is god. I've seen plenty of accounts created as admin that aren't necessarily given anything close to root privileges. When I think of admin or administrator, I think of Windows.

Sure. But regardless, I don't think I am wrong if I say that 100% of the dictionary based attacks will try that word on an early stage. It's not that uncommon, and even if it can't guarantee root access, it's a good start.

Believe me, someone that short sighted as to set an user account called "admin" with a weak password that can be cracked, has probably made much more errors that will make the system vulnerable enough if you get to log with that user.

There's no obscurity in using "admin" as an user or root account as there's no obscurity in using an account name named "Joseph" either and putting your ID number as a password. But that's what a lot of people do. So, it's doesn't really matter if the "admin" user has root privileges or not (that's just a bonus that the eventual attacker will find and enjoy). The point is that, as you said, there's a lot of people that use "admin" for one purpose or another. So, it's a very common name to find on a name generator, and even in dictionaries for passwords (yeah, some people is that way).

As long as it's on the dictionary or it's close enough, there's no obscurity at all, because attackers don't care about what the user name is supposed to be. They can try lots of times on lots of computers, and the ip banning is not invulnerable. When it comes to security the best you can do is to put as many layers as possible in the middle.

That's why admins use tools like johntheripper to check the integrity of the passwords. A weak password is a way for an attacker to get into the system. Once you are there, if you are smart enough you can wait, watch, and find a way to scale privileges.

nx5000 06-12-2008 04:45 AM

Not really on topic ...
Quote:

Originally Posted by marXtevens (Post 3173687)
Having more that one username with the same userid is a dangerous activity, especially for root

Quote:

Originally Posted by trickykid
My question is, Why do you have a user called admin with the same uid as root? That's just bad and opens this machine up to all kinds of security related issues.

Like what kind of security problem?

I have some machines here that have this.. hum.. feature.. And i vaguely remember that this is not good habit but more precisely what's the risk?

I'm not the admin but the admin created me this kind of UID 0 account. He said he doesn't want to install any packages.. like sudo... :) As I can now change he's root password, that's not very logical but that's not the point, I just want to know the real risk of having two same UID 0.

Thanks!

irusvirus 08-10-2012 11:34 AM

sudo passwd
 
If you don't remember your password you might try to reset it using sudo passwd
All the best.
Íris

i92guboj 08-11-2012 02:11 PM

Quote:

Originally Posted by nx5000 (Post 3182377)
Like what kind of security problem?

Two (or N) users with the same UID is truly better worded as "one user". For linux, users with the same UID are the same user, no matter if they have different passwords, homes or whatever else.

The file ownerships are stored by UID, not by user name. That means that any file belonging to a given UID will effectively belong to any number of users which have that same UID.

I will remind you that, in linux (and in generanl, in any POSIX OS) everything is a file, including device nodes, network sockets, pipes (you can start seeing what the implications are, aren't you?).

In other words: if "admin" is the same UID than "root", then "admin" IS "root". Effectively, handling the "admin" user the "root" password would be easier, and would save you one line in the passwords file. There are a few corner cases when this "feature" as you call it can be useful (or so some people think), but if you are asking here you are probably in one of those rare cases.

Anyway, read this, concretely 4.1.2.

http://www.diablotin.com/librairie/n...is/ch04_01.htm

Wim Sturkenboom 08-12-2012 12:31 PM

This thread is 4 years old.

Shahid nx 10-04-2012 05:05 AM

If you go to a command line as root, you can change a users password by
issuing the following:
passwd username
You will be prompted for a new password for the user without asking current password.


All times are GMT -5. The time now is 08:13 PM.