LinuxQuestions.org - Linux - Security

sudo access trouble (http://www.linuxquestions.org/questions/linux-security-4/sudo-access-trouble-4175477610/)

slufoot80 09-18-2013 10:15 AM

sudo access trouble
 
Ok, what I am trying to do is give a group of users the ability to only lock user accounts, without locking system accounts, the root account, or my account. How do I accomplish this?

Below is a copy of my /etc/sudoers; look at the line containing "jchander".

Code:

luna:~ # cat /etc/sudoers
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

# Host alias specification

# User alias specification
User_Alias ADMINS = fnowicki

# Cmnd alias specification

# Defaults specification

# prevent environment variables from influencing programs in an
# unexpected or harmful way (CVE-2005-2959, CVE-2005-4158,
# CVE-2006-0151)
Defaults always_set_home
Defaults env_reset

# In the default (unconfigured) configuration, sudo asks for the root password.
# This allows use of an ordinary user account for administration of a freshly
# installed system. When configuring sudo, delete the two
# following lines:
Defaults targetpw    # ask for the password of the target user i.e. root
#ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!

# Runas alias specification

# User privilege specification
#root  ALL=(ALL) ALL
fnowicki ALL=(ALL) ALL

jchander        ALL=(ALL)      PASSWD: /usr/bin/passwd -l

# Uncomment to allow people in group wheel to run all commands
# %wheel        ALL=(ALL)      ALL

# Same thing without a password
# %wheel        ALL=(ALL)      NOPASSWD: ALL

# Samples
# %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users  localhost=/sbin/shutdown -h now

The versions I have are:

Code:

Sudo version 1.6.8p12
Suse
Linux luna 2.6.16.21-0.8-bigsmp #1 SMP Mon Jul 3 18:25:39 UTC 2006 i686 i686 i386 GNU/Linux


YankeePride13 09-18-2013 10:29 AM

Brainstorming: what about just writing a script to do this?

1) The user executes the script with a username as a parameter.
2) The script checks to see if the user is in the list of accounts that shouldn't be locked.
3) If it's not in the list, the script executes the passwd program with sudo privileges.
4) If it's not in the list, the script outputs the error.

slufoot80 09-18-2013 10:36 AM

issue now
 
Ok, here is my issue now.

First, I don't want him to use the root password; I want him to use his own password. How do I fix this?

Code:

sudo -l
root's password:
User jchander may run the following commands on this host:
    (ALL) /usr/bin/passwd -l
jchander@luna:~> sudo /usr/bin/passwd -l fnowicki
Sorry, user jchander is not allowed to execute '/usr/bin/passwd -l fnowicki' as root on luna.


unSpawn 09-21-2013 03:34 AM

Quote:

Originally Posted by slufoot80 (Post 5030046)
Ok, here is my issue now.

First, I don't want him to use the root password; I want him to use his own password. How do I fix this?

Re-read your /etc/sudoers, start at the line "# In the default (unconfigured) configuration" and see 'man sudoers'.

Turbocapitalist 09-29-2013 06:43 AM

You need to tell sudo to allow a username after the -l option.

Code:

%jchander ALL=(ALL) PASSWD: /usr/bin/passwd -l [a-z0-9]*

Firerat 09-29-2013 07:03 AM

Quote:

Originally Posted by slufoot80 (Post 5030033)
Ok, what I am trying to do is give a group of users the ability to only lock user accounts, without locking system accounts, the root account, or my account. How do I accomplish this?

Below is a copy of my /etc/sudoers; look at the line containing "jchander".


Code:


jchander        ALL=(root)      PASSWD: /usr/bin/passwd -l [a-z0-9]*, !/usr/bin/passwd -l root , !/usr/bin/passwd -l slufoot

You will want to build that ! (NOT) list to include system accounts, etc.

Better still, set the specific accounts that they can lock instead of [a-z0-9]*.

chrism01 10-03-2013 08:04 PM

For one specific box, Firerat's list suggestion (either version) may make sense.
For a more general solution for use on multiple systems, I'd go with the 'write a script' suggestion above and just get it to check a cutoff UID value, e.g. on RHEL-based systems normal user accounts start at 500 (other systems start at UID 1000).
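The wrapper-script approach suggested in the thread (YankeePride13's list check plus chrism01's UID cutoff), written out as an added example; this is not a script posted by anyone in the thread. The reason to prefer it over the sudoers one-liners above is documented in sudoers(5): command-line arguments are matched as a single concatenated string, so a wildcard like `[a-z0-9]*` also matches several words (extra passwd options can ride along with the username), and "subtracting" commands with `!` is generally not effective because the negated entry is an exact string that any extra argument sidesteps. Granting sudo on a fixed wrapper path with no wildcards avoids both. The path `/usr/local/sbin/lockuser`, the `MIN_UID` default of 1000, the protected list, and the passwd(5) sample data are all assumptions made for the example.

```shell
#!/bin/sh
# lockuser: let a delegated admin lock ordinary accounts with "passwd -l"
# while refusing system accounts and an explicit protected list.
#
# Hypothetical wrapper written for this thread, not the poster's script.
# Assumed sudoers entry (fixed path, no wildcards, no "!" negations):
#   jchander ALL=(root) PASSWD: /usr/local/sbin/lockuser
set -u

MIN_UID=${MIN_UID:-1000}                 # assumption: 1000 here; RHEL-era boxes use 500
PROTECTED_USERS="root slufoot fnowicki"  # never lockable, whatever their UID

# Constructed passwd(5) sample so the checks run offline. A real deployment
# sets PASSWD_DB from "getent passwd" (or reads /etc/passwd) instead.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
fnowicki:x:1000:100:F. Nowicki:/home/fnowicki:/bin/bash
slufoot:x:1001:100:slufoot:/home/slufoot:/bin/bash
jdoe:x:1002:100:J. Doe:/home/jdoe:/bin/bash
mallory:x:1003:100:Mallory:/home/mallory:/bin/bash'

# lookup_uid NAME: print the numeric UID of NAME, or return 1 if unknown.
lookup_uid() {
    printf '%s\n' "${PASSWD_DB:-$SAMPLE_PASSWD}" |
        awk -F: -v u="$1" '$1 == u { print $3; found = 1 } END { exit !found }'
}

# valid_name NAME: accept only a plain login name. A leading "-" (which passwd
# would parse as an option), whitespace, "/" and the empty string are refused,
# so a caller cannot smuggle "jdoe -d root" through as one argument.
valid_name() {
    case "$1" in
        "")              return 1 ;;
        [!a-z_]*)        return 1 ;;
        *[!a-z0-9_-]*)   return 1 ;;
    esac
    return 0
}

# may_lock NAME: 0 if NAME may be locked, 1 otherwise (reason on stderr).
may_lock() {
    name=$1
    if ! valid_name "$name"; then
        echo "refused: '$name' is not a valid login name" >&2; return 1
    fi
    for p in $PROTECTED_USERS; do
        if [ "$name" = "$p" ]; then
            echo "refused: $name is a protected account" >&2; return 1
        fi
    done
    uid=$(lookup_uid "$name") || {
        echo "refused: no such user $name" >&2; return 1
    }
    if [ "$uid" -lt "$MIN_UID" ]; then
        echo "refused: uid $uid is below $MIN_UID (system account)" >&2; return 1
    fi
    return 0
}

# lock_account NAME: run the checks, then lock. passwd is invoked with a
# fixed option and one validated argument; nothing else from the caller.
lock_account() {
    may_lock "$1" || return 1
    exec /usr/bin/passwd -l "$1"
}

# Usage: lockuser NAME (exactly one argument). Sourced with no arguments,
# the file only defines the functions above.
if [ $# -eq 1 ]; then
    lock_account "$1"
fi
```

Install it root-owned and mode 0755 (the delegated user must not be able to edit it, since it runs as root), then `sudo -l` as jchander should show only the wrapper. Because the sudoers entry names the wrapper and nothing else, the username validation, the protected list and the UID cutoff are enforced in one place instead of being spread across fragile `!` entries.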

