Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Ok, what I am trying to do is give a group of users the ability to lock only user accounts, without locking system accounts, the root account, or my account. How do I accomplish this?
Below is a copy of my /etc/sudoers; look at the line containing "jchander".
luna:~ # cat /etc/sudoers
# sudoers file.
# This file MUST be edited with the 'visudo' command as root.
# See the sudoers man page for the details on how to write a sudoers file.
# Host alias specification
# User alias specification
User_Alias ADMINS = fnowicki
# Cmnd alias specification
# Defaults specification
# prevent environment variables from influencing programs in an
# unexpected or harmful way (CVE-2005-2959, CVE-2005-4158,
# In the default (unconfigured) configuration, sudo asks for the root password.
# This allows use of an ordinary user account for administration of a freshly
# installed system. When configuring sudo, delete the two
# following lines:
Defaults targetpw # ask for the password of the target user i.e. root
#ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!
# Runas alias specification
# User privilege specification
#root ALL=(ALL) ALL
fnowicki ALL=(ALL) ALL
jchander ALL=(ALL) PASSWD: /usr/bin/passwd -l
# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now
Versions I have are
Sudo version 1.6.8p12
Linux luna 188.8.131.52-0.8-bigsmp #1 SMP Mon Jul 3 18:25:39 UTC 2006 i686 i686 i386 GNU/Linux
Brainstorming: what about just writing a script to do this?
1) So user executes script with username as a parameter.
2) Script checks to see if user is in list of accounts that shouldn't be locked.
3) If it's not in the list, the script executes the passwd program with sudo privileges.
4) If it's not in the list, the script outputs the error.
First, I don't want him to use the root password; I want him to use his own password. How do I fix this?
User jchander may run the following commands on this host:
(ALL) /usr/bin/passwd -l
jchander@luna:~> sudo /usr/bin/passwd -l fnowicki
Sorry, user jchander is not allowed to execute '/usr/bin/passwd -l fnowicki' as root on luna.
For one specific box, Firerat's lists suggestion (either version) may make sense.
For a more general solution for use on multiple systems, I'd go with the 'write a script' suggestion above and just get it to check a cutoff UID value, e.g. on RHEL-based systems, normal user accounts start at 500 (other systems start at UID 1000).
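
The wrapper-script idea from the replies above, sketched as an added example (not code from any poster in the thread): sudoers grants the script instead of passwd, and the script decides which accounts may be locked by a protected-name list plus a UID cutoff. The script path, UID_MAX and the allowed name pattern are assumptions; the protected names and the 500/1000 cutoff come from the thread.

```shell
#!/bin/sh
# Added example: hypothetical wrapper, installed root-owned and not writable by
# others at an assumed path, and granted in sudoers INSTEAD of passwd itself:
#   jchander ALL=(root) /usr/local/sbin/lock-user
# The posted sudoers file's own comments say to delete "Defaults targetpw"
# once sudo is configured; with it gone, sudo asks for the caller's password.
LC_ALL=C; export LC_ALL                  # make the a-z range below byte-exact
PATH=/usr/bin:/bin:/usr/sbin:/sbin; export PATH
UID_MIN=1000     # cutoff from the thread: 500 on RHEL-based systems, 1000 elsewhere
UID_MAX=60000    # assumed ceiling, keeps out high system UIDs such as nobody
PROTECTED="root fnowicki"    # never lockable, whatever their UID

# valid_name NAME -> status 0 unless NAME is empty, option-like, or has odd characters
valid_name() {
    case "$1" in ''|-*|*[!a-z0-9_-]*) return 1 ;; esac
}

# may_lock NAME UID -> status 0 only for an ordinary, unprotected account
may_lock() {
    valid_name "$1" || return 1
    case "$2" in ''|*[!0-9]*) return 1 ;; esac    # unknown account or bad UID
    for p in $PROTECTED; do
        [ "$1" = "$p" ] && return 1
    done
    [ "$2" -ge "$UID_MIN" ] && [ "$2" -le "$UID_MAX" ]
}

# lock_user NAME -> look up the UID, apply may_lock, then lock the password
lock_user() {
    target_uid=''
    valid_name "$1" && target_uid=$(getent passwd "$1" | cut -d: -f3)
    if may_lock "$1" "$target_uid"; then
        /usr/bin/passwd -l "$1"
    else
        echo "lock-user: refusing to lock '$1'" >&2
        return 1
    fi
}

case $# in
    0) : ;;                              # no argument: only define the functions
    1) lock_user "$1" ;;
    *) echo "usage: lock-user USERNAME" >&2; exit 2 ;;
esac
```

Because the username is validated inside the script, the sudoers rule needs no wildcard after the command, so the caller cannot pass extra passwd options through sudo.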