Old 09-18-2013, 10:15 AM   #1
slufoot80
Member
 
Registered: Nov 2011
Posts: 58

Rep: Reputation: Disabled
sudo access trouble


OK, what I am trying to do is give a group of users the ability to only lock user accounts, without locking system accounts, the root account, or my account. How do I accomplish this?

Below is a copy of my /etc/sudoers; look at the line containing "jchander".

Code:
luna:~ # cat /etc/sudoers
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

# Host alias specification

# User alias specification
User_Alias ADMINS = fnowicki

# Cmnd alias specification

# Defaults specification

# prevent environment variables from influencing programs in an
# unexpected or harmful way (CVE-2005-2959, CVE-2005-4158,
# CVE-2006-0151)
Defaults always_set_home
Defaults env_reset

# In the default (unconfigured) configuration, sudo asks for the root password.
# This allows use of an ordinary user account for administration of a freshly
# installed system. When configuring sudo, delete the two
# following lines:
Defaults targetpw    # ask for the password of the target user i.e. root
#ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!

# Runas alias specification

# User privilege specification
#root   ALL=(ALL) ALL
fnowicki ALL=(ALL) ALL 

jchander        ALL=(ALL)       PASSWD: /usr/bin/passwd -l

# Uncomment to allow people in group wheel to run all commands
# %wheel        ALL=(ALL)       ALL

# Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

# Samples
# %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users  localhost=/sbin/shutdown -h now

Versions I have are:

Code:
Sudo version 1.6.8p12
Suse 
Linux luna 2.6.16.21-0.8-bigsmp #1 SMP Mon Jul 3 18:25:39 UTC 2006 i686 i686 i386 GNU/Linux
 
Old 09-18-2013, 10:29 AM   #2
YankeePride13
Member
 
Registered: Aug 2012
Distribution: Ubuntu 10.04, CentOS 6.3, Windows 7
Posts: 167

Rep: Reputation: 35
Brainstorming: what about just writing a script to do this?

1) So user executes script with username as a parameter.
2) Script checks to see if user is in list of accounts that shouldn't be locked.
3) If it's not in the list, the script executes the passwd program with sudo privileges.
4) If it's not in the list, the script outputs the error.
 
Old 09-18-2013, 10:36 AM   #3
slufoot80
Member
 
Registered: Nov 2011
Posts: 58

Original Poster
Rep: Reputation: Disabled
issue now

OK, here is my issue now.

First, I don't want him to use the root password; I want him to use his own password. How do I fix this?

Code:
sudo -l
root's password:
User jchander may run the following commands on this host:
    (ALL) /usr/bin/passwd -l
jchander@luna:~> sudo /usr/bin/passwd -l fnowicki
Sorry, user jchander is not allowed to execute '/usr/bin/passwd -l fnowicki' as root on luna.
 
Old 09-21-2013, 03:34 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,532
Blog Entries: 51

Rep: Reputation: 2601
Quote:
Originally Posted by slufoot80
OK, here is my issue now.

First, I don't want him to use the root password; I want him to use his own password. How do I fix this?
Re-read your /etc/sudoers, start at line "# In the default (unconfigured) configuration" and see 'man sudoers'.
 
Old 09-29-2013, 06:43 AM   #5
Turbocapitalist
Member
 
Registered: Apr 2005
Distribution: Ubuntu, Debian, OS X (bsd)
Posts: 131

Rep: Reputation: 12
You need to tell sudo to allow a username after the -l option.

Code:
%jchander ALL=(ALL) PASSWD: /usr/bin/passwd -l [a-z0-9]*

Last edited by Turbocapitalist; 09-29-2013 at 07:24 AM. Reason: typo
 
Old 09-29-2013, 07:03 AM   #6
Firerat
Senior Member
 
Registered: Oct 2008
Distribution: Debian Jessie / sid
Posts: 1,258

Rep: Reputation: 385
Quote:
Originally Posted by slufoot80
OK, what I am trying to do is give a group of users the ability to only lock user accounts, without locking system accounts, the root account, or my account. How do I accomplish this?

Below is a copy of my /etc/sudoers; look at the line containing "jchander".

Code:
jchander        ALL=(root)       PASSWD: /usr/bin/passwd -l [a-z0-9]*, !/usr/bin/passwd -l root , !/usr/bin/passwd -l slufoot
You will want to build that ! (Not) list to include system accounts etc.

Better still, set specific accounts that they can lock instead of [a-z0-9]*.
 
Old 10-03-2013, 08:04 PM   #7
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5
Posts: 16,086

Rep: Reputation: 1995
For one specific box, Firerat's lists suggestion (either version) may make sense.
For a more general solution for use on multiple systems, I'd go with the 'write a script' suggestion above and just get it to check a cutoff uid value, e.g. on RHEL based systems, normal user accounts start at 500 (other systems start at uid 1000).
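
The wrapper-script approach suggested in posts #2 and #7, written out as an added example that is not part of the thread: sudoers grants only the wrapper, and the wrapper validates the name, a deny list and the UID cutoff before it calls passwd. The script path, the %lockers group, the deny-list entries and the allowed name characters are assumptions to adapt.

```shell
#!/bin/sh
# lock-user: run as root via sudo; sudoers grants only this script, not passwd.
# Assumed rule (group name and path are hypothetical):
#   %lockers ALL=(root) PASSWD: /usr/local/sbin/lock-user
LC_ALL=C; export LC_ALL        # make [a-z] mean ASCII letters only

MIN_UID=1000                   # cutoff from the thread; 500 on older RHEL-based systems
DENY_LIST="root fnowicki"      # never lockable, even with a UID above the cutoff
PASSWD_FILE=/etc/passwd        # local accounts only; LDAP/NIS would need getent
PASSWD_BIN=/usr/bin/passwd

# may_lock USER: return 0 if USER may be locked, else 2..5 with a reason on stderr.
may_lock() {
    user=$1
    # Strict syntax first: rejects empty names, option-like names, spaces and globs.
    case $user in
        ''|-*|*[!a-z0-9_-]*) echo "invalid user name" >&2; return 2 ;;
    esac
    for denied in $DENY_LIST; do
        if [ "$user" = "$denied" ]; then
            echo "$user is a protected account" >&2; return 3
        fi
    done
    # Exact match on field 1 of the passwd file, UID taken from field 3.
    uid=$(awk -F: -v u="$user" '$1 == u { print $3; exit }' "$PASSWD_FILE")
    case $uid in
        ''|*[!0-9]*) echo "no such local user: $user" >&2; return 4 ;;
    esac
    if [ "$uid" -lt "$MIN_UID" ]; then
        echo "$user is a system account (uid $uid)" >&2; return 5
    fi
    return 0
}

# lock_user USER: lock the account only after every check has passed.
lock_user() {
    if [ "$#" -ne 1 ]; then
        echo "usage: lock-user USERNAME" >&2; return 64
    fi
    may_lock "$1" || return $?
    "$PASSWD_BIN" -l "$1"
}

# Entry point: does nothing when run without arguments.
if [ "$#" -gt 0 ]; then
    lock_user "$@"
fi
```

Because the checks run inside the script, the sudoers entry needs no wildcards or negated commands, and the same file works on hosts with different account lists once MIN_UID is set.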
 
  

