LinuxQuestions.org

Thread: wants to provide sudo access (https://www.linuxquestions.org/questions/linux-desktop-74/wants-to-provide-sudo-access-4175478461/)

rajini23 09-25-2013 04:40 AM

wants to provide sudo access
 
Hi,

I want to provide sudo access for a user to reset only "passwords" for all the users on that server. I use a Redhat 5 server...

Firerat 09-25-2013 07:36 AM

in /etc/sudoers
Code:

<username> <Machine> = (root) /usr/bin/passwd
For example, yourself from any networked machine:

Code:

rajini23 ALL = (root) /usr/bin/passwd
More information can be found in the sudoers man page:
Code:

man sudoers

TB0ne 09-25-2013 09:24 AM

Quote:

Originally Posted by rajini23 (Post 5034411)
Hi,
I want to provide sudo access for a user to reset only "passwords" for all the users on that server. I use a Redhat 5 server...

You've been asking about sudo for over a year now:
http://www.linuxquestions.org/questi...do-4175414585/

Have you made no progress in your learning since your first question? And you do realize what you're asking for is pointless, right?? Because if you give a user you don't trust with OTHER root commands the ability to change root's password, you have essentially given them FULL ACCESS TO THE SYSTEM, whenever they want it. They can just run "sudo passwd root", put in a new password, then log in AS ROOT. From there, they can remove ALL traces of what they did, and do whatever they want...including editing the sudoers file, creating new root-level users, etc.

Firerat 09-25-2013 09:38 AM

good point

Code:

<username> <location> = (root) /usr/bin/passwd <username1>,/usr/bin/passwd <username2>,/usr/bin/passwd <username3>
restricts to three 'named' usernames

TB0ne 09-25-2013 10:03 AM

Quote:

Originally Posted by Firerat (Post 5034603)
good point
Code:

<username> <location> = (root) /usr/bin/passwd <username1>,/usr/bin/passwd <username2>,/usr/bin/passwd <username3>
restricts to three 'named' usernames

Yep...or you could do:
Code:

<user ID/alias> ALL=NOPASSWD: /usr/bin/passwd, !/usr/bin/passwd root
...which will let them change anyone ELSE'S password but root's. Still, though...horribly insecure, and if you don't trust the user to do other root functions, giving them ANY root privileges at all is risky.
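Firerat's list of named accounts and the negated rule above are two ways of limiting which passwd arguments sudo will accept. The sudoers manual warns that the "!" operator is generally not an effective way to subtract from what is otherwise allowed, and sudoers compares command arguments literally, so a rule that denies only the exact argument "root" is a denylist that has to anticipate every other way the target could be named, whereas a list of explicitly allowed arguments fails closed. The script below is an added example, not code from this thread or from the sudo project: it renders an allowlist-style drop-in for a hypothetical delegate account "helpdesk" from constructed passwd/group data (the file contents, the privileged group name "wheel", the UID cutoff of 1000 and the sample accounts are all assumptions for the demo) and syntax-checks the result with `visudo -c -f` when that tool is installed.

```shell
#!/bin/sh
# Added example (not from the thread): render a sudoers drop-in that lets a
# delegate run passwd only against an explicit allowlist of ordinary accounts.
# The allowlist is derived from passwd/group files. Left out: UID 0, system
# accounts (UID below MIN_UID), the nobody UID, members of the privileged
# group, accounts whose primary group is that group, accounts with a non-login
# shell, and the delegate themselves. The group name "wheel", MIN_UID and the
# sample data below are assumptions for the demo.

MIN_UID=1000

# Constructed sample data in /etc/passwd and /etc/group format.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
nobody:x:65534:65534:Nobody:/:/sbin/nologin
helpdesk:x:1000:1000:Help Desk:/home/helpdesk:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
admin:x:1003:1003:Admin:/home/admin:/bin/bash
svc-backup:x:1004:1004:Backup:/var/lib/backup:/sbin/nologin'

SAMPLE_GROUP='root:x:0:
wheel:x:10:admin
helpdesk:x:1000:
alice:x:1001:
bob:x:1002:
admin:x:1003:'

# target_accounts PASSWD_FILE GROUP_FILE PRIV_GROUP DELEGATE
# Prints one eligible account name per line.
target_accounts() {
  awk -F: -v priv="$3" -v me="$4" -v min_uid="$MIN_UID" '
    BEGIN { privgid = -1 }
    # First file (group): remember the privileged group id and its members.
    FNR == NR {
      if ($1 == priv) {
        privgid = $3
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") admins[m[i]] = 1
      }
      next
    }
    # Second file (passwd): apply the exclusions.
    $3 == 0 || $3 < min_uid || $3 == 65534 { next }
    $1 == me || ($1 in admins) || $4 == privgid { next }
    $7 ~ /(nologin|false)$/ { next }
    { print $1 }
  ' "$2" "$1"
}

# build_rule DELEGATE PASSWD_FILE GROUP_FILE
# Emits a Cmnd_Alias plus the user specification. Each entry fixes the whole
# argument list, so "sudo passwd alice" matches but "sudo passwd -l alice" or
# "sudo passwd root" do not: sudoers matches arguments literally.
build_rule() {
  alias_name="$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]' | tr -c 'A-Z0-9_' '_')_PASSWD"
  cmds=$(target_accounts "$2" "$3" wheel "$1" \
         | awk '{ printf "%s/usr/bin/passwd %s", (NR > 1 ? ", " : ""), $1 }')
  # Fail closed: an empty allowlist must not produce a rule at all.
  [ -n "$cmds" ] || { echo "no eligible accounts for $1" >&2; return 1; }
  printf 'Cmnd_Alias %s = %s\n' "$alias_name" "$cmds"
  printf '%s ALL = (root) %s\n' "$1" "$alias_name"
}

# Demo: write the samples, render the drop-in, and syntax-check it with visudo
# when the tool is present (-c = check only, -f = alternate file). In real use
# the checked file goes into /etc/sudoers.d/ with mode 0440.
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_PASSWD" > "$demo_dir/passwd"
printf '%s\n' "$SAMPLE_GROUP" > "$demo_dir/group"
build_rule helpdesk "$demo_dir/passwd" "$demo_dir/group" > "$demo_dir/helpdesk"
cat "$demo_dir/helpdesk"
if command -v visudo >/dev/null 2>&1; then
  chmod 0440 "$demo_dir/helpdesk"
  visudo -cf "$demo_dir/helpdesk" || echo "visudo rejected the drop-in" >&2
fi
rm -rf "$demo_dir"
```

With the sample data the drop-in grants `helpdesk` exactly two commands, `/usr/bin/passwd alice` and `/usr/bin/passwd bob`; root, the wheel member, the service account with a nologin shell and the delegate's own account never appear, and if the allowlist came out empty no rule would be written. Regenerate and re-check the file whenever accounts are added, since a new ordinary user is not covered until the alias is rebuilt.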

TobiSGD 09-25-2013 10:09 AM

Quote:

Originally Posted by TB0ne (Post 5034621)
Yep...or you could do:
Code:

<user ID/alias> ALL=NOPASSWD: /usr/bin/passwd, !/usr/bin/passwd root
...which will let them change anyone ELSE'S password but root's. Still, though...horribly insecure, and if you don't trust the user to do other root functions, giving them ANY root privileges at all is risky.

1. I don't see any reason to use the NOPASSWD option.
2. The whole point of using sudo is to give a user only some privileges that usually belong to root. May you please explain why this is horribly insecure?

TB0ne 09-25-2013 10:33 AM

Quote:

Originally Posted by TobiSGD (Post 5034626)
1. I don't see any reason to use the NOPASSWD option.

Well, that was the option I had in the example I posted. No real REASON to, and it's totally optional.
Quote:

2. The whole point of using sudo is to give a user only some privileges that usually belong to root. May you please explain why this is horribly insecure?
To me (and I'm fully prepared to admit I may be paranoid about such things), the problem is that the above setup will let the user change ANYONE'S password, except root's. If another user is in the sudoers file with more access, the user can now log in as THEM, get a root shell/run other commands, and have a field day. There may be other users set up as group 0 (I know...but it COULD happen), and the same applies.

I *NEVER* give sudo rights to ANYONE for ANYTHING, unless I know I can trust them on the system. It does create more work at times, but keeps me from having to undo damage and answer questions to auditors...I feel it's worth the tradeoff.

SAbhi 09-25-2013 11:46 AM

That's correct... the why and the what matter much more here than simply opting for a NOPASSWD option to change anyone else's password.

