Allow Normal User to Change Root Account Password

Digistras · 07-28-2014, 12:36 PM

Hi guys,

1st of all...I'm rather noob when it comes to Linux. I know this may not be what everyone loves to hear especially on the problem that I have so please do guide me and give me a chance to learn. (No trolls and haters please...) Now...moving on to the question proper.

My customer wants to use a normal user account to change root account password and ONLY this rights is to be give to this user account. Yes...I know is rather pointless and also the risks of giving that user account the right to change the root password and I have cautioned the risks to my customer. They told me that the normal user account is only accessed by a password management software which the software will SSH into the linux using the normal user account and change the root account password. Only administrators of the software have access to the software itself so the risks are kept minimal. Well, they are my customer so I will have to trust what they said and do what they want (afterall...is their infra).

There are 2 main reasons why my customer wants to grant the normal user account the right to change the root account password:

1. They are not comfortable in creating another uid=0 account, which is another root account

2. The password management software is only able to recognize the "passwd" command and not others (like "sudo passwd <username>" and etc...

I have tried in my own test linux lab logging in as a normal user and input this command: "passwd root" and it returned this error: "passwd: Only root can specify a user name."

Now, since the password management software only recognizes the "passwd" command, I like to know the following:

1. Is there really a way to let a normal use account to ONLY have the rights to change the root account?

2. If yes, is it done through editing the sudo file or is there any other method to achieve this?

3. How can I edit the sudo file so that the normal user account is able to change the root password just by executing the "passwd root" command or whatever command to achieve this?

If the answer to question 3 is yes, then I really hope that you guys can provide me the command or a step-by-step guide as I'm really a noob when it comes to linux but I need to get this done for the customer as it is really urgent.

I appreciate and thanks in advance for any help that is given to assist me on this and sorry for this long question. In the meantime, I will paste what I have in my sudo file here:

Code:

## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
## 
## This file must be edited with the 'visudo' command.

## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using 
## wildcards for entire domains) or IP addresses instead.
# Host_Alias     FILESERVERS = fs1, fs2
# Host_Alias     MAILSERVERS = smtp, smtp2

## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname 
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem


## Command Aliases
## These are groups of related commands...

## Networking
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig

## Updating the locate database
# Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp 

## Processes
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
# Cmnd_Alias DRIVERS = /sbin/modprobe

# Defaults specification

#
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear. 
#         You have to run "ssh -t hostname sudo <cmd>".
#
Defaults    requiretty

Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin

## Next comes the main part: which users can run what software on 
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
## 	user	MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere 
root	ALL=(ALL) 	ALL

## Allows members of the 'sys' group to run networking, software, 
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
%wheel	ALL=(ALL)	ALL

## Same thing without a password
# %wheel	ALL=(ALL)	NOPASSWD: ALL

## Allows members of the users group to mount and unmount the 
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d

szboardstretcher · 07-28-2014, 12:47 PM

Reading through this. Take that sudo config, and put it in some CODE tags to make it easier to read please.

IE: press edit, 'go advanced', select the config text, then click the # button that says 'wrap in code tags'.

Use an alias to trick the software into using 'sudo passwd'.. like this..

Code:

#log in as username
echo 'alias passwd="sudo passwd"' >> .bash_profile

That way when they SSH in and type passwd, it morphs to 'sudo passwd'

Then you can just add the correct permissions to sudoers and you are all set.

JeremyBoden · 07-28-2014, 01:04 PM

Pointless answer:-

Code:

sudo passwd

Will let you change the root password, provided your user is in the sudo group.

Minimally(?) better, you could run a SUID script to change the root password.

Anyway why not just signon as root if you want to change its password???????????????

Digistras · 07-28-2014, 01:08 PM

Thanks for the reply.

I don't really get what u mean by

IE: press edit, 'go advanced', select the config text, then click the # button that says 'wrap in code tags'.

Where do I add these lines to? Which file? The sudoers or sudo?

#log in as username
echo 'alias passwd="sudo passwd"' >> .bash_profile

sgosnell · 07-28-2014, 01:27 PM

The code tags are to be added to your post here. It makes reading long posts containing code, lists, etc easier to read.

For the second question, you can enter

Code:

echo 'alias passwd="sudo passwd"' >> .bash_profile

directly in a terminal. That will create a file named .bash_profile in the current directory, containing the line

Code:

'alias passwd="sudo passwd"'

Then after you restart the terminal, whenever it receives "passwd", it will automatically convert that to "sudo passwd". In this paragraph, code tags were used in two places, resulting in the different formatting.

Digistras · 07-28-2014, 02:16 PM

Hi,

I have entered

Code:

echo 'alias passwd="sudo passwd"' >> .bash_profile

as a root into a terminal window and rebooted. After that I log in using a normal user account and I entered

Code:

passwd root

but I still get the same error saying "passwd: Only root can specify a user name."

Besides entering the command in a terminal window, is there anything else do I need to do? Am I missing a step?

szboardstretcher · 07-28-2014, 02:28 PM

#Log in as root

Code:

Login: root

#Modify your /etc/sudoers file to allow your 'NON-ROOT USERNAME' to run 'passwd' to change the root password
#FIRST Change 'NON-ROOT USERNAME' to whatever your actual username is

Code:

echo 'Cmnd_Alias   PW      = /usr/bin/passwd [A-z]*' >> /etc/sudoers
echo 'NON-ROOT USERNAME    ALL     = (ALL) NOPASSWD: PW' >> /etc/sudoers

#Log in as your NON-ROOT USERNAME

Code:

Login: stan

#Make an alias for 'passwd' that will be 'sudo passwd'

Code:

echo 'alias passwd="sudo passwd"' >> .bashrc

#Log out

Code:

logout

#Log in as your NON-ROOT USERNAME

Code:

Login: stan

#Change roots password

Code:

passwd root

jefro · 07-28-2014, 03:15 PM

No matter how many times I read this I get. If a normal user has access to change root password then they are in every respect a root user.

It may be possible to have some encrypted file with a pre-made list of passwords that could be inserted but any user with access to root password is root.

szboardstretcher · 07-28-2014, 03:35 PM

Yeah, he's aware of it. But given whatever backward circumstances requires this, the above will work.

Quote:

My customer wants to use a normal user account to change root account password and ONLY this rights is to be give to this user account. Yes...I know is rather pointless and also the risks of giving that user account the right to change the root password and I have cautioned the risks to my customer. They told me that the normal user account is only accessed by a password management software which the software will SSH into the linux using the normal user account and change the root account password. Only administrators of the software have access to the software itself so the risks are kept minimal. Well, they are my customer so I will have to trust what they said and do what they want (afterall...is their infra).

jefro · 07-28-2014, 08:14 PM

I was saying that it might be possible to create a set of passwords that the customer doesn't know. I haven't exactly figured out how to get that to work but that was where I was going. Maybe a one time use deal or time based deal that some remote admin knows.

Maybe some autoexpect/expect script?

Maybe some crypt to change shadow file.

rknichols · 07-29-2014, 10:27 AM

Give that user a private "bin" directory and make sure it comes before the system directories in that user's PATH. In that directory, put an executable script named "passwd" containing:

Code:

#!/bin/sh
if [ $# = 1 -a "$1" = root ]; then
    sudo /usr/bin/passwd root
else
    /usr/bin/passwd "$@"
fi

Then edit /etc/sudoers to allow that specific command and argument to run without requiring a password.