Old 07-28-2014, 01:36 PM   #1
Digistras
LQ Newbie
 
Registered: Jul 2014
Posts: 5

Rep: Reputation: Disabled
Allow Normal User to Change Root Account Password


Hi guys,

1st of all...I'm rather a noob when it comes to Linux. I know this may not be what everyone loves to hear, especially on the problem that I have, so please do guide me and give me a chance to learn. (No trolls and haters please...) Now...moving on to the question proper.

My customer wants to use a normal user account to change the root account password, and ONLY this right is to be given to this user account. Yes...I know it is rather pointless and I also know the risks of giving that user account the right to change the root password, and I have cautioned my customer about the risks. They told me that the normal user account is only accessed by password management software, which will SSH into the Linux machine using the normal user account and change the root account password. Only administrators of the software have access to the software itself, so the risks are kept minimal. Well, they are my customer so I will have to trust what they said and do what they want (after all...it is their infra).

There are 2 main reasons why my customer wants to grant the normal user account the right to change the root account password:

1. They are not comfortable in creating another uid=0 account, which is another root account

2. The password management software is only able to recognize the "passwd" command and not others (like "sudo passwd <username>", etc.)

I have tried in my own test Linux lab logging in as a normal user and entering this command: "passwd root", and it returned this error: "passwd: Only root can specify a user name."

Now, since the password management software only recognizes the "passwd" command, I would like to know the following:

1. Is there really a way to let a normal user account ONLY have the rights to change the root account?

2. If yes, is it done through editing the sudo file or is there any other method to achieve this?

3. How can I edit the sudo file so that the normal user account is able to change the root password just by executing the "passwd root" command or whatever command to achieve this?

If the answer to question 3 is yes, then I really hope that you guys can provide me the command or a step-by-step guide, as I'm really a noob when it comes to Linux but I need to get this done for the customer as it is really urgent.

I appreciate and thank you in advance for any help that is given to assist me on this, and sorry for this long question. In the meantime, I will paste what I have in my sudo file here:

Code:
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
## 
## This file must be edited with the 'visudo' command.

## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using 
## wildcards for entire domains) or IP addresses instead.
# Host_Alias     FILESERVERS = fs1, fs2
# Host_Alias     MAILSERVERS = smtp, smtp2

## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname 
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem


## Command Aliases
## These are groups of related commands...

## Networking
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig

## Updating the locate database
# Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp 

## Processes
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
# Cmnd_Alias DRIVERS = /sbin/modprobe

# Defaults specification

#
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear. 
#         You have to run "ssh -t hostname sudo <cmd>".
#
Defaults    requiretty

Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin

## Next comes the main part: which users can run what software on 
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
## 	user	MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere 
root	ALL=(ALL) 	ALL

## Allows members of the 'sys' group to run networking, software, 
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
%wheel	ALL=(ALL)	ALL

## Same thing without a password
# %wheel	ALL=(ALL)	NOPASSWD: ALL

## Allows members of the users group to mount and unmount the 
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d

Last edited by Digistras; 07-28-2014 at 03:17 PM. Reason: Wrap code
 
Old 07-28-2014, 01:47 PM   #2
szboardstretcher
Senior Member
 
Registered: Aug 2006
Location: Detroit, MI
Distribution: GNU/Linux systemd
Posts: 4,211

Rep: Reputation: 1612
Reading through this. Take that sudo config, and put it in some CODE tags to make it easier to read please.

IE: press edit, 'go advanced', select the config text, then click the # button that says 'wrap in code tags'.

Use an alias to trick the software into using 'sudo passwd'.. like this..

Code:
#log in as username
echo 'alias passwd="sudo passwd"' >> .bash_profile
That way when they SSH in and type passwd, it morphs to 'sudo passwd'

Then you can just add the correct permissions to sudoers and you are all set.

Last edited by szboardstretcher; 07-28-2014 at 01:53 PM.
 
Old 07-28-2014, 02:04 PM   #3
JeremyBoden
Senior Member
 
Registered: Nov 2011
Distribution: Debian
Posts: 1,183

Rep: Reputation: 243
Pointless answer:-
Code:
sudo passwd
Will let you change the root password, provided your user is in the sudo group.

Minimally(?) better, you could run a SUID script to change the root password.

Anyway why not just signon as root if you want to change its password???????????????
 
Old 07-28-2014, 02:08 PM   #4
Digistras
LQ Newbie
 
Registered: Jul 2014
Posts: 5

Original Poster
Rep: Reputation: Disabled
Thanks for the reply.

I don't really get what you mean by

IE: press edit, 'go advanced', select the config text, then click the # button that says 'wrap in code tags'.


Where do I add these lines to? Which file? The sudoers or sudo?

#log in as username
echo 'alias passwd="sudo passwd"' >> .bash_profile
 
Old 07-28-2014, 02:27 PM   #5
sgosnell
Senior Member
 
Registered: Jan 2008
Location: Baja Oklahoma
Distribution: Debian
Posts: 1,054

Rep: Reputation: 279
The code tags are to be added to your post here. They make long posts containing code, lists, etc. easier to read.

For the second question, you can enter
Code:
echo 'alias passwd="sudo passwd"' >> .bash_profile
directly in a terminal. That will create a file named .bash_profile in the current directory, containing the line
Code:
alias passwd="sudo passwd"
Then after you restart the terminal, whenever it receives "passwd", it will automatically convert that to "sudo passwd". In this paragraph, code tags were used in two places, resulting in the different formatting.
 
Old 07-28-2014, 03:16 PM   #6
Digistras
LQ Newbie
 
Registered: Jul 2014
Posts: 5

Original Poster
Rep: Reputation: Disabled
Hi,

I have entered

Code:
echo 'alias passwd="sudo passwd"' >> .bash_profile
as root in a terminal window and rebooted. After that I logged in using a normal user account and I entered

Code:
passwd root
but I still get the same error saying "passwd: Only root can specify a user name."

Besides entering the command in a terminal window, is there anything else I need to do? Am I missing a step?
 
Old 07-28-2014, 03:28 PM   #7
szboardstretcher
Senior Member
 
Registered: Aug 2006
Location: Detroit, MI
Distribution: GNU/Linux systemd
Posts: 4,211

Rep: Reputation: 1612
  • #Log in as root
Code:
Login: root
  • #Modify your /etc/sudoers file to allow your 'NON-ROOT USERNAME' to run 'passwd' to change the root password
  • #FIRST Change 'NON-ROOT USERNAME' to whatever your actual username is
Code:
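# Match only "passwd root"; a wildcard such as [A-z]* would also allow other accounts and extra arguments
echo 'Cmnd_Alias   PW      = /usr/bin/passwd root' >> /etc/sudoers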
echo 'NON-ROOT USERNAME    ALL     = (ALL) NOPASSWD: PW' >> /etc/sudoers
  • #Log in as your NON-ROOT USERNAME
Code:
Login: stan
  • #Make an alias for 'passwd' that will be 'sudo passwd'
Code:
echo 'alias passwd="sudo passwd"' >> .bashrc
  • #Log out
Code:
logout
  • #Log in as your NON-ROOT USERNAME
Code:
Login: stan
  • #Change roots password
Code:
passwd root

Last edited by szboardstretcher; 07-28-2014 at 03:40 PM.
 
Old 07-28-2014, 04:15 PM   #8
jefro
Moderator
 
Registered: Mar 2008
Posts: 17,101

Rep: Reputation: 2552
No matter how many times I read this I get: if a normal user has access to change root password then they are in every respect a root user.

It may be possible to have some encrypted file with a pre-made list of passwords that could be inserted but any user with access to root password is root.

Last edited by jefro; 07-28-2014 at 04:16 PM.
 
Old 07-28-2014, 04:35 PM   #9
szboardstretcher
Senior Member
 
Registered: Aug 2006
Location: Detroit, MI
Distribution: GNU/Linux systemd
Posts: 4,211

Rep: Reputation: 1612
Yeah, he's aware of it. But given whatever backward circumstances require this, the above will work.

Quote:
My customer wants to use a normal user account to change the root account password, and ONLY this right is to be given to this user account. Yes...I know it is rather pointless and I also know the risks of giving that user account the right to change the root password, and I have cautioned my customer about the risks. They told me that the normal user account is only accessed by password management software, which will SSH into the Linux machine using the normal user account and change the root account password. Only administrators of the software have access to the software itself, so the risks are kept minimal. Well, they are my customer so I will have to trust what they said and do what they want (after all...it is their infra).
 
Old 07-28-2014, 09:14 PM   #10
jefro
Moderator
 
Registered: Mar 2008
Posts: 17,101

Rep: Reputation: 2552
I was saying that it might be possible to create a set of passwords that the customer doesn't know. I haven't exactly figured out how to get that to work but that was where I was going. Maybe a one time use deal or time based deal that some remote admin knows.

Maybe some autoexpect/expect script?

Maybe some crypt to change shadow file.

Last edited by jefro; 07-28-2014 at 09:17 PM.
 
Old 07-29-2014, 11:27 AM   #11
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: CentOS
Posts: 3,585

Rep: Reputation: 1569
Give that user a private "bin" directory and make sure it comes before the system directories in that user's PATH. In that directory, put an executable script named "passwd" containing:
Code:
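#!/bin/sh
# Only the exact invocation "passwd root" is routed through sudo
if [ "$#" -eq 1 ] && [ "$1" = root ]; then
    sudo /usr/bin/passwd root
else
    # Everything else goes to the real passwd, unprivileged
    /usr/bin/passwd "$@"
fi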
Then edit /etc/sudoers to allow that specific command and argument to run without requiring a password.

Last edited by rknichols; 07-29-2014 at 11:34 AM.
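
An added example, not part of rknichols's post or anyone else's in the thread: one way to create the sudoers entry that the last sentence above calls for, as a drop-in under /etc/sudoers.d (the sudoers file posted earlier reads that directory), syntax-checked with visudo before it is moved into place. The account name pwmgr used when calling it and the drop-in file name are assumptions.

```shell
#!/bin/sh
# Added example: sudoers drop-in limiting one account to exactly "passwd root".
# The drop-in file name "<user>-passwd-root" is an assumption, not from the thread.
LC_ALL=C; export LC_ALL      # make the a-z ranges below plain ASCII

PASSWD_BIN=/usr/bin/passwd   # path used in the thread's posts

# Accept only conservative account names so a name cannot inject sudoers
# syntax. A placeholder such as "NON-ROOT USERNAME" is rejected.
valid_user() {
    case "$1" in
        ''|*[!a-z0-9_-]*|[!a-z_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the rule. The argument is the literal word "root", so
# "passwd alice" or "passwd root --stdin" do not match it.
render_rule() {
    valid_user "$1" || { echo "invalid user name: $1" >&2; return 1; }
    printf '%s\n' "$1 ALL = (root) NOPASSWD: $PASSWD_BIN root"
}

# Write the rule to a temp file, check its syntax, then move it into place.
# $1 = account name, $2 = target directory (default /etc/sudoers.d).
install_rule() {
    dir=${2:-/etc/sudoers.d}
    command -v visudo >/dev/null 2>&1 || { echo "visudo not found" >&2; return 1; }
    tmp=$(mktemp) || return 1
    if render_rule "$1" > "$tmp" && visudo -cf "$tmp" >/dev/null; then
        # sudo expects drop-ins to be read-only; names containing "." are skipped
        chmod 0440 "$tmp" && mv "$tmp" "$dir/$1-passwd-root"
    else
        rm -f "$tmp"
        return 1
    fi
}
```

Run as root, `install_rule pwmgr` writes /etc/sudoers.d/pwmgr-passwd-root; `sudo -l -U pwmgr` then lists what that account may run.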
 
  

