prevent users from changing their password ?

sulekha · 07-17-2010, 04:45 AM

Hi all,

I use the following method for preventing the users from changing their passwords , is there any other method other than this ?

ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 37140 2010-01-26 12:09 /usr/bin/passwd

so we need to remove the suid for that command as follows :- chmod u-s /usr/bin/passwd

now normal users won't be able to change their own passwords - and only the root user will be able to do it for them.

unSpawn · 07-17-2010, 06:34 AM

On systems using PAM you could add a "pam_listfile.so" line to /etc/pam.d/passwd and configure the list it only allow or deny certain users to change their password. An upgrade of the package containing /usr/bin/passwd might reset the setuid bit. That change might escape your attention unless you monitor or regularly audit file permissions.

mlnutt · 07-17-2010, 08:34 AM

You could also move "passwd" to /root/bin.

unSpawn · 07-17-2010, 05:02 PM

Quote:

Originally Posted by mlnutt

You could also move "passwd" to /root/bin.

Nice idea but that's not a method in any book. Doing that will break usage for legitimate processes that doesn't have /root/bin in it's $PATH. Besides an update will place the binary back where it belongs.

syg00 · 07-17-2010, 05:16 PM

Might I ask why ?.
Every site I've been to enforce password changing - usually with quite particular rules and frequency.

wizman56 · 07-21-2010, 03:20 AM

Try setting the immutable bit on the /etc/passwd, /etc/shadow, /etc/gshadow files with the chattr command:
chattr +i /etc/shadow

To remove the immutable bit, use chattr -i

cantab · 07-23-2010, 08:32 AM

Just do chmod go-rx /usr/bin/passwd. That way users can't run the passwd program at all.
If you want some users to change their passwords, but not others, put those users in a group, make that the group associated with passwd, and set group permissions so group members can run it.

wizman56 · 07-24-2010, 06:39 AM

Perhaps you guys missed the subtlety of using chattr...

Once you have used chattr, the passwd command is still available...and it even looks, to the user, as if their password is changed...but the passwd program complains silently when they use passwd. No feedback results. they simply cant change their passwd, even the root user cannot, until chattr -i is issued.

Hope this helps you guys...

cantab · 07-24-2010, 07:27 AM

Quote:

Originally Posted by wizman56

and it even looks, to the user, as if their password is changed...No feedback results

I'd say that's a really bad idea. The last thing you want is someone thinking their password has been changed when it hasn't. You'll then have to field user complaints of "I changed my password but it didn't work" and so on. As well as the risk of a user changing their password because their old one had become known to others, and not realising the change had failed and then getting their account broken into.

vikas027 · 07-24-2010, 09:38 PM

I think you guys can also use ACL in this case

As root,

Code:

chmod 000 /usr/bin/passwd
setfacl -m u:777:root /usr/bin/passwd

or rather this would be best in my opinion

Code:

mv /usr/bin/passwd /sbin

Generally, normal user dont have /sbin in $PATH