Lee W, MVP
asked on
Allow linux standard user to reset password for others
I need to grant a user SUDO rights to change OTHER people's passwords. I know SUDOERS can be more specific, but I've not been able to decipher the syntax.
Can someone help out? What would my line in the sudoers file be to allow passwd to be run, and ONLY passwd, as root?
I'll accept other ideas but keep in mind, user MUST be able to do this from the console (putty shell) on a CentOS system.
Thanks!
Far too dangerous in my opinion (as stated above, the root password can be changed).
In these cases, I just write a script, which runs scheduled every xx minutes.
It scans the home folder of everyone allowed, takes password.txt as input (which contains username and password), deletes the file.
Script executes the username password change (EXCEPT if it's root, or something else you want to exclude).
Follow noci's instructions to actually do this.
Pay attention to Kimputer's comment about why you shouldn't do this.
Handing off password change ability to a non super user... likely a bad idea...
Usually someone with root access will know when some seemingly minor message emitted during a password change means something is terribly wrong with the system.
I'm with Kimputer. Gives me the willies just thinking about giving password change ability to random/novice users.
Also other passwords can be changed, e.g. ones from services (if passwords are used for those; think transfer accounts with remote systems etc.)...
A generic mechanism would not be wise.
I would include all users for whom passwords may be changed in a separate group and run a script
(it can be queried using: getent group changable)
and allow only changes on those users' passwords.
(The script can be run from sudo to make things less complicated.)
This script can be used... I still don't really like it...
Save it as: /bin/chpswd
chmod 111 /bin/chpswd
(execute only, NO READ, NO WRITE)
then use the sudo line presented before, only change /bin/passwd to /bin/chpswd
btw, untested code...
#!/bin/bash
# chpswd: change the password of ONE user, and only if that user is a member
# of the group "changable" (the group suggested above). Meant to be run via sudo.
user=$1
group=changable

if [ -z "$user" ]; then
    echo "Usage: $0 username" >&2
    exit 1
fi

# Never touch root, even if someone adds it to the group by mistake.
if [ "$user" = "root" ] || [ "$(id -u "$user" 2>/dev/null)" = "0" ]; then
    echo "Cannot change password for $user" >&2
    exit 1
fi

# Membership check: the 4th field of "getent group" is the comma-separated
# member list; match the whole name (grep -x), not a substring.
members=$(getent group "$group" | cut -d: -f4)
if ! echo "$members" | tr ',' '\n' | grep -qx "$user"; then
    echo "Cannot change password for $user" >&2
    exit 1
fi

# Read the new password twice without echoing it; restore echo on any exit.
trap 'stty echo' EXIT
stty -echo
read -r -p "New password: " p1; echo
read -r -p "Verify password: " p2; echo
stty echo

if [ -z "$p1" ] || [ "$p1" != "$p2" ]; then
    echo "Passwords differ or are empty" >&2
    exit 1
fi

# --stdin is the Red Hat/CentOS passwd option that reads the new password
# from standard input (the question concerns CentOS).
printf '%s\n' "$p1" | passwd --stdin "$user"
ASKER
Thanks for the warnings, but in this case it's not an issue.
The user in question has the root password should she really need them/want to do something evil. This is to allow her to change things for users under her own account while minimizing the possibility that she does something "accidentally" that can cause more damage.
It's a good general point not to do this, but in this case, it's perfectly acceptable given our circumstances.
A bit disappointing you can't assign users to manage users similar to AD (apparently, given what I've read so far).
Under Unix there is only one management (one privileged user account) that has all rights.
That is the account with uid = 0, gid = 0, most commonly known as root.
To help in preventing users needing to know the root password for management, sudo was created.
(compare to Windows: runas)
There is no Admin group. The protection mechanism of Unix/Linux was established in the 1970s, the NT security system in the 1990s... with different rules.
BTW, when using SELinux, root can be left completely incapable of doing anything.
Then roles can be assigned for specific actions and roles can be assigned to users. SELinux is not exactly a piece of cake to handle.
W.r.t. logons one can use Kerberos (like AD does) or, when using ssh, certificates can be used, alleviating the need for passwords.
2FA can be implemented relatively easily...
Different platform, different rules.
This will allow any member of the group pwdusers to run the passwd program as root.
Note: the user CAN change the root password (on ALL hosts).
Then running sudo -u root /bin/passwd someuser
will change the password, after first requesting the user's own password.
For root, -u root can be omitted.
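As an added illustration of the two sudoers rules discussed in this thread (this is not noci's own line, which is not visible on this page), here are the broad rule that lets group members run passwd as root beside the narrower rule that only permits the /bin/chpswd wrapper. The group name pwdusers and the wrapper path come from the answers above; /usr/bin/passwd is an assumption (on CentOS 7 and later /bin is a symlink to /usr/bin, so /bin/passwd resolves to the same file). Use one rule or the other, not both.

```sudoers
## Added example; edit with "visudo -f /etc/sudoers.d/pwdusers" so the syntax is checked.

# Option A, broad rule (the one the thread warns about): every member of
# pwdusers may run passwd as root, with ANY argument, on all hosts. That
# includes "passwd root" and the passwords of service accounts.
%pwdusers ALL=(root) /usr/bin/passwd

# Option B, narrow rule: only the wrapper script may be run as root. The
# script itself refuses root and checks membership of the "changable" group,
# so the restriction does not rely on sudoers argument matching, which
# sudoers(5) notes is unreliable when built from "!" exclusions.
%pwdusers ALL=(root) /bin/chpswd

# The wrapper must be owned by root and not writable by anyone else, or
# Option B is no safer than Option A:
#   chown root:root /bin/chpswd
```

Because the sudo entry names a fixed command and the wrapper performs its own membership and root checks, a member of pwdusers who runs something other than /bin/chpswd (or asks it for root) is refused, and sudo logs the attempt to the normal auth log.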