[TriLUG] 'sudo' access to passwd program
Frye, Matthew
Matthew.Frye at rexhealth.com
Tue Jan 13 15:21:01 EST 2004
Hello,
Here at the community college, I would like to give an instructor access to change student passwords on a server that's set aside for student use. However, if I give him 'sudo' access to the passwd command, he would be able to change the root password and my password, which I don't want. But I feel confident enough* to allow him to change any student password. Any ideas on how to do that without a complex script or program?
--Jeremy
* Yeah, maybe not the best idea, but I'll give it a try for a semester.
Jeremy,
Since you have a finite number of passwords that you don't want the instructor to have access to change, I suggest the following lines, which are identical to some in my /etc/sudoers (use visudo, of course) and work quite well for problem-child vendors. This file is from an AIX server, but the principles are the same for sudo.
# User alias specification
User_Alias VENDOR = badvendor           # Bad vendor, no!

# Cmnd alias specification
# Stuff that's not allowed (long entries continue with a trailing backslash)
Cmnd_Alias RESTART = /usr/sbin/reboot, /usr/sbin/shutdown, /usr/sbin/init, \
                     /etc/shutdown
Cmnd_Alias RESTART2 = /usr/sbin/killall, /usr/sbin/halt, /usr/sbin/sync
Cmnd_Alias SUDO = /usr/lib/sudo/visudo  # Don't forget this one!
Cmnd_Alias SMIT = /usr/bin/smit, /usr/bin/smitty, /bin/smit, /bin/smitty
Cmnd_Alias SU = /bin/su *
Cmnd_Alias SUR = /bin/su *root*
Cmnd_Alias VIS = /usr/bin/vi /etc/passwd, /usr/bin/vi *.conf, /usr/bin/vi *.cf, \
                 /usr/bin/vi *.cnf, /usr/bin/vi usercontrol
Cmnd_Alias ADMIN = /usr/bin/kill, /usr/bin/lppchk
Cmnd_Alias LPADMIN = /usr/bin/enable, /usr/bin/disable
#
# Each entry matches passwd with exactly that one argument. The "" entry
# matches passwd run with no argument at all, which as root would change
# root's own password and is not matched by "/bin/passwd root".
Cmnd_Alias PASSWD = /bin/passwd root, /bin/passwd operator, /bin/passwd mfrye, \
                    /bin/passwd ""
# Use this.
#
Cmnd_Alias MKUSER = /usr/bin/mkuser *
Cmnd_Alias CHUSER = /usr/bin/chuser *
Cmnd_Alias RMUSER = /usr/sbin/rmuser *

# Permitted stuff
# Runas_Alias

# User privilege specification
root    ALL=(ALL) ALL
# Everything, minus the aliases subtracted with '!'
VENDOR  ALL=ALL, !RESTART, !RESTART2, !ADMIN, !SUDO, !SUR, !SMIT, !VIS, \
        !RMUSER, !CHUSER, !PASSWD
mfrye   ALL=(ALL) ALL
Regards,
Matt Frye
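The rules below are an added example for Jeremy's instructor case, not from Matt's file or the original thread. They contrast the subtract-from-ALL approach above with a positive grant, and the account name "instructor", the student naming scheme stu#### and the admin account "jeremy" are assumptions for illustration. Two caveats from sudoers(5) drive the shape of the rules: subtracting commands from ALL with '!' is not a reliable boundary (the user can copy a binary under another name and run that), and wildcards match the whole concatenated argument string, so an open-ended pattern can admit extra words such as options placed after the user name.

```sudoers
# Added example (not the original poster's file): /etc/sudoers rules for an
# instructor who may change student passwords only. Edit with visudo.
# "instructor", the stu#### account scheme and "jeremy" are assumptions.

# Weak form, shown commented out: grant ALL and subtract. sudoers(5) warns
# that '!' against ALL is bypassable by copying a binary to another name,
# and "sudo passwd" with no argument (which changes root's own password)
# is not caught by "/usr/bin/passwd root" unless the "" case is listed.
#instructor ALL = ALL, !/usr/bin/passwd root

# Positive form: only passwd, only as root, only with one argument of
# fixed shape. A fixed-length [0-9][0-9][0-9][0-9] pattern leaves no room
# for a trailing option such as "stu0001 --expire", which an open-ended
# "stu*" would accept (GNU passwd allows options after the user name).
Cmnd_Alias STUDENT_PASSWD = /usr/bin/passwd stu[0-9][0-9][0-9][0-9]

# Belt and braces: the pattern above cannot match these, but listing them
# keeps a later widening of STUDENT_PASSWD from reaching privileged accounts
# or the no-argument form.
Cmnd_Alias PRIV_PASSWD = /usr/bin/passwd "", /usr/bin/passwd root, \
                         /usr/bin/passwd *root*, /usr/bin/passwd jeremy

instructor ALL = (root) STUDENT_PASSWD, !PRIV_PASSWD
```

After saving, `visudo -c` checks the syntax and `sudo -l -U instructor` (as root) prints exactly what the instructor may run; the expected result is that `sudo passwd stu0042` is allowed while `sudo passwd`, `sudo passwd root` and `sudo passwd stu0042 --expire` are all refused.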