Dear All,

For /usr/bin/upasswd :

#!/bin/sh

# Validate that a username was given as an argument
[ -n "$1" ] || {
    echo "Use: upasswd <username>" >&2
    exit 64
}

# Validate that the username wasn't "root"
[ "$1" != "root" ] || {
    echo "Can't set the root user's password" >&2
    exit 77
}

# Use -- to make sure that the "username" given wasn't just
# a switch that passwd would interpret.
# THIS ONLY WORKS ON GNU SYSTEMS.
passwd -- "$1"

For visudo :

SYSADM MH = (ALL) /usr/bin/upasswd

Notice * without the option after "/usr/bin/upasswd"...

So, the test result is okay now :

[EMAIL PROTECTED] bin]$ sudo upasswd
Use: upasswd <username>
[EMAIL PROTECTED] bin]$ sudo upasswd root
Can't set the root user's password
[EMAIL PROTECTED] bin]$ sudo upasswd edward
Changing password for user edward.
New UNIX password:

Many thanks for your help !

* This procedure is good for working on FC9...

Edward.

Russell Van Tassell wrote:

>On Tue, Nov 18, 2008 at 05:18:10PM -0800, Stephen Carville wrote:
>
>>>[Preventing root passwd change using sudo]
>>
>>In truth, Gordon Messmer's suggestion is probably more secure. The only
>>change I'd make would be to embed the sudo command in the script. Something
>>like.
>>
>>[...]
>>
>>Then give sudo permissions something like:
>>
>>SYSADM MH = (ALL) /usr/bin/passwd -- [A-z0-1]*
>
>Just "devil's advocate," caveat emptor, buyer beware and all that jazz...
>
>This still doesn't prevent people from doing things such as:
>
>/usr/bin/sudo /usr/bin/sh /usr/bin/passwd
>
>...or other similar "nasty" things (the list is quite huge). This also
>presumes, of course, that the "typical" sudoers file allows more than it
>prevents/excludes.
--
fedora-list mailing list
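Added example, not part of the original thread and not the script posted above: a stricter target check for a upasswd-style wrapper that refuses by numeric UID instead of by the literal name "root", and also rejects arguments that look like switches or name no account. The function name check_target, its optional passwd-file parameter, the exit code 67 and the sample accounts are assumptions made for this illustration; it reads a passwd-format file, so accounts served from other NSS sources are not covered.

```sh
#!/bin/sh
# check_target NAME [PASSWD_FILE]  (hypothetical helper, added example)
# Returns: 0 allowed, 64 usage error, 67 no such user, 77 refused.
check_target() {
    name=$1
    db=${2:-/etc/passwd}
    # Reject an empty argument or one that looks like a switch.
    case $name in
        ''|-*) echo "Use: upasswd <username>" >&2; return 64 ;;
    esac
    # Exact string match on the login name, then read the UID (field 3).
    uid=$(NAME="$name" awk -F: '($1 "") == (ENVIRON["NAME"] "") { print $3; exit }' "$db")
    [ -n "$uid" ] || { echo "No such user: $name" >&2; return 67; }
    # Refuse by UID, not by name: every UID 0 account is root-equivalent.
    # A non-numeric UID makes the test fail, so the check fails closed.
    [ "$uid" -ne 0 ] || { echo "Can't set the password of a UID 0 account" >&2; return 77; }
    return 0
}

# Constructed sample data for the demonstration (not from the thread).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second UID 0 account:/root:/bin/bash
edward:x:500:500::/home/edward:/bin/bash
EOF

for u in edward root toor nobody-here -l; do
    rc=0
    check_target "$u" "$SAMPLE" 2>/dev/null || rc=$?
    echo "$u -> exit $rc"
done

# In the wrapper itself the last two lines would be:
#   check_target "$1" || exit $?
#   exec passwd -- "$1"
```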