Text written by Scott D. Yelich at 05:44 PM 3/23/99 -0700:
>
>So, this client owns their own isp.  They have root access.  They often
>type "passwd" without an account to change the password for one of
>their accounts -- yet they zap the root password.  Ignore my solution --
>how would you prevent this provided that the isp owner will not stop
>using the command and you don't want to write a wrapper for them around
>the root command (since it's not a single person who does this).

Around "the root command"? Personally, I'd write a wrapper around the
_passwd_ command, partly _because_ more than one person keeps making this
mistake.

My preferred wrapper would either prompt when called with no argument
("Change the password for the foobar account?"), or perhaps force the user
to specify an account no matter what ("You must provide an account name!").
However, another possibility would be to simply have the wrapper get the
real UID and pass that to passwd as an arg, thus changing the password on
the account the person su'd from. This means that only those who know how
to get around the wrapper can change the root password. (Of course, if they
routinely log in as root from the console, that wouldn't work.)

Either way, if your users keep screwing up with root power, some kind of
safeguards need to be put in place.

-----------------------------------------------------------------
                             Kai MacTane
                         System Administrator
                      Online Partners.com, Inc.
-----------------------------------------------------------------
From the Jargon File: (v4.0.0, 25 Jul 1996)

Godzillagram /god-zil'*-gram/ /n./ 

[from Japan's national hero] 1. A network packet that in theory is
a broadcast to every machine in the universe... Fortunately, few
gateways are foolish enough to attempt to implement this case!
2. A network packet of maximum size...
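
The three wrapper behaviours suggested in the reply above, as an added example that is not part of the original message. `REAL_PASSWD`, `PASSWD_MODE`, the function names, and the use of `logname` to find the account the person originally logged in as are all assumptions.

```shell
#!/bin/sh
# Added example: sketch of a passwd wrapper. REAL_PASSWD, PASSWD_MODE and
# the function names are assumptions, not taken from the original message.
REAL_PASSWD=${REAL_PASSWD:-/usr/bin/passwd}

# choose_account MODE LOGIN CURRENT [ACCOUNT]
#   MODE: require | prompt | login (policy for a bare "passwd")
#   LOGIN: original login name; CURRENT: name we run as (root after su)
# Prints the account to change on stdout; non-zero status means refuse.
choose_account() {
    mode=$1 login=$2 current=$3
    shift 3
    if [ "$#" -gt 1 ]; then
        echo "usage: passwd [account]" >&2; return 2
    fi
    if [ "$#" -eq 1 ]; then
        # Pass through one plain account name only, never option flags.
        case $1 in
            ''|-*) echo "passwd: not an account name: $1" >&2; return 2 ;;
        esac
        printf '%s\n' "$1"; return 0
    fi
    case $mode in
        require)
            echo "You must provide an account name!" >&2; return 1 ;;
        prompt)
            printf 'Change the password for the %s account? [y/N] ' "$current" >&2
            read -r answer || answer=
            case $answer in
                [Yy]*) printf '%s\n' "$current" ;;
                *) echo "passwd: nothing changed" >&2; return 1 ;;
            esac ;;
        login)
            # Fall back to the original login; refuse if that is root too.
            if [ -z "$login" ] || [ "$login" = root ]; then
                echo "passwd: no non-root login; give an account" >&2; return 1
            fi
            printf '%s\n' "$login" ;;
        *) echo "passwd: unknown mode: $mode" >&2; return 2 ;;
    esac
}

passwd_wrapper() {
    account=$(choose_account "${PASSWD_MODE:-require}" \
        "$(logname 2>/dev/null)" "$(id -un)" "$@") || return $?
    exec "$REAL_PASSWD" "$account"
}
# Act only when installed under the name "passwd" ahead of the real binary.
case ${0##*/} in passwd) passwd_wrapper "$@" ;; esac
```

In `login` mode a root login from the console has no non-root name to fall back on, so the wrapper refuses instead of changing root's password.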
