Root access that can't change root password?


 
Thread Tools Search this Thread
Operating Systems Linux Ubuntu Root access that can't change root password?
# 1  
Old 12-15-2013
Root access that can't change root password?

We are having a little problem on a server. We want that some users should be able to do e.g. sudo and become root, but with the restriction that the user can't change root password. That is, a guarantee that we still can login to that server and become root no matter of what the other users will do.

Is that possible?
(Linux 3.2.0-57-generic #87-Ubuntu SMP)
# 2  
Old 12-15-2013
One way to do it is to disable "su" and "passwd" access in sudoers, for example like this:
Code:
user ALL=(ALL) ALL, !/usr/bin/passwd, !/usr/bin/su

Then tell user to run the commands that he needs executed as root by prefixing them with "sudo".

It will not prohibit manually editing the /etc/shadow file though...
# 3  
Old 12-16-2013
.... or editing the /etc/sudoers file and the user can take off the restrictions again.


How about you ask exactly what is needed and only permit that with sudo rules. Be sure not to allow access to anything that the user can escape from, e.g. by giving vi, then user can probably :sh to get to a command prompt as the executing user.

Other things sudo as ftp can also be used to run local shell commands too. You have to be very careful.

Perhaps there is a need for not giving root access to the user. Ask what needs to be done, get it scripted and tested, then make the script Read-Only to them, but have it owned by root and set the SUID flag with:-
Code:
chown root:group yourscript
chmod 4750 yourscript

Make sure that the world cannot execute the script and set the group to be a restricted as you can. perhaps even create a group for just this use.



i hope that this helps or at least gives you something to consider.


Robin
Liverpool/Blackburn
UK
Login or Register to Ask a Question

Previous Thread | Next Thread

9 More Discussions You Might Find Interesting

1. UNIX for Beginners Questions & Answers

Can a root role change the root password in Solaris 10?

i do not have root on a solairs 10 server , however i do have the root role, i was wondering if I can change the root password as a a role with the passwd command? I have not tried yet. and do i have to use the # chgkey -p afterwards? i need to patch is why i am asking. thanks (1 Reply)
Discussion started by: goya
1 Replies

2. UNIX for Advanced & Expert Users

One user to su to another without allowing root access and password

Hello Gurus, I want One user to su to another without allowing root access and password. I want to run a specific command as below from user am663: --------------------------------------------------------- sudo -u appsprj4 /home/appsrj4/scripts/start_apache.sh ------------------- But... (6 Replies)
Discussion started by: pokhraj_d
6 Replies

3. Solaris

Solaris 8 - Asks for current root password when trying to change root password.

Hello All, I have several solaris boxes running Solaris 8. When changing root passwords on them, all will simply ask for the new root password to change and of course to re-type the new password. One of the systems however asks for the existing root password before it will display the new password... (8 Replies)
Discussion started by: tferrazz
8 Replies

4. Shell Programming and Scripting

how to change root password using shell script with standard password

Hi Friends. I am new to scripting now i want to change the root password using the script with standard password. which is the easy scripting to learn for the beginner, Thanks in advance. (2 Replies)
Discussion started by: kurva
2 Replies

5. HP-UX

How to change ROOT password.

Hi, we have a HP-UX server of model 9000/800/rp4440. We have been trying to reset the root password but are in vain.I used the following command and also are the outputs which i have received. # passwd Changing password for root New password: Re-enter new password: Unexpected failure.... (3 Replies)
Discussion started by: angelofhell
3 Replies

6. HP-UX

Change root password?

Hello! I forget the root password and I need to change it. I've read others threads about it in this forum, but it seems it's necessary to modify /etc/passwd file. In my HPUX Systems this passwd file have only "read" permissions ant its owner is the root user, so how can i modify this file, if I... (4 Replies)
Discussion started by: kaugrs
4 Replies

7. UNIX for Dummies Questions & Answers

Change other account password from root access

Hi, I have forgotten my personal account password but I still have the root access to the box. Please tell me how can I change my other account password by logging as root. Thanks. Rakesh :D (4 Replies)
Discussion started by: rakeshou
4 Replies

8. Solaris

change root password

Hi, please advise me what is the simplest way to change root password on Sun Sparc 64 bit with Solaris 9 on it. Thanks in advance. (3 Replies)
Discussion started by: duke0001
3 Replies

9. Linux

how to access root priveliges if root password is lost

wish to know how to access root password it root password is forgotten in linux (1 Reply)
Discussion started by: wojtyla
1 Replies
Login or Register to Ask a Question