UNIX for Advanced & Expert Users

I knew it would happen sooner or later....

We have a requirement that specific individuals need "sudo root" authority. I knew it only a matter of time before someone decided to change the root password (at least they owned up to it).

Now the question is how can I grant all rights except execution of passwd root? I've tried entering the following line in my sudoers file but it didn't seem to make much difference.

GRP_IDS ALL = (ALL) !/usr/bin/passwd *root*, ALL

Thanks

doesn't sudo provide for a facility to have command sets that you can enable for each user? if the individuals in question should not have the full range of root commands, you can specify a command set that they can run which would exclude any password-related commands ...

however, if those people really need that functionality (i.e., help desk password reset of user accounts) --- you might be better off having them run a specific password change script which takes a user account name as an argument and errors out if root is specified ... to better track "hanky-panky," also have the script send out an email to root when such incidents happen ...

From the sudoers man page: "Since the sudoers file is parsed in a single pass, order is important." Put the no-root-password entry after the all entry. They contradict each other. Last one wins.

I know I come late to the party, but I have two questions :

Do these 'requirements' specify which commands, exactly, these folks need to execute as 'root' ? If not, WHY not ?

Why would a user on your machine (or server) need to set anyone elses password ? Sometimes it *may* be necessary, but granting access to the 'passwd' program scares me a little.

I m not sure but does the chacl on the passwd program not help here.

chacl gives r and/or w and/or x permissions to selected users and/or groups.

So using root you set the acl to the passwd program once to include the users you want to have access to this program and that should be it.