1

I am adding sudo rules for L0 team wherein they will be able to change password for OS users.

BUT i dont want the L0 team to change root password using sudo How to do it

PS - !/usr/bin/passwd root - is not working

2 Answers 2

2

The only way I see a chance if your user authentication is done using classical /etc/shadow passwords:
Write your own passwd-alike program that only allows changing of passwords of non-root users, and only allow that (e.g. via sudo yourprogram). /etc/shadow is really not hard to parse or write.

Much more sensibly, if you have "teams", you probably have some form of centralized login mechanism (LDAP/Kerberos?), and then the LO team (whatever "L0" is) should not be using passwd at all, but interfacing directly with that system, which probably offers much finer access control.

2
  • L0 = Level 0, the front line for technical support Commented Mar 12, 2022 at 23:24
  • @roaima thanks! Commented Mar 12, 2022 at 23:32
1

As is usual with questions about sudo, the answer is "write a wrapper script, only allow that script to be run with sudo".

That is, write a script that checks its arguments to make sure that a username is supplied AND that the username isn't root (and/or other system accounts. Or perhaps check if the UID corresponding to that username is in the range allocated to normal users...typically 500+ or 1000+, depending on distro).

If it passes whatever validation checks you need, run passwd with the appropriate arguments. If not, abort with an error message, and maybe log the failed attempt.

Then, configure sudo to allow the users to run the script as root, but not passwd itself.

Since the script is being run as root, all programs run in the script (including passwd) will also be run as root.

And, because the script is run as root, you need to be especially careful about what you run in the script and how you run it. Quote your variables, don't trust user-supplied data (i.e. don't pass arguments directly to other programs without validating them - it is generally best to reject anything that isn't specifically allowed rather than accept everything that isn't specifically forbidden. There will be less loopholes that way). Keep the script short and simple and easy to understand & debug, it should do the minimum necessary to validate its input and get the job done.

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.