How to give a normal user permission to change the root password

Please do not ask why, but is it possible to do it?

p/s: I know it's not a good idea; let's just say someone from the top management who is computer illiterate wants some sort of control over the server.

2019-05-06 01:56:36
Answers: 7

If your system used pam_tcb (tcb, the alternative to /etc/shadow) (and hence there were per-user password files), you could also achieve what you want by managing file permissions and groups (say, add this user to the group that you make the owner of the password file for root).

In this case, I don't see any major differences in the results as compared to the sudo solution (if you are ready to trust sudo, of course), because you are anyway giving away the highest privilege to that user.

But in other cases, pam_tcb gives more flexibility and security: first, you need not trust sudo and passwd not to let the user manipulate the privileges in an undesired way; second, fewer privileges have to be given to users to achieve certain similar setups (and no setuid-root programs are needed at all); see, for example, the question for a similar thing: Reset [another] user's password without root.

2019-12-05 02:58:14

If you don't trust the owner of the root account then there is probably no way to prevent that root user from removing this special permission. If you do trust the root user then just ask him for the current password.

2019-05-12 08:10:58

If you trust that user enough to give him permission to change the root password, it should be safe to give him the current root password in the first place.

2019-05-10 18:55:47

Can't he use run level 1 to change the root password?

What I want is

  1. Set a grub password so that not every user can change the run level at boot time.
  2. This password is given to the normal user who might need to change the root password in future.
  3. Now if the need arises to change the root password, he can change the grub parameters at boot time. Press 'a', give the grub password and then give 1, so that the machine boots into run level 1.
  4. Once in run level 1, he can change the root password.

The obvious disadvantage of this procedure is that the machine needs to be rebooted, and while it's in run level 1 it will be offline.

Kindly point out the flaws that you find in this procedure.

2019-05-10 15:22:33

Don't do that... you can either give out root's password or you can run sudo passwd root (this assumes that sudo is set to use the user's own password or no password, and that passwd is a command that sudo has authorized that user to run).

2019-05-08 14:34:10

sudo is the swiss-army knife of customised permissions. You can ask the user to run

sudo /usr/bin/passwd root

To see how this could be enabled, here's a related example from the sudoers(5) manpage.

pete           HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root

The user pete is allowed to change anyone's password except for root on the 
HPPA machines.  Note that this assumes passwd(1) does not take multiple 
usernames on the command line.

You'll need to invert the logic to achieve your ends, of course. So, you would run visudo and add a line like

user ALL = /usr/bin/passwd root

to /etc/sudoers.

2019-05-08 13:40:21

Maybe you can add this line to the sudoers file (using visudo), replacing phunehehe with the username.

phunehehe localhost = NOPASSWD: /usr/bin/passwd

I don't know if that violates your condition of a "normal user", though, because after that he/she has a lot of power.

EDIT: as per xenoterracide's comment :)

2019-05-08 13:35:28
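An added example, not code from any of the answers above or from the sudo project: a simplified Python model of how sudo evaluates the three sudoers lines quoted in the last two answers. It assumes the matching rules documented in sudoers(5), namely that every matching entry is considered and the last match wins, and that argument patterns are globbed against the whole argument string; aliases, Runas specs and multi-tag entries are left out, and the host names and user names in the test cases are constructed. It makes the manpage caveat concrete: the `!/usr/bin/passwd root` exception does not stop `passwd alice root`, and the NOPASSWD line lets phunehehe reset any account, root included.

```python
import fnmatch

# The sudoers lines quoted in the answers above (constructed sample set).
SUDOERS_LINES = [
    "pete           HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root",
    "user ALL = /usr/bin/passwd root",
    "phunehehe localhost = NOPASSWD: /usr/bin/passwd",
]


def parse_rule(line):
    """Parse one 'user host = [NOPASSWD:] cmd [args], !cmd [args]' line.

    Simplified model: one optional NOPASSWD: tag per entry, no aliases,
    no Runas specs, no comments and no line continuations.
    """
    left, right = line.split("=", 1)
    user, host = left.split()
    specs = []
    for entry in right.split(","):
        entry = entry.strip()
        nopasswd = entry.startswith("NOPASSWD:")
        if nopasswd:
            entry = entry[len("NOPASSWD:"):].strip()
        negated = entry.startswith("!")
        if negated:
            entry = entry[1:].strip()
        parts = entry.split(None, 1)
        cmd = parts[0]
        args = parts[1] if len(parts) > 1 else None  # None: any arguments
        specs.append((negated, nopasswd, cmd, args))
    return {"user": user, "host": host, "specs": specs}


def evaluate(lines, user, host, command, argv):
    """Return 'deny', 'allow' or 'allow-nopasswd' for one invocation.

    Every matching entry is applied in order and the last match wins, as
    sudo does.  Argument patterns are matched against the joined argument
    string with fnmatch-style globbing (assumed model of sudo's fnmatch(3)
    use), which is why '[A-Za-z]*' also matches 'alice root'.
    """
    argstr = " ".join(argv)
    decision = "deny"
    for line in lines:
        rule = parse_rule(line)
        if rule["user"] != user or rule["host"] not in ("ALL", host):
            continue
        for negated, nopasswd, cmd, args in rule["specs"]:
            if cmd != "ALL" and cmd != command:
                continue
            if args is not None and not fnmatch.fnmatchcase(argstr, args):
                continue
            if negated:
                decision = "deny"
            else:
                decision = "allow-nopasswd" if nopasswd else "allow"
    return decision


def main():
    # Constructed invocations; "alice", "somehost" and "x86" are placeholders.
    cases = [
        ("pete", "HPPA", ["alice"]),          # allow
        ("pete", "HPPA", ["root"]),           # deny: the ! entry wins last
        ("pete", "HPPA", ["alice", "root"]),  # allow: the manpage caveat
        ("pete", "x86", ["alice"]),           # deny: wrong host
        ("user", "somehost", ["root"]),       # allow: the inverted rule
        ("user", "somehost", ["alice"]),      # deny
        ("phunehehe", "localhost", ["root"]), # allow-nopasswd: any argument
    ]
    for who, host, argv in cases:
        verdict = evaluate(SUDOERS_LINES, who, host, "/usr/bin/passwd", argv)
        print(f"{who}@{host}: sudo /usr/bin/passwd {' '.join(argv)} -> {verdict}")


if __name__ == "__main__":
    main()
```

On a real system the authoritative checks are `visudo -c` for syntax and `sudo -l -U username` for the privileges a given user actually has; the point of the model is only to show why a deny-by-exception rule such as pete's is weaker than an allow-only rule such as `user ALL = /usr/bin/passwd root`.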