Just how to offer a regular customer approval to transform origin password
If your system made use of pam_tcb (tcb - the alternative to /etc/shadow) (and also therefore there were customers' password documents per customer), you can additionally attain what you desire by taking care of documents approvals and also teams (claim, add this customer to the team that you make very own the password apply for origin).
In this instance, I do not see any kind of major distinctions in the outcomes as contrasted to the
sudo - remedy (if you prepare to trust fund
sudo, certainly), due to the fact that you are anyhow distributing the highest possible advantage to that customer.
Yet in various other instances,
pam_tcb offers extra adaptability and also security : first, you ought not to trust fund
sudo and also
passwd because they will not allow the customer manipulate the advantages in an undesirable means ; 2nd, much less advantages have to be provided to customers to attain particular comparable arrangements (and also no setUID - origin programs are required in all) - - see, as an example, the inquiry for a comparable point : Reset [another] user's password without root
If you do not rely on the proprietor of the origin account after that there is possibly no other way to stop that origin customer from eliminating this unique approval. If you do rely on the origin customer after that simply ask him for the existing password.
Can't he make use of run degree 1 to transform origin password?
What I desire is
- Set grub password to make sure that not every customer can transform the run degree at boot time.
- This password is provided to the regular customer that could require to transform origin password in future.
- Currently if demands emerge to transform the origin password, he can change grub parameters at boot time. Press 'a', offer grub password and afterwards offer 1, to make sure that equipment boots right into run degree 1.
- As soon as in run degree 1, he can transform origin password.
The noticeable negative aspect of this procedure is that equipment needs to be restarted and also while its in run degree 1, it will certainly be offline.
Kindly state the imperfections that you locate in this procedure.
Don't do that ... you can either provide origin's password or you can execute
sudo passwd root (this thinks that sudo is readied to make use of the customers password or no password, which passwd is a command that sudo has actually accredited to be run by that customer).
sudo is the swiss - military blade of tailored approvals. You can ask the customer
sudo /usr/bin/passwd root
To see just how this could be made it possible for, below's a relevant instance from the sudoers (5) manpage.
pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root The user pete is allowed to change anyone's password except for root on the HPPA machines. Note that this assumes passwd(1) does not take multiple usernames on the command line.
You'll need to invert the reasoning to attain your ends, certainly. So, you would certainly execute the
visudo, and also add a line like
user ALL = /usr/bin/passwd root
Maybe you can add this line to the sudoer documents (making use of
phunehehe with the username.
phunehehe localhost = NOPASSWD: /usr/bin/passwd
I do not recognize if that breaks your problem of a "regular customer", however, due to the fact that afterwards he/she has a lot power.
MODIFY : based on xenoterracide's comment :)