[829] in linux-security and linux-alert archive

home help back first fref pref prev next nref lref last post

Re: [linux-security] sudo limiting

daemon@ATHENA.MIT.EDU (shaggenbunsenburner)
Thu Jun 20 11:52:31 1996

Date: Wed, 19 Jun 1996 22:38:09 -0400 (EDT)
From: shaggenbunsenburner <shagboy@thecia.net>
Reply-To: shagboy@thecia.net
To: Blue <blue@buttercup.cybernex.net>
cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <199606182119.RAA20576@buttercup.cybernex.net>

On Tue, 18 Jun 1996, Blue wrote:

> I was implementing user adding facilities for a small group whom still 
> should not have root access via sudo and realized that they could just 
> change the root password.  I am loathe to do it with a setuid program, 
> even though then I can run the username through a filter, due to the 
> probelms having a program like that can create.
> 
> Baring hacking passwd, or creating a restricted version of it, is there 
> any secure way around this delima?

I'd say hack /bin/passwd.  It's been setuid for ages and I'd say it's 
considered pretty secure.  It really, REALLY shouldn't be hard at all to 
make a /bin/sudo-passwd that disallows changes of the password for "root" 
or UID 0.

Hacking source doesn't strike me as fun, but this is a really, REALLY 
small hack, and you can get the source in the shadow package.  And this 
really looks like the best and easiest way to go.  I don't really have a 
need for it here, but maybe I'll do it anyway tho if someone will take a 
look at my code afterwards.

shag

Judd Bourgeois     | When we are planning for posterity,
shagboy@thecia.net | we ought to remember that virtue is
Finger for PGP key | not hereditary.        Thomas Paine


home help back first fref pref prev next nref lref last post