Re: [ProgSoc] passwd changing stuff
On Tue, Aug 28, 2001 at 12:29:52AM +1000, jedd wrote:
> On Mon, 27 Aug 2001 23:12, Justin Warren wrote:
> ] You can get everything except the random password string by
> ] using sudo. Check out the syntax of the sudoers file for
> ] details. You can force a user to change their password on
> ] their next login by using passwd, you know. Under Solaris it's
> ] the -f flag, under Debian it's -e.
>
> I'd considered sudo before, but from my understanding of sudo,
> it wouldn't be possible (at least not without generating very
> many custom scripts) to prevent anyone with sudo access to
> 'passwd', from resetting say the jedd or root accounts. Even by
> using the regex-ish stuff they've got, it concerns me that there'd
> be a way around that .. given the power of sudo. I really need a
> solid way of preventing the resetting of certain accounts' passwords.
If you set up your sudoers file carefully you can prevent people
from running unauthorised commands. To stop someone resetting a
password other than the ones they are supposed to, set up a command
list for given people as:
/usr/bin/passwd mylogin
/usr/bin/passwd fred
etc.
Use the full path to prevent someone writing a script and executing it
as root via ./passwd and make sure you put the argument in so they
can only execute one form of the command.
Go and read up on sudo and the format of the sudoers file. Then go and
experiment with it to see if it will do what you want. Then ask
targeted questions if you're still having problems.
> ] Why not use tcl/expect or perhaps perl? There's a front end
> ] to passwd in the original Camel book, from memory, which you
> ] could reuse some code from. That's if you're desperate to
> ] manually set passwords to generated strings.
>
> expect was looking like the best of a bad lot, but the need
> to install it on every machine as a pre-req for what I'd hoped
> would be a standalone utility .. discouraged me. I'll investigate
> it further now. I seem to recall hearing that passwd tried to
> subvert any automated front-ends to it, ostensibly in the name
> of security.
Damn straight. That's why there's that 3 or so second timeout when you
get your password wrong, so you can't just throw a dictionary attack at
passwd and brute force the machine. Not quickly, anyhow. There's nothing
'ostensible' about it.
You don't want to go writing custom code for expect or any other language
if stable and tested tools like sudo will do what you want. You may need
to think some more about what the precise nature of the problem is that
you're trying to solve. It's possible that a more elegant solution exists,
and it may not be purely technical.
Do yourself a favour and look into sudo in detail before you go off
attempting to reinvent the wheel. I mean you no disrespect, but it
sounds like you're not really up to speed on all the issues here so it
would be wise to spend some time reading and learning about them before
jumping to conclusions.
--
Justin Warren - Senior Consultant, Edion Pty Ltd
justin.warren@nospam.edion.com | http://www.edion.com
"Yes, but we're BOFHen. We're *expected* to horrify the punters daily and
twice on Thursdays."
-- adb in a.s.r
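An added example for the sudoers approach described in the reply above (it is not code from the original post, nor part of sudo itself): a small POSIX sh script that generates the per-account passwd rules the reply recommends, using the full path and one exact argument per line, and refuses to emit a rule for accounts that must never be reset that way. The group name "helpdesk", the protected accounts "root" and "jedd", the alias name RESET_PW and the /etc/sudoers.d install location are assumptions for illustration; on an older sudo without #includedir, append the generated lines to /etc/sudoers with visudo instead.

```sh
#!/bin/sh
# Added example, not part of the original post or of sudo itself: build a
# sudoers fragment that lets members of one group (assumed here: "helpdesk")
# run passwd only for an explicit list of accounts, and refuse to generate a
# rule for protected accounts (assumed here: root and jedd).
#
# Each generated line is "<full path> <one account>", so sudo matches only that
# exact argument list: "sudo passwd root", "sudo passwd -d fred" and
# "sudo ./passwd fred" all fall outside the rule.

PASSWD=/usr/bin/passwd          # full path, never a bare command name
PROTECTED="root jedd"           # accounts nobody may reset through this rule

# A name is acceptable only if it is a plain Unix login: lowercase letters,
# digits, '_' and '-', starting with a letter or '_'. This keeps option flags,
# spaces, wildcards and sudoers metacharacters out of the generated entry.
valid_name() {
    case $1 in
        ''|*[!a-z0-9_-]*|[!a-z_]*) return 1 ;;
    esac
    return 0
}

# Returns 0 if the account may appear in the rule, 1 otherwise.
allowed_account() {
    valid_name "$1" || return 1
    for p in $PROTECTED; do
        [ "$1" = "$p" ] && return 1
    done
    return 0
}

# gen_passwd_rules GROUP ACCOUNT... prints the sudoers fragment on stdout.
# Nothing is printed if any account is rejected, so a partial rule can never
# be installed by mistake.
gen_passwd_rules() {
    group=$1; shift
    for acct in "$@"; do
        allowed_account "$acct" || { echo "refusing to add rule for '$acct'" >&2; return 1; }
    done
    rules=''
    sep=''
    for acct in "$@"; do
        rules="$rules$sep$PASSWD $acct"
        sep=', '
    done
    printf 'Cmnd_Alias RESET_PW = %s\n' "$rules"
    printf '%%%s ALL = (root) RESET_PW\n' "$group"
}

# Usage (as root): write the fragment, syntax-check it with visudo, install it.
#   gen_passwd_rules helpdesk mylogin fred > /tmp/passwd-helpdesk
#   visudo -c -f /tmp/passwd-helpdesk \
#     && install -m 0440 /tmp/passwd-helpdesk /etc/sudoers.d/passwd-helpdesk
gen_passwd_rules helpdesk mylogin fred
```

The exclusion of root and jedd is enforced when the rule is generated rather than in sudoers, because sudoers can only say which argument strings are allowed: a wildcard such as `/usr/bin/passwd [a-z]*` would match `passwd root` just as happily, which is exactly the hole the question was about. An explicit allowlist of `passwd <account>` lines has no such gap, and `visudo -c -f` catches a malformed fragment before it is installed.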