ianw1974

Stopping sudoer user from changing root password


What I'm wanting to do is have an account called "admin", that can do practically everything that root can, except, I don't want them to be able to reset the root account password :P

 

This is what I put in sudoers to make it easy for all commands to be run:

 

admin ALL=(ALL) ALL

 

How can I modify it to block them from changing the root password? Of course, I still want them to do everything else, and reset other user passwords.


I tried that, keeps giving me an error when I try to save the file.


Then I guess work the other way

admin ALL =(ALL) /bin/* (not sure whether you can use wild cards)


Actually, it just needed one extra thing:

 

admin ALL=(ALL) ALL, !/usr/bin/passwd root

 

the most important bit being the comma. Now it works :P


Oh, and also, don't forget to also add this to the end of the line:

 

, !/usr/sbin/visudo

 

else they'll be able to edit the file and remove what you restricted. Also, any other file editor too.


Eek! But how would you stop them editing another file, and then mv'ing it to replace that one? Or doing a cat or echo and piping the output to that file? I don't think you're really going to be able to lock it down like that :unsure:


I'm betting he doesn't have users on his system that think like you and I :eyebrows:


I probably have, and I've already tied down cat, vi, nano text editors. So even if they copy it away, they can't view it :P

 

I've been trying to use things like:

 

$1 sudoers

 

but unfortunately that doesn't work. So I'm kinda thinking I either have to just give it up and not bother attempting to do it and just have the root account, or try and enable just for commands I think they need.
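
An added example, not part of the thread or written by any of its posters: a small sudoers audit that tells a rule subtracting commands from ALL (the approach tried above, which the sudoers manual itself calls generally not effective) apart from a rule that only lists what is allowed. The "helpdesk" user is hypothetical, its passwd pattern is modelled on the example in the sudoers manual, and the sample text is constructed.

```python
import re

# Constructed sample: the thread's rule, then an allowlist rule for a
# hypothetical "helpdesk" user (pattern modelled on the sudoers manual).
SAMPLE_SUDOERS = r"""
# deny-list on top of ALL, as posted in the thread
admin ALL=(ALL) ALL, !/usr/bin/passwd root, !/usr/sbin/visudo
# allowlist: password resets only, root excluded
helpdesk ALL=(root) /usr/bin/passwd [A-Za-z]*, \
    !/usr/bin/passwd *root*
"""

RULE = re.compile(r"^(?P<who>[^\s=]+)\s+[^=]+=\s*(?P<spec>.+)$")

def split_commands(spec):
    """Return (allowed, negated); aliases and escaped commas are not handled."""
    spec = re.sub(r"\([^)]*\)", "", spec)  # drop Runas specs such as (ALL)
    allowed, negated = [], []
    for item in spec.split(","):
        # drop leading tags such as NOPASSWD:
        item = re.sub(r"^\s*(?:[A-Z_]+:\s*)*", "", item).strip()
        if item.startswith("!"):
            negated.append(item[1:].strip())
        elif item:
            allowed.append(item)
    return allowed, negated

def audit(sudoers_text):
    """Classify each user rule as 'unrestricted', 'deny-list' or 'allowlist'."""
    findings = []
    text = re.sub(r"\\\n\s*", " ", sudoers_text)  # join continuation lines
    for line in text.splitlines():
        line = line.strip()
        m = RULE.match(line)
        if not m or line.startswith(("#", "Defaults")) or "_Alias" in line:
            continue
        allowed, negated = split_commands(m.group("spec"))
        if "ALL" in allowed:
            # Whatever is subtracted from ALL stays reachable through the
            # other permitted commands, so the negations protect nothing.
            verdict = "deny-list" if negated else "unrestricted"
        else:
            verdict = "allowlist"
        findings.append((m.group("who"), verdict, negated))
    return findings

if __name__ == "__main__":
    for who, verdict, negated in audit(SAMPLE_SUDOERS):
        print(f"{who}: {verdict} (negated: {negated})")
```

A "deny-list" verdict means the account should be treated as root-equivalent; an "allowlist" verdict only says the rule has the right shape, so each listed command still needs reviewing for how much it lets the user do.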
