ianw1974 Posted July 6, 2006

What I'm wanting to do is have an account called "admin", that can do practically everything that root can, except, I don't want them to be able to reset the root account password :P

This is what I put in sudoers to make it easy for all commands to be run:

    admin ALL=(ALL) ALL

How can I modify to block from changing the root password? Of course, I still want them to do everything else, and reset other user passwords.

paul Posted July 6, 2006

    admin ALL=(ALL) ALL !/usr/bin/passwd root

ianw1974 Posted July 6, 2006

I tried that, keeps giving me an error when I try to save the file.

paul Posted July 6, 2006

Then I guess work the other way:

    admin ALL =(ALL) /bin/*

(not sure whether you can use wild cards)

ianw1974 Posted July 6, 2006

Actually, it just needed one extra thing:

    admin ALL=(ALL) ALL, !/usr/bin/passwd root

the most important bit being the comma. Now it works :P

ianw1974 Posted July 6, 2006

Oh, and also, don't forget to also add this to the end of the line:

    , !/usr/sbin/visudo

else they'll be able to edit the file and remove what you restricted. Also, any other file editor too.

neddie Posted July 6, 2006

Eek! But how would you stop them editing another file, and then mv'ing it to replace that one? Or doing a cat or echo and piping the output to that file? I don't think you're really going to be able to lock it down like that :unsure:

paul Posted July 6, 2006

I'm betting he doesn't have users on his system that think like you and I

ianw1974 Posted July 6, 2006

I probably have, and I've already tied down cat, vi, nano text editors. So even if they copy it away, they can't view it :P

I've been trying to use things like:

    $1 sudoers

but unfortunately that doesn't work. So I'm kinda thinking I either have to just give it up and not bother attempting to do it and just have the root account, or try and enable just for commands I think they need.

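The rule the thread arrives at (ALL followed by `!` exclusions) is the pattern the sudoers manual itself describes as generally not effective, which is the concern neddie raises. As an added example (not written by any poster in this thread), the Python audit below flags such rules so they can be replaced with an explicit list of allowed commands; the sample policy, the function name `audit_sudoers` and the simplified parsing (Runas specs and tags stripped by regex, no alias expansion) are assumptions.

```python
import re

# Constructed sample policy, not copied from a real system.
SAMPLE = r"""
# constructed sample
Defaults env_reset
admin   ALL=(ALL) ALL, !/usr/bin/passwd root, \
        !/usr/sbin/visudo
%wheel  ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) /usr/bin/rsync, /bin/tar
"""

SKIP = re.compile(r"^(#|Defaults|\w+_Alias\b)")   # comments, Defaults, alias definitions
SPEC = re.compile(r"^(\S+)\s+[^=]+=\s*(.+)$")     # who  hosts = command list

def audit_sudoers(text):
    """Classify each user spec as 'allowlist', 'unrestricted' or 'denylist-on-ALL'."""
    text = re.sub(r"\\\n\s*", " ", text)          # join continuation lines
    result = {}
    for line in map(str.strip, text.splitlines()):
        m = SPEC.match(line)
        if not line or SKIP.match(line) or not m:
            continue
        who, rest = m.groups()
        rest = re.sub(r"\([^)]*\)", "", rest)     # drop Runas specs (simplification)
        grants_all, negated = False, []
        for item in re.split(r"(?<!\\),", rest):  # split on unescaped commas
            # drop tags such as NOPASSWD: in front of the command
            item = re.sub(r"^(?:[A-Z_]+:\s*)+", "", item.strip())
            if item == "ALL":
                grants_all = True
            elif item.startswith("!"):
                negated.append(item[1:].strip())
        if grants_all and negated:
            result[who] = ("denylist-on-ALL", negated)  # exclusions give no real boundary
        elif grants_all:
            result[who] = ("unrestricted", [])
        else:
            result[who] = ("allowlist", [])
    return result

if __name__ == "__main__":
    for who, (kind, negated) in audit_sudoers(SAMPLE).items():
        print(f"{who:8} {kind:16} {', '.join(negated)}")
```

Entries reported as `denylist-on-ALL` should be treated as equivalent to full root access when reviewing a policy.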