Ubuntu Limit sudo user to password reset only
I would like to limit one of my sudo users to only be able to reset a user's password. I do not want them to have any other administrative privileges but that.
I know how to block certain access, but how would I block everything but passwd?
14.04 server sudo
Hmm... and what would stop them from resetting the password for root (or for any unrestricted sudoer) and thereby gaining unlimited privileges?
– steeldriver
yesterday
2
Possible duplicate of How to give permissions to specific command?
– Olorin
yesterday
@Olorin That would be a decisive NO! Kayenine is asking about giving a non-administrative user permissions to execute a very specific administrative all-powerful command that virtually allows for unlimited access to the system.
– BarBar1234
yesterday
@BarBar1234 "all-powerful command that virtually allows for unlimited access to the system" has been addressed already by steeldriver. The facts of the question still make it a duplicate, irrespective of what the command does.
– Olorin
yesterday
@Kayenine please take a look at the extra line I added to the script file that removes all control characters before they get passed to the chpasswd command.
– BarBar1234
23 hours ago
edited yesterday by MatsK
asked yesterday by Kayenine
1 Answer
First of all, if you are even considering restricting the admin privileges of any user, you should first do sudo gpasswd -d [username] sudo as soon as possible, because they have full access to the system until removed from sudo.

Now, there is a way to allow this type of task, but it is still very dangerous and problematic and can lead to disastrous situations.

Obviously you cannot allow this user to have unrestricted access to passwd, because then there will be nothing stopping him from passwd root. However, you still want to give him access to reset passwords of users not belonging to an administrative group. This is a strategy I can think of:

You have a power user named fakeboss that will be resetting passwords for users. You make him a special folder, let's call it /usr/local/fakeboss/, that only his group and sudo can access.

Root creates a basic user named user1, and a script called user1pw.sh that will have read and execute permission only, with:

    chmod 755 user1pw.sh

and puts it in /usr/local/fakeboss/. Inside the script root writes ($1 is the new password argument passed; I checked it quickly, and most piping of other commands either resulted in permission denied or changed user1's password to the piped string, but I would still need to double-check this part):

    #!/bin/bash
    # Strip control characters from the new password passed as $1
    filtered=$(printf '%s' "$1" | tr -d '[:cntrl:]')
    # chpasswd reads "user:password" records on stdin
    echo "user1:$filtered" | chpasswd
    echo "You just reset password for user1"

Then in /etc/sudoers root adds

    fakeboss ALL = NOPASSWD: /usr/local/fakeboss/user1pw.sh

as well as /usr/local/fakeboss/ to the secure_path line in /etc/sudoers. You top it off with an alias for fakeboss:

    alias user1pw='sudo /usr/local/fakeboss/user1pw.sh'

and they can now change user1's password to a new one they send as an argument with, let's say:

    user1pw IamYourBoss!

which will set user1's password to IamYourBoss!

This tactic can be implemented for all users chosen by root, and these users will be able to have their passwords unlocked by fakeboss. More importantly, fakeboss has no access to the password reset scripts, as they are unwritable, and has no passwd permissions nor any sudo permissions beyond these password reset scripts. One last thing I would add is certainly some serious logging mechanism, as well as perhaps a system message sent to root stating that user1 had their password reset at this and this time, for security and integrity.

I wrote this quickly and might have missed a detail or two, but this is certainly way safer than allowing a pseudo-sudo user unrestricted access to passwd.

Edit: Added input filtering.
edited 23 hours ago
answered yesterday by BarBar1234
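An added example, not part of the answer above: a single wrapper that takes the target account as its argument instead of one script per user, refuses root, privileged-group members and anything not on an allowlist (the concern steeldriver raises), reads the new password from stdin so it does not show up in the process list or in sudo's command log, and records every attempt with logger. The script name resetpw.sh, the allowlist path, the privileged-group list, the UID floor of 1000 and the logger tag are assumptions for illustration.

```shell
#!/bin/sh
# Added example (hypothetical /usr/local/fakeboss/resetpw.sh), owned by root, mode 0755.
# Assumed sudoers rule, edited with visudo:
#   fakeboss ALL = (root) NOPASSWD: /usr/local/fakeboss/resetpw.sh
# Usage: sudo /usr/local/fakeboss/resetpw.sh USERNAME   (new password read from stdin)
LC_ALL=C; export LC_ALL

# Assumed locations and policy values; adjust to the site.
ALLOWLIST="${ALLOWLIST:-/usr/local/fakeboss/resettable-users}"  # one name per line
PRIV_GROUPS="root sudo admin wheel"   # members of these are never resettable
MIN_UID=1000                          # system accounts sit below this on Ubuntu

# Account lookups kept in their own functions so they can be stubbed in tests.
lookup_uid()    { id -u  "$1" 2>/dev/null; }
lookup_groups() { id -Gn "$1" 2>/dev/null; }

# Succeeds only for an allowlisted, unprivileged, ordinary account name.
is_resettable() {
    target=$1
    # Reject empty names and anything outside [a-z0-9_-]; this blocks ':' and
    # newlines, which would otherwise add a second record to chpasswd's input.
    case $target in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;
    esac
    grep -Fxq -- "$target" "$ALLOWLIST" 2>/dev/null || return 1
    uid=$(lookup_uid "$target") || return 1
    [ "$uid" -ge "$MIN_UID" ] || return 1
    for g in $(lookup_groups "$target"); do
        case " $PRIV_GROUPS " in *" $g "*) return 1 ;; esac
    done
    return 0
}

# Succeeds only for a non-empty password with no control characters.
# Unlike the tr filter in the answer, bad input is rejected, not silently altered.
valid_password() {
    [ -n "$1" ] || return 1
    stripped=$(printf '%s' "$1" | tr -d '[:cntrl:]')
    [ "$stripped" = "$1" ]
}

main() {
    [ "$#" -eq 1 ] || { echo "usage: $0 USERNAME (new password on stdin)" >&2; return 2; }
    caller=${SUDO_USER:-unknown}
    safe_name=$(printf '%s' "$1" | tr -cd 'a-z0-9_-')   # used in log lines only
    if ! is_resettable "$1"; then
        logger -p auth.warning -t resetpw "DENIED: $caller tried to reset '$safe_name'"
        echo "refused: not a resettable account" >&2
        return 1
    fi
    IFS= read -r newpw || [ -n "$newpw" ] || return 1
    if ! valid_password "$newpw"; then
        echo "refused: password is empty or contains control characters" >&2
        return 1
    fi
    printf '%s:%s\n' "$1" "$newpw" | chpasswd || return 1
    logger -p auth.notice -t resetpw "password for '$1' reset by $caller"
    echo "Password for $1 has been reset"
}

# Run main only when arguments are given.
if [ "$#" -gt 0 ]; then
    main "$@"
    exit $?
fi
```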