Ubuntu Limit sudo user to password reset only












1















I would like to limit one of my sudo users to only be able to reset a users password. I do not want them to have any other administrative privileges but that.



I know how to block certain access, but how would I block everything but passwd.










share|improve this question









New contributor




Kayenine is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





















  • Hmm... and what would stop them from resetting the password for root (or for any unrestricted sudoer) and thereby gaining unlimited privileges?

    – steeldriver
    yesterday






  • 2





    Possible duplicate of How to give permissions to specific command?

    – Olorin
    yesterday











  • @Olorin That would be a decisive NO! Kayenine is asking about giving a non-administrative user permissions to execute a very specific administrative all-powerful command that virtually allows for unlimited access to the system.

    – BarBar1234
    yesterday











  • @BarBar1234 "all-powerful command that virtually allows for unlimited access to the system" has been addressed already by steeldriver. The facts of the question still make it a duplicate, irrespective of what the command does.

    – Olorin
    yesterday











  • @Kayenine please take a look at the extra line I added to the script file that removes all control characters before they get passed to the chpasswd command.

    – BarBar1234
    23 hours ago
















1















I would like to limit one of my sudo users to only be able to reset a users password. I do not want them to have any other administrative privileges but that.



I know how to block certain access, but how would I block everything but passwd.










share|improve this question









New contributor




Kayenine is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





















  • Hmm... and what would stop them from resetting the password for root (or for any unrestricted sudoer) and thereby gaining unlimited privileges?

    – steeldriver
    yesterday






  • 2





    Possible duplicate of How to give permissions to specific command?

    – Olorin
    yesterday











  • @Olorin That would be a decisive NO! Kayenine is asking about giving a non-administrative user permissions to execute a very specific administrative all-powerful command that virtually allows for unlimited access to the system.

    – BarBar1234
    yesterday











  • @BarBar1234 "all-powerful command that virtually allows for unlimited access to the system" has been addressed already by steeldriver. The facts of the question still make it a duplicate, irrespective of what the command does.

    – Olorin
    yesterday











  • @Kayenine please take a look at the extra line I added to the script file that removes all control characters before they get passed to the chpasswd command.

    – BarBar1234
    23 hours ago














1












1








1








I would like to limit one of my sudo users to only be able to reset a users password. I do not want them to have any other administrative privileges but that.



I know how to block certain access, but how would I block everything but passwd.










share|improve this question









New contributor




Kayenine is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.












I would like to limit one of my sudo users to only be able to reset a users password. I do not want them to have any other administrative privileges but that.



I know how to block certain access, but how would I block everything but passwd.







14.04 server sudo






share|improve this question









New contributor




Kayenine is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question









New contributor




Kayenine is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question








edited yesterday









MatsK

533214




533214






New contributor




Kayenine is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked yesterday









KayenineKayenine

83




83




New contributor




Kayenine is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





Kayenine is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






Kayenine is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.













  • Hmm... and what would stop them from resetting the password for root (or for any unrestricted sudoer) and thereby gaining unlimited privileges?

    – steeldriver
    yesterday






  • 2





    Possible duplicate of How to give permissions to specific command?

    – Olorin
    yesterday











  • @Olorin That would be a decisive NO! Kayenine is asking about giving a non-administrative user permissions to execute a very specific administrative all-powerful command that virtually allows for unlimited access to the system.

    – BarBar1234
    yesterday











  • @BarBar1234 "all-powerful command that virtually allows for unlimited access to the system" has been addressed already by steeldriver. The facts of the question still make it a duplicate, irrespective of what the command does.

    – Olorin
    yesterday











  • @Kayenine please take a look at the extra line I added to the script file that removes all control characters before they get passed to the chpasswd command.

    – BarBar1234
    23 hours ago



















  • Hmm... and what would stop them from resetting the password for root (or for any unrestricted sudoer) and thereby gaining unlimited privileges?

    – steeldriver
    yesterday






  • 2





    Possible duplicate of How to give permissions to specific command?

    – Olorin
    yesterday











  • @Olorin That would be a decisive NO! Kayenine is asking about giving a non-administrative user permissions to execute a very specific administrative all-powerful command that virtually allows for unlimited access to the system.

    – BarBar1234
    yesterday











  • @BarBar1234 "all-powerful command that virtually allows for unlimited access to the system" has been addressed already by steeldriver. The facts of the question still make it a duplicate, irrespective of what the command does.

    – Olorin
    yesterday











  • @Kayenine please take a look at the extra line I added to the script file that removes all control characters before they get passed to the chpasswd command.

    – BarBar1234
    23 hours ago

















Hmm... and what would stop them from resetting the password for root (or for any unrestricted sudoer) and thereby gaining unlimited privileges?

– steeldriver
yesterday





Hmm... and what would stop them from resetting the password for root (or for any unrestricted sudoer) and thereby gaining unlimited privileges?

– steeldriver
yesterday




2




2





Possible duplicate of How to give permissions to specific command?

– Olorin
yesterday





Possible duplicate of How to give permissions to specific command?

– Olorin
yesterday













@Olorin That would be a decisive NO! Kayenine is asking about giving a non-administrative user permissions to execute a very specific administrative all-powerful command that virtually allows for unlimited access to the system.

– BarBar1234
yesterday





@Olorin That would be a decisive NO! Kayenine is asking about giving a non-administrative user permissions to execute a very specific administrative all-powerful command that virtually allows for unlimited access to the system.

– BarBar1234
yesterday













@BarBar1234 "all-powerful command that virtually allows for unlimited access to the system" has been addressed already by steeldriver. The facts of the question still make it a duplicate, irrespective of what the command does.

– Olorin
yesterday





@BarBar1234 "all-powerful command that virtually allows for unlimited access to the system" has been addressed already by steeldriver. The facts of the question still make it a duplicate, irrespective of what the command does.

– Olorin
yesterday













@Kayenine please take a look at the extra line I added to the script file that removes all control characters before they get passed to the chpasswd command.

– BarBar1234
23 hours ago





@Kayenine please take a look at the extra line I added to the script file that removes all control characters before they get passed to the chpasswd command.

– BarBar1234
23 hours ago










1 Answer
1






active

oldest

votes


















0














First of all, if you are even considering restricting admin privileges of any user you should first do sudo gpasswd -d [username] sudo as soon as possible because they have full access to the system until removed from sudo.



Now, there is a way to allow this type of task, but it still is very dangerous and problematic and can lead to disasterous situations.




  1. Obviously you cannot allow this user to have unrestricted access to passwd because then there will be nothing stopping him from passwd root .


  2. However, you still want to give him access to reset passwords of users not belonging to administrative group. This is a strategy I can think of:



You have a power user named fakeboss that will be resetting passwords for users. You make him a special folder, lets call it /usr/local/fakeboss/ that only his group and sudo can access.



A root creates a basic user named user1, and a script that will have read and execute permission only called user1pw.sh with:



chmod 755 user1pw.sh and puts it in /usr/local/fakeboss/



inside the script root writes, ($1 is the new password argument passed, and I checked it quickly but most piping of other commands either resulted in permission denied or changed user1 password to the piped string, but still I would need to double check this part)



#!/bin/bash
filtered=echo $1 | tr -d '[:cntrl:]'
echo "user1:$filtered" | chpasswd
echo "You just reset password for user1"


then in /etc/sudoers root adds




fakeboss ALL = NOPASSWD: /usr/local/fakeboss/user1pw.sh

as well as /usr/local/fakeboss/ to the secure_path line in /etc/sudoers



you top it off with an alias for fakeboss

alias user1pw ='sudo /usr/local/fakeboss/user1pw.sh'

and they now can change user1 password to a new one they send as argument with lets say:



user1pw IamYourBoss!



which will set user1 password to IamYourBoss!



and this tactic can be implemented for all users chosen by root, and these users will be able to have their passwords unlocked by fakeboss. More importantly, fakeboss has no access to the password reset scripts as they are unwriteable and has no passwd permissions nor any sudo permissions beyond these password reset scripts. One last thing I would add is certainly some serious logging mechanism as well perhaps system message sent to root stating that user1 had their password reset at this and this time for security and integrity.



I wrote this quickly and might have missed a detail or two but this is certainly way safer than allowing a user pseudo-sudo user unrestricted access to passwd.



Edit: Added input filtering,






share|improve this answer

























    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "89"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });






    Kayenine is a new contributor. Be nice, and check out our Code of Conduct.










    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1123659%2fubuntu-limit-sudo-user-to-password-reset-only%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    0














    First of all, if you are even considering restricting admin privileges of any user you should first do sudo gpasswd -d [username] sudo as soon as possible because they have full access to the system until removed from sudo.



    Now, there is a way to allow this type of task, but it still is very dangerous and problematic and can lead to disasterous situations.




    1. Obviously you cannot allow this user to have unrestricted access to passwd because then there will be nothing stopping him from passwd root .


    2. However, you still want to give him access to reset passwords of users not belonging to administrative group. This is a strategy I can think of:



    You have a power user named fakeboss that will be resetting passwords for users. You make him a special folder, lets call it /usr/local/fakeboss/ that only his group and sudo can access.



    A root creates a basic user named user1, and a script that will have read and execute permission only called user1pw.sh with:



    chmod 755 user1pw.sh and puts it in /usr/local/fakeboss/



    inside the script root writes, ($1 is the new password argument passed, and I checked it quickly but most piping of other commands either resulted in permission denied or changed user1 password to the piped string, but still I would need to double check this part)



    #!/bin/bash
    filtered=echo $1 | tr -d '[:cntrl:]'
    echo "user1:$filtered" | chpasswd
    echo "You just reset password for user1"


    then in /etc/sudoers root adds




    fakeboss ALL = NOPASSWD: /usr/local/fakeboss/user1pw.sh

    as well as /usr/local/fakeboss/ to the secure_path line in /etc/sudoers



    you top it off with an alias for fakeboss

    alias user1pw ='sudo /usr/local/fakeboss/user1pw.sh'

    and they now can change user1 password to a new one they send as argument with lets say:



    user1pw IamYourBoss!



    which will set user1 password to IamYourBoss!



    and this tactic can be implemented for all users chosen by root, and these users will be able to have their passwords unlocked by fakeboss. More importantly, fakeboss has no access to the password reset scripts as they are unwriteable and has no passwd permissions nor any sudo permissions beyond these password reset scripts. One last thing I would add is certainly some serious logging mechanism as well perhaps system message sent to root stating that user1 had their password reset at this and this time for security and integrity.



    I wrote this quickly and might have missed a detail or two but this is certainly way safer than allowing a user pseudo-sudo user unrestricted access to passwd.



    Edit: Added input filtering,






    share|improve this answer






























      0














      First of all, if you are even considering restricting admin privileges of any user you should first do sudo gpasswd -d [username] sudo as soon as possible because they have full access to the system until removed from sudo.



      Now, there is a way to allow this type of task, but it still is very dangerous and problematic and can lead to disasterous situations.




      1. Obviously you cannot allow this user to have unrestricted access to passwd because then there will be nothing stopping him from passwd root .


      2. However, you still want to give him access to reset passwords of users not belonging to administrative group. This is a strategy I can think of:



      You have a power user named fakeboss that will be resetting passwords for users. You make him a special folder, lets call it /usr/local/fakeboss/ that only his group and sudo can access.



      A root creates a basic user named user1, and a script that will have read and execute permission only called user1pw.sh with:



      chmod 755 user1pw.sh and puts it in /usr/local/fakeboss/



      inside the script root writes, ($1 is the new password argument passed, and I checked it quickly but most piping of other commands either resulted in permission denied or changed user1 password to the piped string, but still I would need to double check this part)



      #!/bin/bash
      filtered=echo $1 | tr -d '[:cntrl:]'
      echo "user1:$filtered" | chpasswd
      echo "You just reset password for user1"


      then in /etc/sudoers root adds




      fakeboss ALL = NOPASSWD: /usr/local/fakeboss/user1pw.sh

      as well as /usr/local/fakeboss/ to the secure_path line in /etc/sudoers



      you top it off with an alias for fakeboss

      alias user1pw ='sudo /usr/local/fakeboss/user1pw.sh'

      and they now can change user1 password to a new one they send as argument with lets say:



      user1pw IamYourBoss!



      which will set user1 password to IamYourBoss!



      and this tactic can be implemented for all users chosen by root, and these users will be able to have their passwords unlocked by fakeboss. More importantly, fakeboss has no access to the password reset scripts as they are unwriteable and has no passwd permissions nor any sudo permissions beyond these password reset scripts. One last thing I would add is certainly some serious logging mechanism as well perhaps system message sent to root stating that user1 had their password reset at this and this time for security and integrity.



      I wrote this quickly and might have missed a detail or two but this is certainly way safer than allowing a user pseudo-sudo user unrestricted access to passwd.



      Edit: Added input filtering,






      share|improve this answer




























        0












        0








        0







        First of all, if you are even considering restricting admin privileges of any user you should first do sudo gpasswd -d [username] sudo as soon as possible because they have full access to the system until removed from sudo.



        Now, there is a way to allow this type of task, but it still is very dangerous and problematic and can lead to disasterous situations.




        1. Obviously you cannot allow this user to have unrestricted access to passwd because then there will be nothing stopping him from passwd root .


        2. However, you still want to give him access to reset passwords of users not belonging to administrative group. This is a strategy I can think of:



        You have a power user named fakeboss that will be resetting passwords for users. You make him a special folder, lets call it /usr/local/fakeboss/ that only his group and sudo can access.



        A root creates a basic user named user1, and a script that will have read and execute permission only called user1pw.sh with:



        chmod 755 user1pw.sh and puts it in /usr/local/fakeboss/



        inside the script root writes, ($1 is the new password argument passed, and I checked it quickly but most piping of other commands either resulted in permission denied or changed user1 password to the piped string, but still I would need to double check this part)



        #!/bin/bash
        filtered=echo $1 | tr -d '[:cntrl:]'
        echo "user1:$filtered" | chpasswd
        echo "You just reset password for user1"


        then in /etc/sudoers root adds




        fakeboss ALL = NOPASSWD: /usr/local/fakeboss/user1pw.sh

        as well as /usr/local/fakeboss/ to the secure_path line in /etc/sudoers



        you top it off with an alias for fakeboss

        alias user1pw ='sudo /usr/local/fakeboss/user1pw.sh'

        and they now can change user1 password to a new one they send as argument with lets say:



        user1pw IamYourBoss!



        which will set user1 password to IamYourBoss!



        and this tactic can be implemented for all users chosen by root, and these users will be able to have their passwords unlocked by fakeboss. More importantly, fakeboss has no access to the password reset scripts as they are unwriteable and has no passwd permissions nor any sudo permissions beyond these password reset scripts. One last thing I would add is certainly some serious logging mechanism as well perhaps system message sent to root stating that user1 had their password reset at this and this time for security and integrity.



        I wrote this quickly and might have missed a detail or two but this is certainly way safer than allowing a user pseudo-sudo user unrestricted access to passwd.



        Edit: Added input filtering,






        share|improve this answer















        First of all, if you are even considering restricting admin privileges of any user you should first do sudo gpasswd -d [username] sudo as soon as possible because they have full access to the system until removed from sudo.



        Now, there is a way to allow this type of task, but it still is very dangerous and problematic and can lead to disasterous situations.




        1. Obviously you cannot allow this user to have unrestricted access to passwd because then there will be nothing stopping him from passwd root .


        2. However, you still want to give him access to reset passwords of users not belonging to administrative group. This is a strategy I can think of:



        You have a power user named fakeboss that will be resetting passwords for users. You make him a special folder, lets call it /usr/local/fakeboss/ that only his group and sudo can access.



        A root creates a basic user named user1, and a script that will have read and execute permission only called user1pw.sh with:



        chmod 755 user1pw.sh and puts it in /usr/local/fakeboss/



        inside the script root writes, ($1 is the new password argument passed, and I checked it quickly but most piping of other commands either resulted in permission denied or changed user1 password to the piped string, but still I would need to double check this part)



        #!/bin/bash
        filtered=echo $1 | tr -d '[:cntrl:]'
        echo "user1:$filtered" | chpasswd
        echo "You just reset password for user1"


        then in /etc/sudoers root adds




        fakeboss ALL = NOPASSWD: /usr/local/fakeboss/user1pw.sh

        as well as /usr/local/fakeboss/ to the secure_path line in /etc/sudoers



        you top it off with an alias for fakeboss

        alias user1pw ='sudo /usr/local/fakeboss/user1pw.sh'

        and they now can change user1 password to a new one they send as argument with lets say:



        user1pw IamYourBoss!



        which will set user1 password to IamYourBoss!



        and this tactic can be implemented for all users chosen by root, and these users will be able to have their passwords unlocked by fakeboss. More importantly, fakeboss has no access to the password reset scripts as they are unwriteable and has no passwd permissions nor any sudo permissions beyond these password reset scripts. One last thing I would add is certainly some serious logging mechanism as well perhaps system message sent to root stating that user1 had their password reset at this and this time for security and integrity.



        I wrote this quickly and might have missed a detail or two but this is certainly way safer than allowing a user pseudo-sudo user unrestricted access to passwd.



        Edit: Added input filtering,







        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited 23 hours ago

























        answered yesterday









        BarBar1234BarBar1234

        42826




        42826






















            Kayenine is a new contributor. Be nice, and check out our Code of Conduct.










            draft saved

            draft discarded


















            Kayenine is a new contributor. Be nice, and check out our Code of Conduct.













            Kayenine is a new contributor. Be nice, and check out our Code of Conduct.












            Kayenine is a new contributor. Be nice, and check out our Code of Conduct.
















            Thanks for contributing an answer to Ask Ubuntu!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1123659%2fubuntu-limit-sudo-user-to-password-reset-only%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            數位音樂下載

            When can things happen in Etherscan, such as the picture below?

            格利澤436b