Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Password change 1

Status
Not open for further replies.

Consty

Technical User
May 1, 2003
44
CM
Hi,
I would like to write a small C program under unix (Aix)
which will allow the runner to take the identity of root
when launched (suid) and change the password of any user
(passwd) except root.
Any help ?
Thanks
 
The quick and easy way to do this is to use sudo.
If you want to do this in C there's a version on the Bull free software site but it only works for AIX 4.3. I tried to convert it to work under AIX 5.1 but gave up when I realised I was spending too much time when a sudo based answer was available.

Columb Healy
Living with a seeker after the truth is infinitely preferable to living with one who thinks they've found it.
 
Thanks,
I heard about sudo but I didn't try it because I thought that a user typing "$sudo passwd root" could change root password. Is that right ?
 
Sudo can control which users can run which commands down to a very fine level.

The sudo documentation describes, as an example, how to do exactly what you require. On our system a limited number of people (Help Desk operators) can only change passwords for user ids in the form b12345, g45678 etc. which stops them changing passwords for any power users.

Sudo is far more than that though. Since installing it I've become a big fan. Our help desk can not only change passwords but also manage printers in a way that is secure, strictly limited to listed users and, above all, logged.

Another example - our developers need to run topas to do performance monitoring. topas needs root priviledges to be able to read system memory. Using sudo a limited list of developers can run topas.

Check the web site - - It will repay you (and you can win points with your security team!)



Columb Healy
Living with a seeker after the truth is infinitely preferable to living with one who thinks they've found it.
 
Thanks a lot Colomb, I'll try it.
 
Please, just one precision, Colomb,
In you example, Help Desk Operators can change password of
users like b12345, g45678 and so on. In my case, I would
like a person to create new final users using their names and fix their password as root, without being able to change
root or any other administrative user password.
Thanks
 
Sorry - I was away yesterday afternoon (dentist)
From the sudoers (sudo control file) man page
pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root

The user pete is allowed to change anyone's password except for root on the HPPA machines. Note that this assumes passwd(1) does not take multiple usernames on the command line.

Columb Healy
Living with a seeker after the truth is infinitely preferable to living with one who thinks they've found it.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top