[rsbac] passwd
Amon Ott
ao at rsbac.org
Fri Jul 25 10:24:38 MEST 2003
On Friday, 25. July 2003 08:43, polish wrote:
> How did you resolve access to /etc/passwd and /etc/shadow? I would like
> to create a new user X, who can change the password for everyone. And root can't
> change passwords. I find some standard solution of this problem.
passwd and shadow are tricky, because they get deleted and recreated with
every change. What I would do is make a wrapper script, which
- is the only one allowed write access to these files (RC initial role)
- may only be executed by the specified user (extra user role and passwd-exe type)
- has a sensible default_fd_create_type, e.g. passwd-type
- corrects the types of the files after the change (because passwd and shadow usually need different types)
Amon.
--
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
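
The wrapper outlined in the reply above, as an added example that is not part of the original message and not RSBAC's own code. The numeric type IDs, the tool paths and the `attr_set_fd` argument order are assumptions to check against the installed rsbac-admin; the wrapper's initial role, its passwd-exe type and the role's default_fd_create_type are set in the RC configuration, not in the script.

```shell
#!/bin/sh
# Added example: passwd wrapper for the RC setup described in the message.
# Values below are hard-coded on purpose: a wrapper that holds the only
# write access to passwd/shadow should not take them from the environment.
PASSWD_CMD=/usr/bin/passwd       # assumed path
ATTR_SET_FD=/usr/bin/attr_set_fd # assumed path of the rsbac-admin tool
PASSWD_FILE=/etc/passwd
SHADOW_FILE=/etc/shadow
PASSWD_TYPE=10                   # constructed RC type ID for passwd-type
SHADOW_TYPE=11                   # constructed RC type ID for the shadow type

# Accept plain account names only, so no option or path reaches passwd.
valid_username() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# Re-apply the RC types: the files were deleted and recreated, so both now
# carry the role's default_fd_create_type instead of their own types.
# Assumed argument order: module target-type attribute value file.
fix_types() {
    "$ATTR_SET_FD" RC FILE rc_type_fd "$PASSWD_TYPE" "$PASSWD_FILE" || return 1
    "$ATTR_SET_FD" RC FILE rc_type_fd "$SHADOW_TYPE" "$SHADOW_FILE" || return 1
}

change_password() {
    valid_username "$1" || { echo "usage: passwd-wrapper <username>" >&2; return 2; }
    rc=0
    "$PASSWD_CMD" "$1" || rc=$?
    # Fix types even when passwd failed: a file may already be recreated.
    fix_types || { echo "type fix failed, check $PASSWD_FILE and $SHADOW_FILE" >&2; return 3; }
    return "$rc"
}

# Run only when a username is given on the command line.
if [ "$#" -gt 0 ]; then
    change_password "$1"
    exit $?
fi
```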