[rsbac] passwd

Amon Ott ao at rsbac.org
Fri Jul 25 10:24:38 MEST 2003


On Friday, 25. July 2003 08:43, polish wrote:
>   How did you resolve access to /etc/passwd and /etc/shadow. I would like
> to create new user X, who can change password to everyone. And root can't
> change password. I find a some standard solution of this problem.

passwd and shadow are tricky, because they get deleted and recreated with 
every change. What I would do is make a wrapper script, which

- is the only one allowed to write access these files (RC initial role)
- may only be executed by the specified user (extra user role and passwd-exe 
type)
- has a sensible default_fd_create_type, e.g. passwd-type
- corrects the types of the files after the change (because passwd and shadow 
usually need different types)

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22


More information about the rsbac mailing list