[rsbac] How to secure passwd/shadow ?
Patrique Wolfrum
Patrique.Wolfrum at vwl.uni-freiburg.de
Wed Oct 29 15:34:50 MET 2003
Hello,
In order to secure the 'security officer'-account I want to prevent 'root' from changing the account password. After reading in the RSBAC-library (http://books.rsbac.org/unstable/x423.html) I tried to protect the files /etc/passwd and /etc/shadow via a new RC_FD 'Password files', which was only accessible for one user. This user should then be used only for setting passwords (the 'Password-Administrator').
The problem is now the program 'passwd' since it only allows 'root' to set or reset the passwords for other users.
On my test-system I tried it with changing the CAP-settings for a test-user, but passwd still complained, that the user is not authorized to change the password (=shadow data).
Is there a way to convince passwd, that also another user besides root can set other users passwords ?
Or are there other utilities, that I could use for that task ?
Thank you very much in advance.
With best regards.
Patrique Wolfrum
More information about the rsbac
mailing list