[rsbac] How to secure passwd/shadow ?

Patrique Wolfrum Patrique.Wolfrum at vwl.uni-freiburg.de
Wed Oct 29 15:34:50 MET 2003


Hello,

In order to secure the 'security officer' account I want to prevent 'root' from changing the account password. After reading in the RSBAC library (http://books.rsbac.org/unstable/x423.html) I tried to protect the files /etc/passwd and /etc/shadow via a new RC_FD 'Password files', which was only accessible to one user. This user should then be used only for setting passwords (the 'Password-Administrator').
The problem is now the program 'passwd' since it only allows 'root' to set or reset the passwords for other users.

On my test system I tried changing the CAP settings for a test user, but passwd still complained that the user is not authorized to change the password (=shadow data).

Is there a way to convince passwd that another user besides root can also set other users' passwords?
Or are there other utilities that I could use for that task?

Thank you very much in advance.

With best regards.
    Patrique Wolfrum

