[rsbac] How to secure passwd/shadow ?

Amon Ott ao at rsbac.org
Wed Oct 29 17:03:02 MET 2003

On Wednesday, 29. October 2003 15:34, Patrique Wolfrum wrote:
> In order to secure the 'security officer'-account I want to prevent 'root' 
from changing the account password. After reading in the RSBAC-library 
(http://books.rsbac.org/unstable/x423.html) I tried to protect the files 
/etc/passwd and /etc/shadow via a new RC_FD 'Password files', which was only 
accessible for one user. This user should then be used only for setting 
passwords (the 'Password-Administrator').
> The problem is now the program 'passwd' since it only allows 'root' to set 
or reset the passwords for other users.
> On my test-system I tried it with changing the CAP-settings for a 
test-user, but passwd still complained, that the user is not authorized to 
change the password (=shadow data).
> Is there a way to convince passwd, that also another user besides root can 
set other users passwords ?

usermod might do the job for you. You can also keep passwd suid root, this 
only changes the effective uid and does not influence RSBAC rights directly.

If you also set an RC type for the passwd program, you can select who may 
execute it.

http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22

More information about the rsbac mailing list