[rsbac] How to secure passwd/shadow ?
Amon Ott
ao at rsbac.org
Wed Oct 29 17:03:02 MET 2003
On Wednesday, 29. October 2003 15:34, Patrique Wolfrum wrote:
> In order to secure the 'security officer' account I want to prevent 'root'
> from changing the account password. After reading in the RSBAC library
> (http://books.rsbac.org/unstable/x423.html) I tried to protect the files
> /etc/passwd and /etc/shadow via a new RC_FD 'Password files', which was only
> accessible for one user. This user should then be used only for setting
> passwords (the 'Password-Administrator').
> The problem is now the program 'passwd', since it only allows 'root' to set
> or reset the passwords for other users.
>
> On my test system I tried it with changing the CAP settings for a
> test user, but passwd still complained that the user is not authorized to
> change the password (=shadow data).
>
> Is there a way to convince passwd that another user besides root can also
> set other users' passwords?
usermod might do the job for you. You can also keep passwd suid root; this
only changes the effective uid and does not influence RSBAC rights directly.
If you also set an RC type for the passwd program, you can select who may
execute it.
Amon.
--
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22