[rsbac] How to secure passwd/shadow ?

Dmitry V. Levin ldv at altlinux.org
Wed Oct 29 18:14:47 MET 2003


On Wed, Oct 29, 2003 at 03:34:50PM +0100, Patrique Wolfrum wrote:
> In order to secure the 'security officer'-account I want to prevent 'root' from changing the account password. After reading in the RSBAC-library (http://books.rsbac.org/unstable/x423.html) I tried to protect the files /etc/passwd and /etc/shadow via a new RC_FD 'Password files', which was only accessible for one user. This user should then be used only for setting passwords (the 'Password-Administrator').
> The problem is now the program 'passwd' since it only allows 'root' to set or reset the passwords for other users.
> 
> On my test-system I tried it with changing the CAP-settings for a test-user, but passwd still complained that the user is not authorized to change the password (=shadow data).
> 
> Is there a way to convince passwd that another user besides root can also set other users' passwords?
> Or are there other utilities that I could use for that task?

You may wish to have a look at an alternative password shadowing scheme which
solves this issue, see http://www.openwall.com/tcb/


-- 
ldv