[rsbac] prevent secoff password change by root

Bencsath Boldizsar boldi at mail2005.etl.hu
Thu Aug 3 23:13:07 CEST 2006


e.g.
you make a special role "user admin" who is able to change passwords, 
while other users, including 'normal root', are not able to run the passwd 
command, or only 'system administrator' (root) is not able to run passwd.
Yes, this means that 'user admin' can change the password of secoff.

Next tip: you disable su or sudo to secoff and only accept ssh'ing to 
secoff with an RSA key from an outside machine. This way it does not really 
count if root can change the password of secoff.

So there is no simple solution, but you can manage to make your own way to 
protect secoff.


On Tue, 1 Aug 2006, Tamas Orosz wrote:

> Dear list,
>
> Can I prevent root from changing secoff's password? To specify: all
> other users' password changes must be allowed by root, except
> secoff's password. I could not set that up (I use the "normal" PAM,
> not the rsbac-um). Can the rsbac-um solve my problem, or are there other ideas?
>
> Thanks,
> Tamas
>
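
The second tip in the reply above (secoff reachable only over ssh with a key) can be verified against the effective sshd settings. This is an added example, not part of the original post: it assumes OpenSSH, the function name `check_key_only` is hypothetical, and the sample settings are constructed. It covers only the ssh side, not the su/sudo restriction.

```shell
# Assumed sshd_config stanza for the account (OpenSSH keywords):
#   Match User secoff
#       PasswordAuthentication no
#       KbdInteractiveAuthentication no
#       PubkeyAuthentication yes
#
# check_key_only reads "sshd -T" style output (lowercase "keyword value"
# lines) on stdin and returns 0 only if a password can never be used.
# Real use: sshd -T -C user=secoff,host=localhost,addr=127.0.0.1 | check_key_only
check_key_only() {
    awk '
        $1 == "passwordauthentication" { pw = $2 }
        $1 == "pubkeyauthentication"   { pk = $2 }
        # Older OpenSSH names this challengeresponseauthentication. With PAM
        # enabled it still prompts for the password even if
        # passwordauthentication is "no".
        $1 == "kbdinteractiveauthentication" || $1 == "challengeresponseauthentication" {
            seen = 1
            if ($2 != "no") kbdbad = 1
        }
        END {
            bad = 0
            if (pw != "no")  { print "FAIL: passwordauthentication is " (pw == "" ? "unset" : pw); bad = 1 }
            if (pk != "yes") { print "FAIL: pubkeyauthentication is " (pk == "" ? "unset" : pk); bad = 1 }
            if (!seen || kbdbad) { print "FAIL: keyboard-interactive is not disabled"; bad = 1 }
            if (!bad) print "OK: key-only login"
            exit bad
        }'
}

# Constructed sample: effective settings after the stanza above is applied.
GOOD_SAMPLE='passwordauthentication no
pubkeyauthentication yes
kbdinteractiveauthentication no
usepam yes'

# Constructed sample: password auth is "off", but PAM keyboard-interactive
# still accepts the password that another account may have changed.
PAM_LEAK_SAMPLE='passwordauthentication no
pubkeyauthentication yes
kbdinteractiveauthentication yes
usepam yes'

printf '%s\n' "$GOOD_SAMPLE" | check_key_only
printf '%s\n' "$PAM_LEAK_SAMPLE" | check_key_only || true
```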

