[rsbac] prevent secoff password change by root

Bencsath Boldizsar boldi at mail2005.etl.hu
Thu Aug 3 23:13:07 CEST 2006

you make a special role "user admin" who is able to change passwords, 
while other users including 'normal root' is not able to run passwd 
command, or only 'system administrator' (root) is not able to run passwd.
Yes, this means that 'user admin' can change the password of secoff.

next tip: you disable to su or sudo to secoff, only accept ssh'ing to 
secoff with rsa key from outside machine. This way it does not really 
count if a root can change the password of secoff.

So there is no simple solution but you can manage to make your own way to 
protect secoff..

On Tue, 1 Aug 2006, Tamas Orosz wrote:

> Dear list,
> Can I prevent to change secoff's password by the root? To specify: all
> another user password change must be allowed by root, except the
> secoff's password. I could not set up that (I use the "normal" PAM,
> not the rsbac-um). Can the rsbac-um solve my problem, or another ideas?
> Thanks,
> Tamas
> _______________________________________________
> rsbac mailing list
> rsbac at rsbac.org
> http://www.rsbac.org/mailman/listinfo/rsbac

More information about the rsbac mailing list