Other sudo/doas help

zader


Hi All,


Just wondering if anyone knows the correct way to create a sudo or doas negation in a list policy (or another way), maybe alias or suid, etc.

What I'm trying to accomplish is:

I have 1 root account
3 admins in the operator group

The admins do their daily work with sudo/doas and everything is great.

The problem is any one of the admins can issue a password reset/change for the root account.

My goal is to allow them to run passwd for users, or themselves, but disallow them from changing the root password.

Thanks!

Guessing the proper way would include suid, alias or a negation list, but not sure what the best way to go about it is. Or should I just add MFA to the passwd command and control access that way?

SirDice

Administrator

Something like this for sudo?

Code:
# Entries in a command list are matched in order and the LAST match wins,
# so the negation has to come after the entry that permits passwd.
Cmnd_Alias ALLOWPASSWD = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root

myadmin1 ALL=(ALL) ALLOWPASSWD

There are probably ways to circumvent it but this should give you a rough idea.
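To see why the order of the entries matters (sudoers takes the last matching entry in a command list, so a negation placed before a broader permit is simply overridden by it), here is an added Python model, not sudo's own code, that evaluates a Cmnd_Alias under those simplified rules; `parse_alias`, `args_match`, `is_allowed` and the two policy strings are constructed for this illustration.

```python
from __future__ import annotations
import fnmatch

# Simplified model of sudoers Cmnd_Alias evaluation (an assumption made for this
# illustration, not sudo's own code): entries are checked in order, the LAST
# matching entry decides, a leading '!' turns a match into a denial, and a
# command that matches no entry is denied. Arguments: an entry with no arguments
# matches any arguments, an entry ending in "" requires no arguments, and
# anything else is a shell-style glob over the whole space-joined argument string.

def parse_alias(alias: str) -> list[tuple[bool, str, str | None]]:
    """Turn 'Cmnd_Alias NAME = e1, e2, ...' into (negated, path, arg_pattern)."""
    body = alias.split("=", 1)[1]
    entries = []
    for item in body.split(","):
        item = item.strip()
        negated = item.startswith("!")
        path, _, argpat = item.lstrip("!").partition(" ")
        entries.append((negated, path, argpat.strip() or None))
    return entries

def args_match(pattern: str | None, args: list[str]) -> bool:
    if pattern is None:
        return True                    # bare path: any arguments
    if pattern == '""':
        return args == []              # "": must be run with no arguments
    # '*' also matches spaces, so one glob can span several arguments.
    return fnmatch.fnmatchcase(" ".join(args), pattern)

def is_allowed(alias: str, path: str, args: list[str]) -> bool:
    verdict = False                    # no matching entry: denied
    for negated, epath, argpat in parse_alias(alias):
        if epath == path and args_match(argpat, args):
            verdict = not negated      # last match wins
    return verdict

# Constructed policies for comparison: negations first vs. negation last.
NEGATIONS_FIRST = "Cmnd_Alias ALLOWPASSWD = !/usr/bin/passwd, !/usr/bin/passwd root, /usr/bin/passwd *"
NEGATION_LAST = "Cmnd_Alias ALLOWPASSWD = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root"

if __name__ == "__main__":
    for name, policy in (("negations first", NEGATIONS_FIRST), ("negation last", NEGATION_LAST)):
        for argv in (["root"], ["alice"], [], ["--", "root"]):
            ok = is_allowed(policy, "/usr/bin/passwd", argv)
            print(f"{name:16} passwd {' '.join(argv):8} -> {'ALLOW' if ok else 'deny'}")
```

On a real host, confirm the policy with `visudo -c` and `sudo -l -U myadmin1 /usr/bin/passwd root` rather than trusting the model; the bare `passwd` case matters because run as root with no argument it changes root's password.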

zader


Thanks guys, I can work with that.

Cheers