Other sudo/doas help

Hi All,


Just wondering if anyone knows the correct way to create a sudo or doas negation in a list policy (or another way), maybe an alias or suid, etc.

What I'm trying to accomplish is:

I have 1 root account
3 admins in the operator group

The admins do their daily work with sudo/doas and everything is great.

The problem is that any one of the admins can issue a password reset/change for the root account.

My goal is to allow them to run passwd for users, or for themselves, but disallow them from changing the root password.

Thanks!

Guessing the proper way would include suid, an alias or a negation list, but I'm not sure what the best way to go about it is. Or should I just add MFA to the passwd command and control access that way?
 
Something like this for sudo?

Code:
# last match wins in sudoers: list the wildcard allow first and the negations last
Cmnd_Alias ALLOWPASSWD = /usr/bin/passwd *, !/usr/bin/passwd "", !/usr/bin/passwd root

myadmin1 ALL=(ALL) ALLOWPASSWD

There are probably ways to circumvent it, but this should give you a rough idea.
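A negation list can only match the exact argument string "root", so a command such as passwd run with an option in front of the user name slips past it. The usual way to close that class of gap is to stop granting /usr/bin/passwd directly and instead grant a small root-owned wrapper that validates the target account before handing off. The script below is an added example written for this thread, not code from either poster; it assumes the wrapper is installed as /usr/local/sbin/passwd-nonroot and that the real binary lives at /usr/bin/passwd.

```shell
#!/bin/sh
# passwd-nonroot: grant THIS script via sudo/doas instead of /usr/bin/passwd itself.
# Assumed install path: /usr/local/sbin/passwd-nonroot (owned by root, mode 0755,
# in a directory the operators cannot write to).
# Instead of trying to subtract "root" from a wildcard rule, the wrapper accepts
# exactly one syntactically valid username, refuses anything that resolves to
# UID 0, and only then executes the real passwd.
set -eu

PASSWD_BIN=/usr/bin/passwd   # assumed location of the real passwd binary

# Accept only a plain portable username: a letter or underscore first, then
# [a-z0-9_-], at most 32 characters. This rejects options such as "-d" or
# "--stdin" outright, so no flag can ever reach passwd, and rejects numeric
# strings such as "0".
valid_username_syntax() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# Return 0 only for an existing, non-root account. Checking the resolved UID
# rather than just the literal name "root" also blocks any other UID-0 account.
is_allowed_target() {
    name=$1
    valid_username_syntax "$name" || return 1
    [ "$name" != root ] || return 1
    uid=$(id -u "$name" 2>/dev/null) || return 1
    [ "$uid" -ne 0 ]
}

main() {
    if [ "$#" -ne 1 ]; then
        echo "usage: ${0##*/} <username>" >&2
        exit 2
    fi
    if ! is_allowed_target "$1"; then
        echo "${0##*/}: refusing to change the password of '$1'" >&2
        exit 1
    fi
    # Exactly one validated argument is passed on; no caller-supplied options.
    exec "$PASSWD_BIN" "$1"
}

# Dispatch only when executed under the wrapper's own name, so the functions
# can also be sourced for testing without running main.
case "${0##*/}" in
    passwd-nonroot) main "$@" ;;
esac
```

Grant the wrapper rather than passwd, for example with `%operator ALL=(root) /usr/local/sbin/passwd-nonroot` in sudoers or `permit persist :operator cmd /usr/local/sbin/passwd-nonroot` in doas.conf. This only helps if the operators' daily-work rules do not themselves cover /usr/bin/passwd or give them a root shell, since either of those would bypass the wrapper entirely.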
 