Delivered-To: freebsd-questions@freebsd.org
From: "Andrew Johns"
To: "Todd Backman"
Subject: RE: passwd
Date: Wed, 21 Jul 1999 14:32:34 +1000
Message-ID: <001a01bed332$0d9d22e0$4001a8c0@tasajohns.turnaround.com.au>
In-reply-to: <199907210359.XAA07371@cc942873-a.ewndsr1.nj.home.com>

Why not do the passwd binary change (as suggested below), then set
/bin/passwd simmut, then up the securelevel to 2. That way they would not
be able to put the original passwd exe back without a reboot...

> -----Original Message-----
> From: owner-freebsd-questions@FreeBSD.ORG
> [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of
> Crist J. Clark
> Sent: Wednesday, 21 July 1999 13:59
> To: Todd Backman
> Cc: jonc@pinnacle.co.nz; questions@FreeBSD.ORG
> Subject: Re: passwd
>
>
> Todd Backman wrote,
> >
> > We can't. Reinstalling would take effort and we just don't want the
> > customer to possibly "fat-finger" the passwd for 'toor'...
> >
> > Thanks.
> > > > > > On Tue, 20 Jul 1999, Jonathan Chen wrote: > > > > > On Mon, 19 Jul 1999, Todd Backman wrote: > > > > > > > > > > > Is there any way to hack FreeBSD's passwd utility to > dis-allow root from > > > > changing toor's passwd? I have approx. 15 boxen for > external customers > > > > that I would like to passwd 'toor' so our NOC people do > not have to know > > > > root for each customer. Customers can have thier own > root passwd and the > > > > NOC folk can have 'toor' for reboots and such. We *do > not* want root to be > > > > able to change toor's passwd... > > > > > > If they have root privileges, how can you prevent them from > > > reinstalling the original passwd program? > > How about a really quick and dirty patch to the passwd.c program? > > *** passwd.c.orig Fri Aug 1 02:39:47 1997 > --- passwd.c Tue Jul 20 23:50:32 1999 > *************** > *** 172,177 **** > --- 172,180 ---- > usage(); > } > > + if (!strcmp(uname,"toor")) > + err(2,"Cannot change toor's passwd"); > + > #ifdef YP > /* > * If NIS is turned on in the password database, use > it, else punt. > > As was mentioned, if they still have root, they can replace the > executable with the correct one. What's more likely is they muck up > the passwd files directly with vipw. > -- > Crist J. Clark cjclark@home.com > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-questions" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
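Review bot: The added `strcmp(uname,"toor")` test before `#ifdef YP` refuses every caller, with no exemption for someone logged in as toor, so the NOC staff can no longer rotate that password through passwd either; consider keying the refusal on who is invoking the program as well as on the target name. The account name and the message are hard-coded string literals in the middle of the function; a named constant with a comment explaining the local policy would make the change easier to carry across the roughly 15 hosts mentioned in the thread. The check lives only in this binary, so it does nothing about direct edits with vipw or a replaced executable, as the accompanying message already says.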
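The immutable-flag and securelevel suggestion above can be checked with a small audit. This is an added example, not code from the thread: the function names are hypothetical, the `ls -lo` lines are constructed, and it assumes FreeBSD's rule that the system immutable flag (`schg`) cannot be cleared once `kern.securelevel` is 1 or higher. `/bin/passwd` is the path used in the message; `/etc/master.passwd` is added here as the file vipw edits.

```shell
#!/bin/sh
# Added example: can root still swap out a file on a running FreeBSD host?
# Inputs are `ls -lo` lines and the value of kern.securelevel.

# has_schg LS_LINE: true if the flags column (5th field of `ls -lo`)
# lists schg, the system immutable flag ("simmut" in the message).
has_schg() {
    flags=$(printf '%s\n' "$1" | awk '{ print $5 }')
    case ",$flags," in
        *,schg,*) return 0 ;;
        *) return 1 ;;
    esac
}

# verdict LS_LINE SECURELEVEL prints one of:
#   locked     schg set, securelevel >= 1: flag cannot be cleared until reboot
#   removable  schg set, securelevel < 1: root can clear the flag and replace
#   open       no schg flag, so nothing stops a replacement or an edit
verdict() {
    if ! has_schg "$1"; then
        echo open
    elif [ "$2" -ge 1 ]; then
        echo locked
    else
        echo removable
    fi
}

# audit SECURELEVEL: read `ls -lo` lines on stdin, print "verdict path".
audit() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        path=$(printf '%s\n' "$line" | awk '{ print $NF }')
        printf '%s %s\n' "$(verdict "$line" "$1")" "$path"
    done
}

# Constructed sample of `ls -lo` output, not captured from a real host.
SAMPLE='-r-sr-xr-x  2 root  wheel  schg 28924 Jul 20 23:55 /bin/passwd
-rw-------  1 root  wheel  -    1523 Jul 20 23:58 /etc/master.passwd'

# Hypothetical helper: run the audit over the constructed sample.
audit_sample() { printf '%s\n' "$SAMPLE" | audit "$1"; }

# On a live host:
#   ls -lo /bin/passwd /etc/master.passwd | audit "$(sysctl -n kern.securelevel)"
audit_sample 2
```

With the sample at securelevel 2 the binary reports `locked` while `/etc/master.passwd` reports `open`, which is the vipw route Crist J. Clark mentions.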