Date: Wed, 21 Jul 1999 14:32:34 +1000
From: "Andrew Johns" <A_Johns@TurnAround.com.au>
To: <cjclark@home.com>, "Todd Backman" <todd@wank.necropolis.org>
Cc: <jonc@pinnacle.co.nz>, <questions@FreeBSD.ORG>
Subject: RE: passwd
Message-ID: <001a01bed332$0d9d22e0$4001a8c0@tasajohns.turnaround.com.au>
In-Reply-To: <199907210359.XAA07371@cc942873-a.ewndsr1.nj.home.com>

Why not do the passwd binary change (as suggested below), then set
/bin/passwd simmut, then up the securelevel to 2. That way they would
not be able to put the original passwd exe back without a reboot...

> -----Original Message-----
> From: owner-freebsd-questions@FreeBSD.ORG
> [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of
> Crist J. Clark
> Sent: Wednesday, 21 July 1999 13:59
> To: Todd Backman
> Cc: jonc@pinnacle.co.nz; questions@FreeBSD.ORG
> Subject: Re: passwd
>
>
> Todd Backman wrote,
> >
> > We can't. Reinstalling would take effort and we just don't want the
> > customer to possibly "fat-finger" the passwd for 'toor'...
> >
> > Thanks.
> >
> >
> > On Tue, 20 Jul 1999, Jonathan Chen wrote:
> >
> > > On Mon, 19 Jul 1999, Todd Backman wrote:
> > >
> > > >
> > > > Is there any way to hack FreeBSD's passwd utility to dis-allow root from
> > > > changing toor's passwd? I have approx. 15 boxen for external customers
> > > > that I would like to passwd 'toor' so our NOC people do not have to know
> > > > root for each customer. Customers can have their own root passwd and the
> > > > NOC folk can have 'toor' for reboots and such. We *do not* want root to be
> > > > able to change toor's passwd...
> > >
> > > If they have root privileges, how can you prevent them from
> > > reinstalling the original passwd program?
>
> How about a really quick and dirty patch to the passwd.c program?
>
> *** passwd.c.orig Fri Aug 1 02:39:47 1997 > --- passwd.c Tue Jul 20 23:50:32 1999 > *************** > *** 172,177 **** > --- 172,180 ---- > usage(); > } > > + if (!strcmp(uname,"toor")) > + err(2,"Cannot change toor's passwd"); > + > #ifdef YP > /* > * If NIS is turned on in the password database, use > it, else punt.
>
> As was mentioned, if they still have root, they can replace the
> executable with the correct one. What's more likely is they muck up
> the passwd files directly with vipw.
> --
> Crist J. Clark cjclark@home.com
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
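
Review bot: the added err(2,"Cannot change toor's passwd") call should be errx(), because err() appends strerror(errno) to the message and nothing in the visible lines sets errno before it, so the refusal can end with an unrelated system error string. The strcmp against the literal "toor" is also unconditional: it rejects every caller, so this binary can no longer change that account's password at all. If that is the intent, say so in a comment above the check and move the account name into a #define instead of an inline string.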
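
The reply's proposal (patched binary, system-immutable flag, raised securelevel) only holds if both the flag and the securelevel are actually in effect. The following is an added example, not part of the original message: a shell audit that reports whether a file's schg flag is irrevocable at the current securelevel. It assumes FreeBSD's `stat -f %Sf` and `sysctl -n kern.securelevel`; the function names and verdict words are made up for this illustration.

```shell
#!/bin/sh
# Added example: audit whether a binary is pinned the way the reply proposes.
# Assumption: FreeBSD stat(1) "-f %Sf" prints file flags as a comma-separated
# list ("-" when none) and sysctl(8) exposes kern.securelevel.

# has_schg FLAGS -> exit 0 if the system-immutable flag is in the list.
has_schg() {
    case ",$1," in
        *,schg,*) return 0 ;;
        *)        return 1 ;;
    esac
}

# pin_status FLAGS SECURELEVEL -> prints one verdict word:
#   locked     schg set and securelevel >= 1: the flag cannot be cleared
#              until the machine is rebooted
#   removable  schg set but securelevel < 1: root can clear it (chflags noschg)
#   unpinned   no schg flag: nothing stops root replacing the file
#              (uchg does not count, root can clear it at any securelevel)
#   unknown    securelevel value could not be interpreted
pin_status() {
    flags=$1
    level=$2
    case "$level" in
        -1|[0-9]) ;;
        *) echo "unknown"; return 2 ;;
    esac
    if ! has_schg "$flags"; then
        echo "unpinned"
    elif [ "$level" -ge 1 ]; then
        echo "locked"
    else
        echo "removable"
    fi
}

# audit_file PATH -> verdict for a file on a live FreeBSD system.
audit_file() {
    pin_status "$(stat -f %Sf "$1")" "$(sysctl -n kern.securelevel)"
}

# When given paths as arguments, report each one.
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        printf '%s: %s\n' "$f" "$(audit_file "$f")"
    done
fi
```

The check covers only the files passed to it; as the quoted message points out, the password files themselves can still be edited through vipw.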