Page 1 of 2 12 LastLast
Results 1 to 10 of 12

Thread: How to allow an admin to do everything except changing password of another admin : Ub

  1. #1
    Join Date
    Jun 2013
    Beans
    6

    Question How to allow an admin to do everything except changing password of another admin : Ub

    Hi everyone,

    I need some help about Ubuntu 12.04.

    I would like to make some "levels" for a multi-session Ubuntu PC. For example, having 3 groups :
    • Admin 0 // Contents the first one who has been created and has the right to be root
    • Admin 1 // The second one, has the right to do everything (root) but not changing password of the one who is in the Admin 0 group
    • Admin 2 // Those in this group are only allow to install. Their passwords should be changed by those who are in Admin 1


    After some searches, i've found that it's possible to allow or to forbid a group to do something with visudo, editing the sudoers file. And my Admin 0 refers to the %admin of this sudoers file.

    Nevertheless, i don't know which command adding.

    I would like to add something like that :
    • %Admin 1 ALL = (root) PASSWD: /here the path to the file wich allows or not the modify password/



    What do you think about it? I don't know what is the file which is concerned in this case. Also, what should i had to allow the Admin 1 group to modify password of the Admin 2 group?


    Thanks for your answers.


    Nicolas
    Last edited by lisati; June 12th, 2013 at 10:07 AM. Reason: Edit formatting

  2. #2
    Join Date
    Sep 2006
    Beans
    8,281
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: How to allow an admin to do everything except changing password of another admin

    The level Admin1 can't really be achieved because it's not possible to select by negation in Sudo, only by inclusion. However, the level Admin 2 can be done easily by adding the right programs, at least for the text interface.

    Code:
    %admin2 ALL=(ALL) PASSWD: /usr/bin/apt-get
    Though there might be a way for them to get around that with 'apt-get -c' but that would require deliberate planning on their part and means you have a social problem not a technical problem.

    About which programs you need to add for the graphical Software Center, that's a bit harder to figure out.

  3. #3
    Join Date
    Jun 2013
    Beans
    6

    Re: How to allow an admin to do everything except changing password of another admin

    Hi Lars Noodén,

    Thanks a lot for your quick answer.
    So, if i understand well, it's not possible to forbid an admin to change the password of another admin?

    I thought that PASSWD was link to the ask of the password, so i write this command


    %admin2 ALL=(ALL) PASSWD: /usr/bin/apt-get

    That will ask a password for installing or that will just not ask one? And which password, the one of those who are trying to install, or an admin password?

  4. #4
    Join Date
    Sep 2006
    Beans
    8,281
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: How to allow an admin to do everything except changing password of another admin

    It's not possible to forbid an admin from changing the password of another admin if that first admin has full access to the system. You can try blocking access to /usr/bin/passwd with sudoers, but then the malicious admin could always copy the file to a new name and then run that.

    Code:
    %admin2 ALL=(ALL) PASSWD: /usr/bin/apt-get
    That will allow any user in the group admin2 to install or remove software using apt-get. They will have to type their own password first. Then there is a period that they can continue to use sudo without a password until the timestamp_timeout interval is hit. See the manual page for sudoers(5) for the details, but the default is 15 minutes. If you change PASSWD: to NOPASSWD: then they can run the subsequent programs without needing to enter their own password.

    In addition to specifying a program, you can limit the account to using specific options:

    Code:
    %helper ALL=(ALL) NOPASSWD: /sbin/ifconfig eth0 *
    That would allow users in the group helper to run ifconfig but only when working with eth0.

  5. #5
    Join Date
    Jun 2013
    Beans
    6

    Re: How to allow an admin to do everything except changing password of another admin

    I've thought about this solution to forbid the access to /usr/bin/passwd (but is it directly link to /etc/shadow ?). Nevertheless, i'll probably risk to not be able to connect with a member of the admin 1 group if he doesn't have the right to access to the password folder?

    Also, if they are in "sudo mode" (for the admin2 group), they are only able to install with an apt-get, but they're not able to do other things, no?

    Last, what is eth0??

    Perhaps, should i be able to forbid the admin1 group to launch the exec or file which allows to change a password?

  6. #6
    Join Date
    Sep 2006
    Beans
    8,281
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: How to allow an admin to do everything except changing password of another admin

    Quote Originally Posted by solarinside View Post
    I've thought about this solution to forbid the access to /usr/bin/passwd (but is it directly link to /etc/shadow ?).
    Then all they'd need to get around that is to copy /usr/bin/passwd to /usr/local/bin/chpassword and run that. Negation cannot work with sudo. You have to find rules that do what you want working inclusively.

    Quote Originally Posted by solarinside View Post
    Nevertheless, i'll probably risk to not be able to connect with a member of the admin 1 group if he doesn't have the right to access to the password folder?

    Also, if they are in "sudo mode" (for the admin2 group), they are only able to install with an apt-get, but they're not able to do other things, no?
    If the only program listed for their account is apt-get, then that's all they can run. If you want you can get very specific about which programs they actually can run and even which parameters and options they are allowed to use. Read the manual page for sudoers especially the section about "Wildcards"

    Quote Originally Posted by solarinside View Post
    Last, what is eth0??

    Perhaps, should i be able to forbid the admin1 group to launch the exec or file which allows to change a password?
    eth0 is the first ethernet interface, it's a common network interface found on connected systems and thus a good example.

  7. #7
    Join Date
    Jun 2013
    Beans
    6

    Re: How to allow an admin to do everything except changing password of another admin

    Well perhaps it's possible to forbid a member of the admin 1 to not copy /bin/password, isn't it?

  8. #8
    Join Date
    Sep 2006
    Beans
    8,281
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: How to allow an admin to do everything except changing password of another admin

    In addition to cp, there's tar, cpio, rsync, dump/restore, zip, gzip, bzip2, grsync, and many, many more. You'd then have to figure out all the combinations that would prevent running a copy of /usr/bin/passwd or /bin/su or overwriting /etc/shadow. It might be doable but the sudoers file would be thousands of lines long at least and one mistake would let loose the whole zoo. In practice it's not possible to use negation to control access with sudo. Better to use the honor system. Either they are reliable and worthy of full root, or else just give them access to specific individual programs one at a time.

  9. #9
    Join Date
    Jun 2013
    Beans
    6

    Re: How to allow an admin to do everything except changing password of another admin

    Ok, I see, very difficult!

    Someone has suggested me this command :


    %admin1 ALL = !/usr/bin/passwd

    But he is agree with the fact that if can't change the root password, it should be impossible for an admin1 to change the password of an admin2...

  10. #10
    Join Date
    Sep 2006
    Beans
    8,281
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: How to allow an admin to do everything except changing password of another admin

    Quote Originally Posted by solarinside View Post
    Someone has suggested me this command :
    %admin1 ALL = !/usr/bin/passwd
    That case is covered in the description above. Several ways around it:

    sudo /bin/bash
    passwd admin2

    Or

    sudo cp /usr/bin/passwd /usr/local/bin/passwd
    sudo /usr/local/bin/passwd admin2

    Or

    sudo su -c "passwd admin2"

    And so on and so forth.

Page 1 of 2 12 LastLast

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •