It's not possible to forbid an admin from changing the password of another admin if that first admin has full access to the system. You can try blocking access to /usr/bin/passwd with sudoers, but then the malicious admin could always copy the file to a new name and then run that.
Code:
%admin2 ALL=(ALL) PASSWD: /usr/bin/apt-get
That will allow any user in the group admin2 to install or remove software using apt-get. They will have to type their own password first. Then there is a period during which they can continue to use sudo without a password until the timestamp_timeout interval is hit. See the manual page for sudoers(5) for the details, but the default is 15 minutes. If you change PASSWD: to NOPASSWD: then they can run the subsequent programs without needing to enter their own password.
In addition to specifying a program, you can limit the account to using specific options:
Code:
%helper ALL=(ALL) NOPASSWD: /sbin/ifconfig eth0 *
That would allow users in the group helper to run ifconfig but only when working with eth0.
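As an added illustration (not part of the post above), this Python model shows how sudo decides whether a command and its arguments fit rules like the two quoted; the parser, the Rule layout and the sample inputs are my own assumptions and handle only the `%group ALL=(ALL) TAG: /path [args]` shape used here.

```python
import fnmatch
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sudoers lines in the shape used in the post above.
SUDOERS = [
    "%admin2 ALL=(ALL) PASSWD: /usr/bin/apt-get",
    "%helper ALL=(ALL) NOPASSWD: /sbin/ifconfig eth0 *",
]

# Only the '%group ALL=(ALL) TAG: /path [args]' shape is handled (assumption).
LINE = re.compile(
    r"^%(?P<group>\S+)\s+ALL=\(ALL\)\s+(?P<tag>NOPASSWD|PASSWD):\s+"
    r"(?P<cmd>\S+)(?:\s+(?P<args>.*\S))?\s*$"
)

@dataclass
class Rule:
    group: str            # group allowed to use the rule (without the leading '%')
    nopasswd: bool        # True for NOPASSWD:, False for PASSWD:
    command: str          # absolute path of the permitted program
    args: Optional[str]   # argument pattern; None means any arguments are allowed

def parse_rule(line: str) -> Rule:
    m = LINE.match(line)
    if not m:
        raise ValueError(f"unsupported sudoers line: {line!r}")
    return Rule(m["group"], m["tag"] == "NOPASSWD", m["cmd"], m["args"])

def permits(rules, user_groups, command, argv):
    """Return 'PASSWD', 'NOPASSWD' or None for a user's groups, command path and argv."""
    for rule in reversed(rules):  # sudo applies the last matching entry
        if rule.group not in user_groups or command != rule.command:
            continue  # the path must match exactly; a renamed copy of the binary does not
        if rule.args is not None:
            # sudo compares the pattern against the whole space-joined argument string,
            # so '*' also matches across word boundaries (sudoers(5) warns about this)
            if not fnmatch.fnmatchcase(" ".join(argv), rule.args):
                continue
        return "NOPASSWD" if rule.nopasswd else "PASSWD"
    return None

RULES = [parse_rule(line) for line in SUDOERS]

if __name__ == "__main__":
    print(permits(RULES, {"helper"}, "/sbin/ifconfig", ["eth0", "up"]))       # NOPASSWD
    print(permits(RULES, {"helper"}, "/sbin/ifconfig", ["eth1", "up"]))       # None
    print(permits(RULES, {"admin2"}, "/usr/bin/apt-get", ["install", "vim"]))  # PASSWD
```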