How to give a normal user permission to change root password
Solution 1
Don't do that... You can either give them root's password, or you could execute sudo passwd root (this assumes that sudo is set to use the user's password or no password, and that passwd is a command that sudo has authorized to be run by that user).
Solution 2
sudo is the swiss-army knife of customized permissions. You could ask the user to run
sudo /usr/bin/passwd root
To see how this might be enabled, here's a related example from the sudoers(5) manpage.
pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
The user pete is allowed to change anyone's password except for root on the HPPA machines. Note that this assumes passwd(1) does not take multiple usernames on the command line.
You'll have to invert the logic to achieve your ends, of course. So, you would execute visudo, and add a line like
user ALL = /usr/bin/passwd root
to /etc/sudoers.
Solution 3
If you don't trust the owner of the root account then there's probably no way to prevent that root user from removing this special permission. If you do trust the root user then just ask him for the current password.
Solution 4
Maybe you can add this line to the sudoers file (using visudo), replacing phunehehe with the username.
phunehehe localhost = NOPASSWD: /usr/bin/passwd
I don't know if that breaks your condition of a "normal user", though, because after that he/she has so much power.
EDIT: as per xenoterracide's comment :)
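The two sudoers lines above (Solution 2's "passwd root" only rule and Solution 4's unrestricted passwd rule) differ by exactly one argument, and that argument is the whole difference between "can reset root's password" and "can take over every account on the box". The following shell script is an added example, not code from any of the answers: it generates the narrow rule as an /etc/sudoers.d/ drop-in, lints a sudoers line for an unpinned passwd entry, and installs it through visudo -c -f rather than echo >>. The user name "manager", the path /usr/bin/passwd and an @includedir /etc/sudoers.d line in /etc/sudoers are assumptions.

```shell
#!/bin/sh
# Added example, not from any of the answers above. Builds the "passwd root
# only" sudo rule from Solution 2 as an /etc/sudoers.d/ drop-in, lints it
# against the unrestricted form from Solution 4, and installs it the safe way.
# Assumptions (hypothetical): the privileged user is "manager", passwd is
# /usr/bin/passwd, and /etc/sudoers has the usual "@includedir /etc/sudoers.d".

# Narrow rule: sudo compares the argument list literally, so "sudo passwd root"
# is allowed while "sudo passwd alice", "sudo passwd -d root" and a bare
# "sudo passwd" are all refused.
narrow_rule() {   # narrow_rule <user>
    printf '%s ALL = /usr/bin/passwd root\n' "$1"
}

# Broad rule from Solution 4 / xenoterracide's comment, for comparison: with no
# argument pinned the user may run "passwd <anyone>", which is full takeover of
# every account, and NOPASSWD also removes the re-authentication step.
broad_rule() {   # broad_rule <user>
    printf '%s localhost = NOPASSWD: /usr/bin/passwd\n' "$1"
}

# Lint: return 0 if every passwd entry in the rule's command list names exactly
# one plain account as its only argument, 1 otherwise (bare passwd, options,
# or globs such as the "[A-Za-z]*" in the sudoers(5) example).
passwd_entries_pinned() {   # passwd_entries_pinned <sudoers-line>
    _rhs=${1#*=}   # drop the "user host =" part
    printf '%s\n' "$_rhs" | tr ',' '\n' | grep -F /usr/bin/passwd |
        grep -Ev '^[[:space:]]*(NOPASSWD:[[:space:]]*)?!?/usr/bin/passwd[[:space:]]+[A-Za-z0-9_][A-Za-z0-9_-]*[[:space:]]*$' |
        grep -q . && return 1
    return 0
}

# Write the narrow rule to a file with the mode sudo requires for drop-ins.
write_fragment() {   # write_fragment <user> <path>
    narrow_rule "$1" > "$2" && chmod 0440 "$2"
}

# Install into the drop-in directory (run as root). The temp name contains a
# ".", which sudo ignores, so a half-written file is never parsed as a rule;
# "visudo -c -f" checks only that file, and a bad one is discarded rather than
# left in place. Appending to /etc/sudoers with "echo >>" skips this check, and
# one typo there locks every sudo user out.
install_rule() {   # install_rule <user> [<drop-in-dir>]
    dir=${2:-/etc/sudoers.d}
    tmp=$(mktemp "$dir/$1.XXXXXX") || return 1
    write_fragment "$1" "$tmp" || { rm -f "$tmp"; return 1; }
    if ! visudo -c -f "$tmp" >/dev/null; then
        rm -f "$tmp"; return 1
    fi
    mv "$tmp" "$dir/$1"
}

# Unprivileged demonstration: print both rules and the manpage example with
# the lint verdict for each.
for rule in "$(narrow_rule manager)" "$(broad_rule manager)" \
            'pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root'; do
    if passwd_entries_pinned "$rule"; then verdict=pinned; else verdict=UNRESTRICTED; fi
    printf '%-12s %s\n' "$verdict" "$rule"
done
```

install_rule must run as root; everything else, including the demo loop, runs unprivileged. Because sudo matches the argument vector literally, the narrow rule lets the user open an interactive passwd prompt for root and nothing more: passwd -l root, passwd -d root or passwd alice all fall outside the rule and are refused.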
Solution 5
Can't he use run level 1 to change the root password?
What I have in mind is
- Set a grub password so that not every user can change the run level at boot time.
- This password is given to the normal user who might need to change the root password in future.
- Now if the need arises to change the root password, he can modify the grub parameters at boot time: press 'a', give the grub password and then give 1, so that the machine boots into run level 1.
- Once in run level 1, he can change the root password.
The obvious disadvantage of this procedure is that the machine has to be rebooted, and while it's in run level 1 it will be offline.
Kindly mention the flaws that you find in this procedure.
Amree
Updated on September 17, 2022
Comments
- Amree, over 1 year: Please do not ask why, but is it possible to do it?
  p/s: I know it's not a good thing, let's just say someone from the top management who is computer illiterate wants some sort of control over the server.
- Kurt, over 13 years: Don't we have an 'evil' tag? :P
- Dean Hill, over 13 years: Can't resist. Why?
- Admin, over 13 years: giving a user the right to change the root password is the same as giving them full root access, so why bother giving them "only" password-changing access?
- ElBel, over 13 years: He probably heard the story about the San Francisco network admin. It's not that stupid, if he can be trusted to use this power only in such an emergency.
- Stefan, over 13 years: @starblue, what story of the San Francisco network admin?
- msw, over 13 years: This question is pretty meaningless without a why. It's much easier to create a SUID trojan shell and hide it someplace that looks reasonable but boring (this also works for hiding contraband from your parents, aurorius (without the SUID bit, which doesn't do much for contraband)).
- ElBel, over 13 years
- imz -- Ivan Zakharyaschev, almost 13 years: @hop: I could imagine the following situation where there is a difference. What if someone else who has access to root changes root's password? Then, if you knew the old password, you don't have the access anymore. But if you still can change the password as another user, it's "ok". Of course, if the password change was intentional, the changer could also disable this user to the degree wished. Also, there are often other ways to overcome losing root's password, such as booting another OS, mounting the partition, and changing the password then. Back to the Q: a 2nd root (e.g., toor) might work.
- Admin, almost 13 years: @imz: you are confusing authorization with authentication. If the boss' authentication is not done via the root password, his authorization to do root stuff is not depending on him knowing the root password either.
- imz -- Ivan Zakharyaschev, almost 13 years: @hop: yes, I agree with you. In my mind, I simplified "giving them full root access" to "giving them the password to authenticate themselves as root" when I read your comment. If understood in the precise way, your words are not something that makes my comment relevant.
- G-Man Says 'Reinstate Monica', over 2 years: There are two elephants in the room. (1) The smaller one is a question: How is the system configured? Is it configured to use both sudo and su? If su is disabled, what good does the root password do? And, if you don’t have sudo enabled, that knocks out the best answer. (2) There’s a big, obvious difference between “giving them full root access” and this. With “full root access”, the person can do anything, any time, possibly without being detected. With this “change the password” hack, it will (probably) be obvious if they do it. … (Cont’d)
- G-Man Says 'Reinstate Monica', over 2 years: (Cont’d) … (This gets back to elephant #1 — if everybody else uses sudo, will they notice if the root password has been changed? You could add a tripwire so all the regular sysadmins get notified when the manager does this.) It’s like having a locked door with a breakable window — you allow emergency access, but you make it obvious that the access has been taken.
- U. Windl, over 2 years: Please explain "some sort of control"! You can have as many super-users as you like; they do not depend on the name root but on the UID 0. Let the slaughter begin ;-)
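G-Man's tripwire idea above can be made concrete with two checks: read the sudo record that the rule from Solution 2 leaves in the auth log, and compare the root entry of /etc/shadow against a saved baseline, which also catches a change made through single-user mode as in Solution 5, where sudo never runs. The script below is an added example, not from the original page; the log lines and shadow entries in it are constructed sample data with placeholder hashes, and the /var/log/auth.log location, the host name web1 and the user manager are assumptions.

```shell
#!/bin/sh
# Added example, not from the original answers or comments: the "tripwire"
# from G-Man's comment, as two checks that can run from cron. The log lines
# and shadow entries below are constructed sample data with bogus hashes.
# Assumptions (hypothetical): sudo logs via syslog to /var/log/auth.log
# (Debian layout; RHEL uses /var/log/secure) and the emergency user is "manager".

# 1. Every sudo invocation is logged in a fixed format, so a "passwd root"
#    through the sudo rule leaves this record. Anchoring the command at end of
#    line keeps "passwd root2" or extra options from matching.
passwd_root_events() {   # passwd_root_events <auth-log> -> "date time user" per hit
    awk '/ sudo: / && / COMMAND=\/usr\/bin\/passwd root$/ {
             split($0, f, " sudo: "); sub(/ :.*/, "", f[2]); gsub(/^ +/, "", f[2])
             print $1, $2, $3, f[2]
         }' "$1"
}

# 2. sudo logging is bypassed by single-user mode (Solution 5) or a live CD,
#    so also watch the root entry of /etc/shadow itself: the hash plus the
#    "days since epoch of last change" field.
root_shadow_fingerprint() {   # root_shadow_fingerprint <shadow-file>
    awk -F: '$1 == "root" { print $2 ":" $3; exit }' "$1"
}

# Compare the current fingerprint to a stored baseline.
# Returns 0 unchanged, 1 changed (alert), 2 no root entry found.
root_password_changed() {   # root_password_changed <baseline-file> <shadow-file>
    cur=$(root_shadow_fingerprint "$2")
    [ -n "$cur" ] || return 2
    [ "$cur" = "$(cat "$1")" ] && return 0
    return 1
}

# Constructed sample data (hashes are placeholders, not real SHA-512 crypt).
SAMPLE_AUTH_LOG='Sep 17 02:14:05 web1 sudo:  manager : TTY=pts/0 ; PWD=/home/manager ; USER=root ; COMMAND=/usr/bin/passwd root
Sep 17 02:14:09 web1 passwd[2211]: pam_unix(passwd:chauthtok): password changed for root
Sep 17 03:00:00 web1 sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Sep 17 03:05:12 web1 sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/passwd root2'
SHADOW_BEFORE='root:$6$salt1$FAKEHASH_A:19000:0:99999:7:::
manager:$6$salt2$FAKEHASH_B:19000:0:99999:7:::'
SHADOW_AFTER='root:$6$salt3$FAKEHASH_C:19252:0:99999:7:::
manager:$6$salt2$FAKEHASH_B:19000:0:99999:7:::'

# Run both checks over the sample data and print what a cron job would mail.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' "$SAMPLE_AUTH_LOG" > "$d/auth.log"
    printf '%s\n' "$SHADOW_BEFORE"   > "$d/shadow.baseline.src"
    printf '%s\n' "$SHADOW_AFTER"    > "$d/shadow"
    root_shadow_fingerprint "$d/shadow.baseline.src" > "$d/baseline"
    echo "sudo passwd root invocations:"
    passwd_root_events "$d/auth.log"
    if root_password_changed "$d/baseline" "$d/shadow"; then
        echo "root shadow entry: unchanged"
    else
        echo "ALERT: root shadow entry changed since baseline"
    fi
    rm -rf "$d"
}
demo
```

Run it from cron as root (the shadow file is root-readable only), save the output of root_shadow_fingerprint once as the baseline, and mail whatever passwd_root_events prints plus any non-zero result from root_password_changed. Since passwd salts freshly on every change, the hash field differs even if the same password is set again, so the shadow check fires on every reset and not only on a new password.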
- xenoterracide, over 13 years: I don't know why you'd think he'd need this. He didn't ask you to make it passwordless. Why reduce the security of the system more than necessary? If you're doing anything like this it should be
  user localhost = NOPASSWD: /usr/bin/passwd
  which would limit the security access to just that.
- G-Man Says 'Reinstate Monica', over 2 years: (1) This is wordy and unclear. (2) More importantly, it more-or-less duplicates a couple of old answers without explaining the differences. Is your answer better than the others? If so, why? (3) Please don’t tell people to edit their /etc/sudoers file with echo and >>.
- G-Man Says 'Reinstate Monica', over 2 years: What does “the owner of the root account” mean? Are you suggesting that Ralph Oot might be given the username “root” (like in the current TV commercial, where the robot goes to a coffee shop, and the barista labels his cup “Rob Ott”)? (Believe it or not, I wrote this comment before I took a good look at your identicon image.)
- G-Man Says 'Reinstate Monica', over 2 years: But you and I seem to be interpreting this question in totally different ways. You seem to believe that it’s about protecting the system against a rogue sysadmin who might change the root password and not tell anybody the new password. I believe that it’s about giving a manager immediate emergency access to root privilege at off-hours, without needing to bother anybody immediately.
- potsed, over 2 years: @g-man the only control you have is trust. If you trust your admins, they can set up a system that provides enough access control, like sharing the root password or adding a certain user to sudoers. But if you don't trust your admins there's nothing you can do to stop them from messing up your system. Hence just sharing the root password. 12 years later I would add "design your network with disaster recovery including losing access to certain accounts or systems" but ultimately there are some keys which need to be shared.