>>>>> "Bish" == USM Bish <usmbish@...> writes:
Bish> On Tue, Mar 26, 2002 at 08:02:54PM +0530, R. K. Mehta wrote:
>> I want some particular users to be unable to change their passwd.
>> How to do it? Pl. help.
Bish> AFAIK, no such switch has been built into
Bish> /usr/bin/passwd. In case you want a policy of having *ALL*
Bish> users having no direct access to passwd binary, and all have
Bish> to effect changes (if needed) through the sys-admin/
Bish> super-user, then move the file /usr/bin/passwd to /sbin, or
Bish> change permissions. Note, passwd binary normally has suid
Bish> bit set ( -rws--x--x ), and is owned by root.bin. I do not
Bish> think that you can deny access to /usr/bin/passwd for a
Bish> single (or specific) user.
You could do it by manipulating groups:
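    groupadd pwgroup   # the group must exist before usermod/chgrp
    # -a appends to the supplementary groups; -G alone replaces them
    for i in <list of users permitted> ; do usermod -a -G pwgroup "$i" ; done
    chgrp pwgroup /usr/bin/passwd
    chmod 4510 /usr/bin/passwd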
Now only users who have pwgroup as a supplementary group would be able
to use the passwd utility. Another possibility is to replace passwd
with a wrapper which checks the user ID before calling the original
program, but that's more of a hack and smells strongly of security by
obscurity (as does the idea of putting passwd in /sbin).
The ideal way to do it, of course, would be to add a PAM module.
Raju Mathur raju@... http://kandalaya.org/
It is the mind that moves
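
An audit check for the group-gated setup described in the message above, as an added example that is not part of the original post. A package upgrade of passwd can restore the packaged owner and mode, which silently reopens the gate. The function name gate_problems is hypothetical, and GNU stat is assumed.

```shell
#!/bin/sh
# gate_problems FILE OWNER GROUP   (hypothetical helper, added example)
# Prints one line per deviation from "OWNER:GROUP, mode 4510".
# Returns 0 if the gate is intact, 1 on any deviation, 2 if stat fails.
gate_problems() {
    file=$1; want_owner=$2; want_group=$3; bad=0
    # GNU stat (assumption): %U owner name, %G group name, %a octal mode
    info=$(stat -c '%U %G %a' "$file") || return 2
    set -- $info
    [ "$1" = "$want_owner" ] || { echo "owner is $1, expected $want_owner"; bad=1; }
    [ "$2" = "$want_group" ] || { echo "group is $2, expected $want_group"; bad=1; }
    case $3 in
        4510)    ;;   # setuid, owner r-x, group --x, others nothing
        *[1357]) echo "mode $3: world-executable, any user can run it"; bad=1 ;;
        *)       echo "mode is $3, expected 4510"; bad=1 ;;
    esac
    return $bad
}

# Typical use from cron or a post-upgrade hook:
#   gate_problems /usr/bin/passwd root pwgroup || logger "passwd gate changed"
```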