From owner-freebsd-questions Fri Jul 18 11:37:52 1997
Message-Id: <199707181836.OAA03111@radford.i-plus.net>
From: "Troy Settle"
To: "Justin Ashworth"
Subject: Re: Change another user's password?
Date: Fri, 18 Jul 1997 14:40:08 -0400

From: Justin Ashworth
> This is where I was unclear in my previous message. I know it's possible
> to su to different users, but these users cannot change their own
> passwords because of their restricted shells, making the script also
> incapable of changing the user's password by logging in as that user.
> Ideally the script will be run as setuid chpasswd, a dummy user with shell
> access (vs. running as nobody...who has no shell access), to change the
> password. Even if I have chpasswd su to root, when I run passwd I won't be
> prompted for the old password before entering a new one. This is where I
> run into the problem of any user being able to change another user's
> password. So...if I can get the chpasswd user to change another user's
> password, I will be set. Can it be done?

What is the nature of these restricted shells?
At one time, I had a simple script as the shell, allowing users to do simple things, or even run a regular shell. Since then, I've grown a little more paranoid, and have changed everyone's shell to /usr/bin/passwd. Now, when they telnet to the mail server, all they are able to do is change their password. Shell access is provided on another machine that's kept isolated from the rest of the network.

Troy Settle
Network Administrator, iPlus Internet Services
http://www.i-Plus.net
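As an added example (not part of the thread), a small sh audit of the configuration Troy describes: it reads a passwd-format file and reports any non-system account whose login shell is not /usr/bin/passwd, so drift away from the password-only shell is caught. The sample passwd lines are constructed, and the UID >= 1000 cutoff for "non-system account" is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original thread. Audits a passwd-format
# file for accounts whose login shell differs from the restricted shell
# (/usr/bin/passwd, as in Troy's setup).

RESTRICTED_SHELL=/usr/bin/passwd

# Print "user:shell" for every account with UID >= 1000 (assumed cutoff for
# ordinary users) whose shell is not $RESTRICTED_SHELL. $1 is the passwd file.
audit_shells() {
    awk -F: -v want="$RESTRICTED_SHELL" '
        $3 >= 1000 && $7 != want { print $1 ":" $7 }
    ' "$1"
}

# Number of offending accounts, so a cron job can alert on a non-zero result.
count_violations() {
    audit_shells "$1" | wc -l | tr -d ' '
}

# Constructed sample passwd file so the audit runs offline.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/sbin/nologin
alice:*:1001:1001:Alice:/home/alice:/usr/bin/passwd
bob:*:1002:1002:Bob:/home/bob:/bin/sh
carol:*:1003:1003:Carol:/home/carol:/usr/bin/passwd
dave:*:1004:1004:Dave:/home/dave:/usr/local/bin/bash
EOF

audit_shells "$SAMPLE"
echo "violations: $(count_violations "$SAMPLE")"
```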