From owner-freebsd-questions  Tue Jul 20 20:58:50 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207])
	by hub.freebsd.org (Postfix) with ESMTP id 3151E14FA5
	for <questions@FreeBSD.ORG>; Tue, 20 Jul 1999 20:58:47 -0700 (PDT)
	(envelope-from cjc@cc942873-a.ewndsr1.nj.home.com)
Received: (from cjc@localhost)
	by cc942873-a.ewndsr1.nj.home.com (8.9.3/8.8.8) id XAA07371;
	Tue, 20 Jul 1999 23:59:09 -0400 (EDT)
	(envelope-from cjc)
From: "Crist J. Clark" <cjc@cc942873-a.ewndsr1.nj.home.com>
Message-Id: <199907210359.XAA07371@cc942873-a.ewndsr1.nj.home.com>
Subject: Re: passwd
In-Reply-To: <Pine.BSF.4.10.9907191633090.26046-100000@wank.necropolis.org> from Todd Backman at "Jul 19, 99 04:35:37 pm"
To: todd@wank.necropolis.org (Todd Backman)
Date: Tue, 20 Jul 1999 23:59:09 -0400 (EDT)
Cc: jonc@pinnacle.co.nz, questions@FreeBSD.ORG
Reply-To: cjclark@home.com
X-Mailer: ELM [version 2.4ME+ PL40 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Todd Backman wrote,
> 
> We can't. Reinstalling would take effort and we just don't want the
> customer to possibly "fat-finger" the passwd for 'toor'...
> 
> Thanks.
> 
> 
> On Tue, 20 Jul 1999, Jonathan Chen wrote:
> 
> > On Mon, 19 Jul 1999, Todd Backman wrote:
> > 
> > > 
> > > Is there any way to hack FreeBSD's passwd utility to dis-allow root from
> > > changing toor's passwd? I have approx. 15 boxen for external customers
> > > that I would like to passwd 'toor' so our NOC people do not have to know
> > > root for each customer. Customers can have thier own root passwd and the
> > > NOC folk can have 'toor' for reboots and such. We *do not* want root to be
> > > able to change toor's passwd... 
> > 
> > If they have root privileges, how can you prevent them from
> > reinstalling the original passwd program?

How about a really quick and dirty patch to the passwd.c program?

*** passwd.c.orig       Fri Aug  1 02:39:47 1997
--- passwd.c    Tue Jul 20 23:50:32 1999
***************
*** 172,177 ****
--- 172,180 ----
                usage();
        }
  
+       if (!strcmp(uname,"toor"))
+         err(2,"Cannot change toor's passwd");
+ 
  #ifdef YP
        /*
         * If NIS is turned on in the password database, use it, else punt.

As was mentioned, if they still have root, they can replace the
executable with the correct one. What's more likely is they muck up
the passwd files directly with vipw.
-- 
Crist J. Clark                           cjclark@home.com


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message