As far as I can tell, a user cannot become any user or escalate their privileges until they create a password:
Create and configure zfoo and zbar users: root@yoda:~# useradd -m zfoo root@yoda:~# useradd -m zbar root@yoda:~# passwd -d zbar passwd: password expiry information changed. root@yoda:~# grep z /etc/shadow zfoo:!:17036:0:99999:7::: zbar::17036:0:99999:7::: root@yoda:~# grep %sudo /etc/sudoers %sudo ALL=(ALL:ALL) ALL root@yoda:~# usermod -aG sudo zbar root@yoda:~# id zbar uid=1005(zbar) gid=1005(zbar) groups=1005(zbar),27(sudo) Become zfoo and try to become zbar: root@yoda:~# su - zfoo zfoo@yoda:~$ su - zbar Password: su: Authentication failure zfoo@yoda:~$ exit logout Become zbar and try to become zbar: root@yoda:~# su - zbar zbar@yoda:~$ su - zbar Password: su: Authentication failure Try to run sudo as zbar: zbar@yoda:~$ sudo id [sudo] password for zbar: Sorry, try again. [sudo] password for zbar: Sorry, try again. [sudo] password for zbar: Sorry, try again. sudo: 3 incorrect password attempts Change password: zbar@yoda:~$ passwd Enter new UNIX password: Retype new UNIX password: passwd: password updated successfully zbar@yoda:~$ sudo id [sudo] password for zbar: uid=0(root) gid=0(root) groups=0(root) Regards, - Robert On Tue, Aug 23, 2016 at 6:58 AM, Robert Citek <[email protected]> wrote: > Greetings all, > > On Ubuntu, I would like to have a user set their own password. So on > account creation I would do this: > > passwd --delete ${username} > chage -d 0 ${username} > > Are there any security risks created by running those commands? > > Regards, > - Robert -- -- Central West End Linux Users Group (via Google Groups) Main page: http://www.cwelug.org To post: [email protected] To subscribe: [email protected] To unsubscribe: [email protected] More options: http://groups.google.com/group/cwelug --- You received this message because you are subscribed to the Google Groups "Central West End Linux Users Group" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
