Look for the "rootpw", "targetpw" or "runaspw" option in the Sudoers file. These would force it to ask for root's password instead of the issuing user's password. While not the program default, many distributions come with one of these set.
Also, your guard against the use of the passwd command will not work, as the user could just do "sudo bash" to give themselves a root shell, and execute the passwd command from there. It is very difficult to restrict what a user will do once you've opened the floodgates. The only real way is to restrict the user to specific, known, needed commands. Even then, you can let something slip through that would allow them to run a command within the program you've allowed (such as vi), that would give them a shell, and thus access to everything.

--
Robert P. Nix          Mayo Foundation
RO-OC-1-13             200 First Street SW
507-284-0844           Rochester, MN 55905
-----
"In theory, theory and practice are the same, but in practice, theory and practice are different."

-----Original Message-----
From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of LJ Mace
Sent: Friday, May 26, 2006 1:22 PM
To: [email protected]
Subject: Re: Help with the sudoer file

Mark,
Thank you for the quick reply. I tried it again with the operator's password and I got "sorry try again" and when I entered the root password it took off. What am I goofing up??
thanks
Mace

"Post, Mark K" <[EMAIL PROTECTED]> wrote:

The password that sudo requests is the password of the user issuing the sudo command. So, if Oper01 issues the sudo command, it will be prompted for the Oper01 password. You can use the nopasswd option on any sudoers entry, but it's not really recommended.

Mark Post

-----Original Message-----
From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of LJ Mace
Sent: Friday, May 26, 2006 1:59 PM
To: [email protected]
Subject: Re: Help with the sudoer file

Thank you that worked great. Now I have 1 more question. After I enter the command it asks for the password, I have to reply with the root password. Besides not authenticating (which I guess would be NOT having to enter a password) is there any other way to do this??
thanks
Mace

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
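
An added example, not part of the thread and not from any of its authors: a small Python audit that flags the sudoers settings discussed above (the `rootpw`/`targetpw`/`runaspw` Defaults, `NOPASSWD`, unrestricted `ALL`, and shell-capable programs such as bash and vi). The sample sudoers text, the user names and the `SHELL_CAPABLE` list are constructed assumptions; aliases and include files are not expanded.

```python
import re

PW_FLAGS = {"rootpw", "targetpw", "runaspw"}   # flags named in the thread
SHELL_CAPABLE = {"bash", "sh", "vi", "vim"}    # illustrative list, not exhaustive

SAMPLE = """\
# constructed sample; user names and paths are made up
Defaults targetpw
Defaults !rootpw
oper01 ALL = (root) /sbin/shutdown, \\
                    /usr/bin/vi /etc/hosts
oper02 ALL = (ALL) NOPASSWD: ALL
oper03 ALL = (root) /usr/bin/lpstat
"""

def audit_sudoers(text):
    """Return (subject, finding) tuples for settings the thread warns about."""
    findings = []
    text = re.sub(r"\\\n", " ", text)              # join continuation lines
    for line in map(str.strip, text.splitlines()):
        # Comments are skipped; so are #include lines and aliases (not expanded here).
        if not line or line.startswith("#") or re.match(r"\w+_Alias\b", line):
            continue
        if line.startswith("Defaults"):
            params = line.split(None, 1)[1:]       # empty if no parameters
            for item in ",".join(params).split(","):
                if item.strip() in PW_FLAGS:       # "!flag" is a negation: ignored
                    findings.append(("Defaults", item.strip()))
            continue
        if "=" not in line:
            continue
        user, spec = line.split("=", 1)
        user = user.split()[0]
        spec = re.sub(r"\([^)]*\)", "", spec)      # drop the (runas) part
        if "NOPASSWD:" in spec:
            findings.append((user, "NOPASSWD"))
        spec = re.sub(r"\b[A-Z_]+:", "", spec)     # drop tags such as NOPASSWD:
        for cmd in filter(None, (c.strip() for c in spec.split(","))):
            path = cmd.split()[0]
            if path == "ALL":
                findings.append((user, "ALL commands"))
            elif path.rsplit("/", 1)[-1] in SHELL_CAPABLE:
                findings.append((user, "shell-capable: " + path))
    return findings

if __name__ == "__main__":
    for subject, finding in audit_sudoers(SAMPLE):
        print(f"{subject}: {finding}")
```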
