1. Home
  2. Linux systems
  3. Linux security

Recipe 5.12 Authorizing Password Changes via sudo

5.12.1 Problem

You want to permit a user to change the passwords of certain other users.

5.12.2 Solution

To permit smith to change the passwords of jones, chu, and agarwal:

/etc/sudoers:
smith  ALL = NOPASSWD: \
        /usr/bin/passwd jones, \
        /usr/bin/passwd chu, \
        /usr/bin/passwd agarwal

The NOPASSWD tag is optional, for convenience. [Recipe 5.4]

5.12.3 Discussion

As another example, permit a professor to change passwords for her students, whose logins are student00, student01, student02,...up to student99.

/etc/sudoers:
prof  ALL = NOPASSWD: /usr/bin/passwd student[0-9][0-9]

Note that this uses shell-style wildcard expansion; see sudoers(5) for the full syntax.

5.12.4 See Also

sudo(8), sudoers(5).



    		Preface
    		Chapter 1. System Snapshots with Tripwire
    		Chapter 2. Firewalls with iptables and ipchains
    		Chapter 3. Network Access Control
    		Chapter 4. Authentication Techniques and Infrastructures
    		Chapter 5. Authorization Controls
    		Recipe 5.1 Running a root Login Shell
    		Recipe 5.2 Running X Programs as root
    		Recipe 5.3 Running Commands as Another User via sudo
    		Recipe 5.4 Bypassing Password Authentication in sudo
    		Recipe 5.5 Forcing Password Authentication in sudo
    		Recipe 5.6 Authorizing per Host in sudo
    		Recipe 5.7 Granting Privileges to a Group via sudo
    		Recipe 5.8 Running Any Program in a Directory via sudo
    		Recipe 5.9 Prohibiting Command Arguments with sudo
    		Recipe 5.10 Sharing Files Using Groups
    		Recipe 5.11 Permitting Read-Only Access to a Shared File via sudo
    		Recipe 5.12 Authorizing Password Changes via sudo
    		Recipe 5.13 Starting/Stopping Daemons via sudo
    		Recipe 5.14 Restricting root's Abilities via sudo
    		Recipe 5.15 Killing Processes via sudo
    		Recipe 5.16 Listing sudo Invocations
    		Recipe 5.17 Logging sudo Remotely
    		Recipe 5.18 Sharing root Privileges via SSH
    		Recipe 5.19 Running root Commands via SSH
    		Recipe 5.20 Sharing root Privileges via Kerberos su
    		Chapter 6. Protecting Outgoing Network Connections
    		Chapter 7. Protecting Files
    		Chapter 8. Protecting Email
    		Chapter 9. Testing and Monitoring
    		Colophon