APOLOGIES FOR NOT RESPONDING SOONER........
THANKS TO ALL OF YOU THAT RESPONDED, GREAT HELP
I ended up testing and implementing "sudo". It works well,
It has allowed me to setup a script/menu system for the helpdesk
and get them to do the "hack" work of resetting passwords. I have
also implemented a system to expire passwords under C2 using
permissions gained under "sudo". One good feature is its logging
of allowed and denied accesses.
Once again thanks to all of you.
                                                         Regards,
     Craig Makin
     System Administrator
     Ferntree Computer Corp.
     Perth, Australia
PS. Thanks to Kent Arnott for reminding me to post this summary 
COMPLETE LIST OF REPLIES FOLLOWS:
From: rosenblg _at_ nyu.edu  
we wrote exactly that thing; let me know if you want it - it's not great,
it works by allowing users in a specified group to reset passwords.
however it works for us, and it works with C2-level security.
     gary
From: yakoshi _at_ osa.dec.com ("Akihito 'ycos' Yakoshi")  
Hi Craig,
Do you want to run a shell script with the sticky (setuid) bit?
Then try using a wrapper program.
 #include <stdlib.h>
 #include <unistd.h>

 int main(void)
 {
  setuid(0);                    /* become root: the wrapper binary must be setuid root */
  system("YOUR SCRIPT HERE");   /* run the script; give its full path */
  return 0;
 }
* SCRIPT name: FULL PATH only, for security, and use this wrapper.
+----------------------------------------------------------------------+
| Akihito Yakoshi                   | Digital Equipment Co. Japan      |
| EMail to:  yakoshi_at_osa.dec.com    | PSC/SI WJ4   Ext. 8+682-9400     |
|       or  yakoshi_at_osa.dec-j.co.jp | KTOSWS::YAKOSHI(EASYnet,VAXmail) |
+----------------------------------------------------------------------+
From: smadden _at_ csu.EDU.AU ("Steve Madden (Unix Systems Programmer)")  
Hi Craig,
Yes I have an operator menu that activates when operator logs in.
One of the options is change password, upon selecting that they are 
prompted for a username, then for a change password password (so they can 
leave the menu up all day and not worry about abuse at lunch or whatever) 
so an admin passwd must be supplied for each change. Then I check the 
group of the user they are trying to change, they are only allowed to 
change gid 7000 and the whole occurrence is logged in /var/adm. It is 
secure, captures all sigs, and logs them out if they try anything tricky.
Sounds good doesn't it?  Well this is how I did it...
 1) I wrote the menu program in Perl, which resides in their home directory.
 2) The menu option that calls for a password change, gets the user 
    information, checks the validity (they are allowed), and calls a 
    passwd.pl program - also written in Perl.
 3) The passwd.pl program first takes in the username parameter and then 
    asks for the supervisor password.
 4) If the given password is correct and a valid userid is passed, the script
    (This part is cute) writes its own little (5 line) c program to force the
    execution of passwd as root for that user only.
 5) Then it compiles it, runs it and removes it.
 6) The user only sees enter username, and if valid enter new password and
    verify new password and then returns to the menu. 
 7) It sounds slow, but it's actually so fast no one believed that's how I was
    doing it.
Scripts and Code to those genuinely impressed and willing to leave my 
name intact in the scripts.
Steve..
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Steve Madden     Phone: 61 (069) 332823
Unix Systems Programmer        Email: smadden_at_csu.edu.au
             Charles Sturt University - Australia 
                 Riverina Campus
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   "The BEST way to accelerate a Mac is at 9.8 metres/sec (/sec)" 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From: haymanr _at_ icefog.sois.alaska.edu ("Randy M. Hayman")  
I've got some code to do just this sort of thing, but
the change-password utility (user_cpw) among others
comes as part of an account maintenance package.
If you're interested, you can get the source, docs, and
setld installable package via anonymous ftp or point your
browser at:
ftp://raven.alaska.edu/pub/randy/zuausr/zuausr-1.08a.tar.gz
Randy M. Hayman
haymanr_at_icefog.alaska.edu
From: henckens _at_ luc.ac.be (Andres Henckens)  
I haven't tried it out on a DU system, but SUDO is a program to give 
partial root access to users.  You have to define what program a user 
should have access to in its conf file and... tadaa... I don't know if it 
will work together with DU/C2.  Maybe worth a shot?
Greetz,
Andres
Algemene Informatica Service      'Nostalgia grants us dreams,
Limburgs Universitair Centrum      knowing that you never have to keep
=============================      your thoughts to yourself alone'
phone : +32-11-268130
        +32-11-268131
fax   : +32-11-268199
From: nicolis _at_ chiral.phys.univ-tours.fr (Stam Nicolis)  
Hi,
normally (i.e. under non-C2 conditions) sudo would do the trick--I don't 
know whether C2 has some extra stuff that needs to be tweaked to make this
possible at all (under sudo at least). 
Hope this helps :)
Stam
From: kjell.andresen _at_ usit.uio.no (Kjell Andresen)  
Is sudo what you are looking for?
Kjell Andresen  Systems administrator, University of Oslo, Norway
                Center for Information Technology Services and
                Department of Geophysics
From: vanhelde _at_ odo.msoe.edu (Phil VanHelden)  
A small C program that runs setuid root should do it.  It would ask
for the name of the user, and then fork a process, exec'ing passwd.
If you want a specific implementation example, let me know.
       \|/
                                 #######
                               / ~     ~ \
                             (|  0     0  |)
   ================================/ \================================
  _|____                          (___)                          ____|_
 (____(_)               Phil VanHelden                     (_)____)
(______(_)  System Administrator   MSOE Comp. & Comm. Services (_)______)
(_____(_)     (414) 277-7286             1025 N. Broadway       (_)_____)
 (___(_)     vanhelde_at_msoe.edu          Milwaukee WI 53202       (_)___)
   |     "'Good enough' is my least favorite phrase." - Tom Scholz   |
   ===================================================================
From: xxfdh _at_ omega.uta.edu ("Mr. Dustin Fu")  
Craig,
There is a program called 'sudo' (from University of Colorado) you may find 
that helpful. 
ftp://boulder.colorado.edu/pub/mnt/source/doc/sa-book/sudo.
Dustin Fu
Software Systems Specialist
Academic Computing Services
University of Texas at Arlington
xxfdh_at_omega.uta.edu
817-272-2208
From: de5 _at_ sws5.ctd.ornl.gov (Dave Sill)  
1) Sticky bit <> setuid bit.
2) Setuid scripts, even if they work, are a *very* bad idea.
3) You probably want a setuid wrapper written in C to call the
script.
-Dave
  
From: webster _at_ i5142311.mdc.com (Tom Webster)  
Craig,
Speaking as someone who hasn't actually done it: Try sudo.  Sudo is a package
that lets you delegate root authority for selected commands to selected users.
Which commands individual users are allowed to run as root are configured via
a text file. The user has to enter their own password before the command is 
run as root, to verify their identity.  In your case the command would look 
something like:
    sudo passwd joeluser
Sudo is available on most of the security sites.  I know it works with DU
with the 'BASE' security set.  I don't remember if everything that is needed
to make it work with DU and C2 is 'in the box' or if you need a patch.  If 
it doesn't work, this mailing list would be where to find out.  (If you
do find that you need a separate patch to make it work, please send me an
e-mail -- or post a pointer to the patch in your summary.  I will be migrating
some if not all of our DU boxes to C2 in the near future.)
Hope this helps,
Tom
--
+--------------------------------+------------------------------+
| Tom Webster                    | "Funny, I've never seen it   |
| webster_at_kaiwan.com (home)      | do THAT before...."          |
| webster_at_ssdgwy.mdc.com  (work) | - Any user support person    |
+--------------------------------+------------------------------+
| finger -l webster_at_kaiwan.com to get my PGP Public Key.        |
+---------------------------------------------------------------+
 
From: abs _at_ osfulsa.ulsa.mx ("Alejandro Arturo Barrera Sanchez(ZOR)")  
 I have never worked with C2, but have you tried installing sudo?
Sudo lets you execute programs with real root privileges. I know that it's a 
security hole, but maybe you can try.
Alejandro A. Barrera Sanchez(ZOR)  abs_at_osfulsa.ulsa.mx
Universidad La Salle             abs_at_hpuxulsa.ulsa.mx 
Cibernetica X11 
Telephone: 389-4599 
SistAcad:728-0500 ext.2069 
From: trevor.stott _at_ sheridanc.on.ca (Trevor Stott)  
You could write a program (expect is a good choice) to trap certain 
usernames and then call passwd.  Once that is done you could compile sudo and 
use "sudo program-name".  I'm sorry I can't remember where I got sudo 
originally but it works great!
Trevor.
------------------------------------------------------------------------------
Trevor Stott                                   Trevor.Stott_at_sheridanc.on.ca
Information Technology
Sheridan College          Phone: (905) 845-9430 ext. 2148
Oakville, Ontario                              Fax:   (905) 815-4011
------------------------------------------------------------------------------
From: win _at_ tukan.ffb.eunet.de (Winfried Huber)  
Hi Craig,
  the reason why your attempt to change other users' passwords via a
setuid script fails is that for security reasons the setuid bit for shell
scripts is ignored.
Two ways out of the jungle:
1. Write and compile a wrapper program with the setuid bit set that
   calls passwd. You can make sure only your helpdesk operators run
   this program simply by checking their uid from within the wrapper
   or make it executable for members of their group only.
2. perhaps the better way: get sudo.
   This is a program that allows you to maintain an (easily manageable)
   database that allows you to give some privileges to specific users. All
   you have to do is install sudo and edit the file /etc/sudoers.
   You can get sudo from
   ftp://ftp.cs.colorado.edu/pub/sysadmin/utilities/cu-sudo.v1.4.tar.Z
   it's free.
hope this helps,
Winfried
-- 
Winfried Huber, Softwarehaus Huber & Boehm, voice: +49 8142 13038
Illerweg 6, D-82140 Olching, Germany  fax:   +49 8142 18612
win_at_tukan.ffb.eunet.de == win_at_tukan.m.isar.de
 
Received on Fri Aug 30 1996 - 11:54:22 NZST