Changing user password without root password


Richard Siggins

May 30, 1997, 3:00:00 AM

I would like to implement a system where an operator can change
another user's password without having to enter the user's current
password or the root password. I have a couple of ways to execute the
passwd command as root. The problem is that even when logged in as
root, AIX wants you to enter the root password before changing the
user's password. This is not the case on other flavors of UNIX.
Anyone know of a way around this?

Richard Siggins
rsig...@usit.net or rsig...@eastman.com


Scott Tompkins

May 30, 1997, 3:00:00 AM

I believe if ops is in group security they can execute pwdadm.

Richard Siggins <rsig...@usit.net> wrote in article
<5mlae7$qcb$1...@news.usit.net>...

Richard Siggins

May 30, 1997, 3:00:00 AM

Yes, they can execute pwdadm if they are in the security group. The
problem is that pwdadm also requires the root password to change someone
else's passwd.

#pwdadm usera
Changing password for "usera"
root's Password:

This is where I get stuck.
--
Richard Siggins
Eastman Chemical Co.
rsig...@eastman.com

Scott Tompkins <stom...@icon.co.za> wrote in article
<01bc6cde$33515900$04d61ac4@ios-scottt>...

agr...@dork.seas.ucla.edu

May 30, 1997, 3:00:00 AM

Richard Siggins (rsig...@eastman.com) wrote:
> Yes, they can execute pwdadm if they are in the security group. The
> problem is that pwdadm also requires the root password to change someone
> else's passwd.

> #pwdadm usera
> Changing password for "usera"
> root's Password:

> This is where I get stuck.
> --

It appears (if the # sign can be assumed to be a root-prompt here) that you're
using pwdadm as root. If a non-root user is a member of group=security,
pwdadm will require THEIR password to change another user's.
I don't think it matters whether it's your primary or secondary group.

IE:

$ id
uid=100(af) gid=1(staff) groups=7(security)
$ pwdadm joeuser
Changing password for "joeuser"
af's Password:
$

You might be able to make a simple modification to a package like
sudo to only add group=security, and access to that particular command.

Adding users to the security group is opening a Pandora's box.

Andrew
a...@c4c.com


Richard Siggins

May 31, 1997, 3:00:00 AM

rsig...@usit.net (Richard Siggins) wrote:

>I would like to implement a system where an operator can change
>another user's password without having to enter the user's current
>password or the root password. I have a couple of ways to execute the
>passwd command as root. The problem is that even when logged in as
>root, AIX wants you to enter the root password before changing the
>user's password. This is not the case on other flavors of UNIX.
>Anyone know of a way around this?

Thanks to everyone who sent in suggestions. The solution to the
problem is to assign the operator to the AIX Security group. They can
then use the pwdadm command to change another user's password. As
long as the account being changed is not marked as an administrator
account, the operator will be able to change the password. This
prevents the operator from changing the password on the root or other
privileged accounts.


dbee...@ilstu.edu.maybe

May 31, 1997, 3:00:00 AM

Richard Siggins <rsig...@usit.net> wrote:
: I would like to implement a system where an operator can change
: another user's password without having to enter the user's current
: password or the root password. I have a couple of ways to execute the
: passwd command as root. The problem is that even when logged in as
: root, AIX wants you to enter the root password before changing the
: user's password. This is not the case on other flavors of UNIX.
: Anyone know of a way around this?

Anyone in the security group can execute pwdadm. Otherwise:

acledit pwdadm and enable, permit r-x u:userid

This allows finer control over the access to pwdadm. Folks in the
security group can, for example, edit /etc/passwd and have access to
/etc/security and files in /etc/security.

TTFN
--
Dave Beedle - Unix Support Manager - dbe...@ilstu.edu
Network Services, Illinois State University
136A Julian Hall, Normal, IL 61761
http://www.ilstu.edu/~dbeedle/
"Ignorance is bliss. Then you get run over by a bus
because you never bothered to learn how to cross the road"
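
An audit sketch for the two points made in the posts above (pwdadm cannot touch accounts marked as administrator, and security-group membership carries wide access), added here as an example and not posted by anyone in the thread. It assumes the "name attr=value" output form of `lsgroup -a users security` and `lsuser -a admin ALL`; the sample data is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample data in the "name attr=value" form assumed for
# `lsgroup -a users security` and `lsuser -a admin ALL`.
SAMPLE_GROUP='security users=af,opsjane,secadm'
SAMPLE_USERS='root admin=true
af admin=false
opsjane admin=false
secadm admin=true
joeuser admin=false'

# Print each member of group security on its own line.
security_members() {
    printf '%s\n' "$1" | sed -n 's/^security users=//p' | tr ',' '\n' | sed '/^$/d'
}

# accounts_by_admin FLAG LSUSER_OUTPUT: names whose admin attribute is FLAG.
accounts_by_admin() {
    printf '%s\n' "$2" | awk -v want="admin=$1" '$2 == want { print $1 }'
}

# Security-group members that are not admin accounts themselves: by the rule
# stated in the thread, another member can reset their password with pwdadm.
peer_resettable() {
    security_members "$1" | while read -r member; do
        if accounts_by_admin false "$2" | grep -qxF "$member"; then
            echo "$member"
        fi
    done
}

# Summarise who holds the group and which accounts that exposes.
report() {
    echo "Members of group security:";           security_members "$1"
    echo "Resettable via pwdadm (admin=false):"; accounts_by_admin false "$2"
    echo "Reserved to root (admin=true):";       accounts_by_admin true "$2"
    echo "Operators resettable by their peers:"; peer_resettable "$1" "$2"
}

# On AIX: report "$(lsgroup -a users security)" "$(lsuser -a admin ALL)"
report "$SAMPLE_GROUP" "$SAMPLE_USERS"
```
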

Mike Shelley

Jun 1, 1997, 3:00:00 AM


Richard Siggins <rsig...@usit.net> wrote in article
<5mlae7$qcb$1...@news.usit.net>...

> I would like to implement a system where an operator can change
> another user's password without having to enter the user's current
> password or the root password. I have a couple of ways to execute the
> passwd command as root. The problem is that even when logged in as
> root, AIX wants you to enter the root password before changing the
> user's password. This is not the case on other flavors of UNIX.
> Anyone know of a way around this?
>

> Richard Siggins
> rsig...@usit.net or rsig...@eastman.com
>

Easiest solution is to write a utility in 'C', compile it to an executable,
and have the setuid bit set on it...


Carsten Schabacker

Jun 2, 1997, 3:00:00 AM

"Mike Shelley" <mshe...@pdq.net> writes:

> > I would like to implement a system where an operator can change
> > another user's password without having to enter the user's current
> > password or the root password. I have a couple of ways to execute the
>

> Easiest solution is to write a utility in 'C', compile it to an executable,
> and have the setuid bit set on it...
>

Or use sudo.

cs.
--
GiS - Gesellschaft fuer integrierte Systemplanung mbH
Carsten Schabacker Tel. +49-6201-503-38
Junkersstr. 2 Fax +49-6201-503-66
D-69469 Weinheim c.scha...@gis.ibfs.de
priv: csc...@spock.rhein-neckar.de

Mike Shelley

Jun 5, 1997, 3:00:00 AM

Might work on AIX, but is not portable across other platforms... Of course
the only real SysAdmin tool is 'vi'... ;-)

> >Richard Siggins
> >rsig...@usit.net or rsig...@eastman.com
>

Ken Beer

Jun 6, 1997, 3:00:00 AM

Thanks, that's great if you want a non-root user to change
passwds, but what if you want root to change passwds inside
a script?

New users here get a default passwd, I want to run a script
that will determine the passwd and run yppasswd - can I
disable yppasswd asking for root's passwd? I can use
expect, but I don't want to embed the root passwd into
a script!

|< E /\/

