Is there any way to allow non-root users to change other users' passwords? Specifically, is there a way to grant help desk employees the ability to do password resets? The help desk can already reset Windows passwords, which is easy to delegate out.

These are on a variety of server types, although most are HP-UX. Unfortunately, the applications that run on the servers prevent us from using LDAP, so these servers are independent and users forget their passwords. Often. Requiring a server admin who knows the root password, especially in the middle of the night, is a waste of resources.

If it is possible, does it also prevent the user from changing root's password, like Windows prevents users from changing admin passwords from non-admin accounts?

Ben Pilbrow
Brian

4 Answers

Look at sudo:

http://www.gratisoft.us/sudo/

dmourati

Add a group called helpdesk and add all helpdesk users to it. Then add the following to the sudoers file.

%helpdesk ALL=/usr/bin/passwd

Now they can sudo to change passwords but nothing else.

Jim
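A caveat on the rule above, from a defender's point of view: `%helpdesk ALL=/usr/bin/passwd` lets the group run passwd with any arguments, and with none at all, so `sudo passwd` (which changes root's password) and `sudo passwd root` are both permitted. sudoers(5) itself suggests excluding root (`... /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root`), but argument matching in sudoers is easy to get subtly wrong. A more robust pattern is to grant sudo access to a small root-owned wrapper that validates the target account before calling passwd. The script below is an added example, not code from Jim's answer or from any project; it assumes a sudoers rule such as `%helpdesk ALL=(root) /usr/local/sbin/reset-passwd`, that the script is installed root-owned with mode 0755, that regular accounts start at a UID floor of 100 (`MIN_UID`, adjust for your system), and that `logger` is available for an audit trail in syslog.

```shell
#!/bin/sh
# reset-passwd: constrained wrapper around passwd for help-desk delegation.
# Added example (not from the original answers). Assumed sudoers rule:
#   %helpdesk ALL=(root) /usr/local/sbin/reset-passwd
# The file must be root-owned and not writable by the helpdesk group,
# otherwise the group could edit it into an arbitrary root shell.
set -u

MIN_UID=${MIN_UID:-100}                      # assumption: regular accounts start here
PASSWD_BIN=${PASSWD_BIN:-/usr/bin/passwd}    # path used in the answer above
PROTECTED_USERS=${PROTECTED_USERS:-"root"}   # names denied regardless of UID

# Accept only plain account names: no empty string, no leading '-' (so the
# name cannot be parsed by passwd as an option), no shell metacharacters.
valid_username() {
    case "$1" in
        ""|-*|*[!a-zA-Z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Deny names on the protected list (root by default) whatever their UID.
is_protected_name() {
    for p in $PROTECTED_USERS; do
        [ "$1" = "$p" ] && return 0
    done
    return 1
}

# Deny system accounts: any UID below MIN_UID, which always includes UID 0.
is_protected_uid() {
    [ "$1" -lt "$MIN_UID" ]
}

# Policy check on a name and its numeric UID; returns 0 if the reset may proceed.
reset_allowed() {
    valid_username "$1" || return 1
    is_protected_name "$1" && return 1
    is_protected_uid "$2" && return 1
    return 0
}

main() {
    [ $# -eq 1 ] || { echo "usage: $0 <username>" >&2; exit 2; }
    target=$1
    # Resolve the UID ourselves; an unknown user is rejected here, not by passwd.
    uid=$(id -u "$target" 2>/dev/null) || { echo "no such user: $target" >&2; exit 1; }
    if ! reset_allowed "$target" "$uid"; then
        logger -p auth.warning -t reset-passwd \
            "DENIED reset of '$target' requested by ${SUDO_USER:-unknown}"
        echo "password reset of '$target' is not permitted" >&2
        exit 1
    fi
    # Audit who reset whom; sudo sets SUDO_USER to the invoking account.
    logger -p auth.notice -t reset-passwd "reset of '$target' by ${SUDO_USER:-unknown}"
    # Running as root, passwd does not prompt for the old password.
    exec "$PASSWD_BIN" "$target"
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

A helpdesk member then runs `sudo /usr/local/sbin/reset-passwd frank`; the wrapper refuses root, any account below the UID floor, and anything that is not a plain account name, and every attempt lands in the auth log. Because sudo only ever sees the wrapper's path, no sudoers argument matching is involved.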

Given that HP-UX is said to support PAM, I will venture to mention the following tentative but clean approach to solving this problem:

use pam_tcb (tcb, the alternative to /etc/shadow), and there will be a separate password file per user. These can be manipulated without root rights (in fact, in Owl, passwd isn't setuid root), and you can give a specific group permission to modify the passwords of certain users (and not others, say, "root") simply by changing the permissions of the shadow files.

But it's probably not a practical, ready-made solution yet, because I don't see a port of pam_tcb to HP-UX.

Update: Never mind, passwd is already setuid root. Oops.

You could give the setuid attribute to the passwd program. Just do

sudo chmod u+s `which passwd`

Then, to make sure only certain users can use it, change the group and restrict the permissions:

sudo chgrp password_reset_delegates `which passwd`
sudo chmod 770 `which passwd`

And add your users to that group:

sudo adduser frank password_reset_delegates
sudo adduser barbara password_reset_delegates

You may want to make a copy of the passwd program without the setuid so that other users can change their own password.

Alternatively, you could set up sudo and allow sudo access to only the passwd program for the helpdesk users.

James