Password script

Is there a simple way to do a script for password changes? I need to let our help desk folks (for example) change user passwords. Currently, I have set them up with root privileges for doing this. I know this is not a good way, but what are my other choices? I was thinking of a script where (thru the script) the help desk folks would get temporaray root privileges, then change somebody's password, and before exiting out of the script have their own privileges back. Can this be done? If I use the 'su' command, then I have to know the user's password before I can change it. This is not always possible.

Just wondering..... :smiley:

Thanks in advance.
Latha Nair

Hi there, this is possible, if you create your script you then need to set a sid or sticky bit on the script, this will then give the script temporary root privilages on the system, this can be achieved using chmod +s

Hope that helps

I am a new user, and I do not know how to use what you have explained. I read thru some of the emails in this area, and most everybody advises to use 'expect'. I am checking into that possibility. If you can explain a bit more about your advice, that would be very helpful.

Thank you.
Latha

Someone please correct me if I am wrong, but I think the way to use this is:

chmod +s <file in question>

New users shouldnt be writing scripts to allow other users to change passwords,, a helpdesk person could change roots pass and ruin the system,,, but if you must, then id say give them sudo access to the passwd command

I wouldn't give them access to the actual passwd program. It would be better to give them access to a wrapper that checks to ensure that they can only change passwords for users, for example.

passwdwrap.sh (used as passwdwrap.sh <user>)

#!/bin/ksh

# some lame metacode....

SET TRAPS FOR EXIT CONDITIONS

if [ $1 == "root" ]
then
     logger -p local1.error -t PASSWDWRAP "ERROR: unauthrorized root change attempted"
     exit 1;
else
     passwd $1
fi

I would be more likely to write such a tool in C to prevent modification etc. I'm sure there are better examples out there, but I hope this gives you something to think about. Not sacrificing security for ease should always be foremost in your thoughts.

Cheers,
Keith

added code tags for readability --oombera

Thanks for all who answered.

The whole point of this script is that none of us are very good with UNIX here. I am entrusted with a system that I am trying to learn. I know how to change user passwords thru smit. In order for the help desk folks to change user passwords thru smit, I had to give them root equivalent privileges. That is what I am trying to change by having a script thru which they can have root privileges TEMPORARILY so that they can accomplish the follwoing:

1) Have their regular access to execute the script
2) The script could provide them with root privileges
3) Then change the user's password
4) After the password is changed, the script will set the help
desk folk's privilege back.
5) Exit out of the script.

When they exit, they would have their original privilege set again. This is what I am trying to accomplish. Is this possible? If I was not clear earlier, I am sorry.

We have an AIX/UNIX system.

Thank you.
Latha Nair

If you are using AIX, you really don't need a script. You can grant limited user access to smit for specified operations and keep them from resetting root's password. Just dig a little more into smit.

Cheers,
Keith

I was going thru the 'security and users' portion of smit, and set a particular user's role to 'manage all users' and 'manage all user passwords'. This does not seem to help.

Thanks,