New User to Reset Passwords

MrGrim · May 2, 2011, 8:18am

Hi,

Apologies for my first post being a question. Long time reader, first time registered.

I'm trying to create a new user in Solaris who can reset passwords of other users. It will be held by IT, and I'm not too bothered about it having similar priveledges to root as i'm just using it so i can track a different resource team within our IT team.

I've created the new user: itpasswd

/etc/passwd

itpasswd:x:334:1:Super-User:/export/home/itpasswd:/bin/ksh
root:x:0:1:Super-User:/:/usr/bin/ksh

/etc/group

# more group
root::0:root
other::1:

When I try to change a users password with the new login, I get the permission denied error.

I know this may be something obvious. Any help would be appreciated. I thought as long as it was in the same group as root it should be ok.

jim_mcnamara · May 2, 2011, 11:15am

This is a terrible idea security-wise. You are basically giving that user the whole system, which will never pass any security audit.

What version of Solaris do you have? There are better ways to do this.

jlliagre · May 2, 2011, 11:41am

This is a wrong assumption.

You are creating a non privileged account (uid != 0) with a generic non privileged group (gid=other=1). The only "Super-User" attribute is the gecos but that field is nothing more than a comment. It's no surprise that user cannot change anyone's password outside its own.

MrGrim · May 2, 2011, 3:46pm

Hi Jim,

Thanks for the reply. The user only needs to reset other users passwords. It does not require any other priviledges. This is Solaris 9.