RSS feed

Re: Change password as root

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: Change password as root

Arthur de Jong wrote:
> On Thu, 2010-05-27 at 19:59 +0100, Mark Olliver wrote:
>> My problem is that currently using libnss_ldap libpam_ldap the passwd
>> program will change passwords of users without prompting for their
>> password. This is needed as we allow not only admins to change
>> passwords. We also allow admins of our customer via a sudo privilege
>> to change passwords of users whom they control via group memberships.
>> We can not be giving out the admin main password for this task nor can
>> we be responsible for resetting passwords of all our client companies.
>> Do you have any other ideas which may help?
> Attached is a patch (against SVN r1135) that implements a rootpwmodpw
> option for nslcd. With this it is possible for root to change another
> user's password without a prompt for the LDAP administrator password.
nslcd(8) should die if nslcd.conf contains rootpwmodpw and file is

> I believe the patch is secure against spoofing because:
>  * the nslcd daemon only accepts password modification using rootpwmodpw
>    if the caller is root [1]
>  * the PAM module only tries to do passwordless password change if the
>    real user id is root
> I would welcome feedback on whether the above assumptions are correct
> and whether they are correctly implemented in the patch. Testing and
> feedback is more than welcome. With enough feedback, this will probably
> land in the next release.
> [1] This relies on information provided by compat/getpeercred.c. That
>     code is very platform dependant and may not work on all platforms.
>     Also, it is not always clear whether the effective or real user id
>     is returned.
> ------------------------------------------------------------------------
> --
> To unsubscribe send an email to
> or see

To unsubscribe send an email to or see