How can I prevent users from changing their passwords? I still want to be able to change the passwords as root if necessary but keep the user from changing their password.
4
- This question may be usefuljackcogdill– jackcogdill2013-02-06 00:55:19 +00:00Commented Feb 6, 2013 at 0:55
- Chmod the passwd command so that only you can execute itMawg– Mawg2013-02-06 01:24:31 +00:00Commented Feb 6, 2013 at 1:24
- Why would you want to lower user security?mdpc– mdpc2013-02-06 02:40:44 +00:00Commented Feb 6, 2013 at 2:40
- @mdpc I don't. I plan on changing the password periodically, but I need it to be changed by me because it is a shared account and I don't want someone to change the password without the other people who have access being notified.Vreality– Vreality2013-02-10 01:17:05 +00:00Commented Feb 10, 2013 at 1:17
Add a comment |
2 Answers
Do chmod go-rx /usr/bin/passwd Normal users can then not run passwd. If you want some users to be able to, you can put them in a special group perhaps.
- Would this still work?
cp /usr/bin/passwd . ; chmod +x ./passwd ; ./passwdf.ardelian– f.ardelian2013-07-16 16:00:22 +00:00Commented Jul 16, 2013 at 16:00 - 2@f.ardelian The thing is,
passwdhas some special magic called "setuid" on it - that means that when someone runs the file, they're running it as its owner (namely, root.) This allows normal users to change the/etc/shadowfile containing the passwords. If you were to copy the file to a user's home directory, it would no longer be setuid, and therefore no longer be automatically run with root priviledges. To learn more, look up information about "Unix permissions" and "setuid".JamesTheAwesomeDude– JamesTheAwesomeDude2013-12-07 22:03:48 +00:00Commented Dec 7, 2013 at 22:03 - 1@JamesTheAwesomeDude Thanks, that was very informative!f.ardelian– f.ardelian2013-12-08 04:53:04 +00:00Commented Dec 8, 2013 at 4:53
passwd -n 9999 user will prevent user from changing his password for almost 274 years.
If you want to have passwordless user, which is unable to change his password, open /etc/shadow as root, find the line which begins with the name of the user, and change the content between first and second colon to U6aMy0wojraho.
(source: https://help.ubuntu.com/community/PasswordlessGuestAccount)
