I feel obliged to point out that this blog post is roughly 4 years and 11 months old. People change, opinions evolve. In just a few years, vast technological landscapes can shift. And don't get me started on config files. Please consider this text in the context of its time.

There was an interesting question on Twitter after I published my blog entry about assigning the authorization to change passwords to regular users: “Can you change the root password with it?”

The answer is: Yes, you can.

junior@solaris:~$ passwd root
New Password: 
Re-enter new Password: 
passwd: password successfully changed for root

However, you don’t necessarily get root access with it.

junior@solaris:~$ su - root
Password: 
Roles can only be assumed by authorized users
su: Permission denied

That said, this isn’t perfect protection, as this user could obviously change the password of a user who is authorized to assume the root role on Solaris. However, that user will then lose access to his or her account, as you obviously don’t know the existing password and can only set it to something new.

  • You would never give this privilege to someone you don’t trust sufficiently.
  • You can block this by using a second factor of authentication: the changed root password is then of no use, as the user is still not in possession of the second factor.
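
To check a system for the path described above, the following added example (not from the original post) reads user_attr(5)-style lines and reports every holder of the password-change authorization alongside every user allowed to assume root. It assumes the authorization is named solaris.passwd.assign, which the post does not state, and it only sees direct `auths=` and `roles=` entries, not authorizations granted through rights profiles.

```shell
#!/bin/sh
# Added example: audit user_attr(5)-style entries for password-reset exposure.
# Assumption: the password-change authorization is solaris.passwd.assign;
# set AUTH to another name if your system differs.
AUTH="${AUTH:-solaris.passwd.assign}"

# Constructed sample data, format: name:qualifier:res1:res2:attr
sample_user_attr() {
cat <<'EOF'
root::::type=role
senior::::roles=root;lock_after_retries=no
junior::::auths=solaris.passwd.assign
intern::::profiles=Basic Solaris User
EOF
}

# users_with KEY VALUE: print users whose comma-separated attribute KEY
# contains VALUE; a trailing "*" (e.g. solaris.*) matches as a prefix.
users_with() {
  awk -F: -v key="$1" -v val="$2" '
    /^#/ || NF < 5 { next }
    {
      n = split($5, kv, ";")
      for (i = 1; i <= n; i++) {
        if (index(kv[i], key "=") != 1) continue
        m = split(substr(kv[i], length(key) + 2), items, ",")
        for (j = 1; j <= m; j++) {
          it = items[j]
          if (it == val || (it ~ /\*$/ && index(val, substr(it, 1, length(it) - 1)) == 1)) { print $1; break }
        }
      }
    }'
}

# audit: read user_attr lines on stdin, print one finding per risky pair.
audit() {
  data=$(cat)
  holders=$(printf '%s\n' "$data" | users_with auths "$AUTH")
  assumers=$(printf '%s\n' "$data" | users_with roles root)
  for h in $holders; do
    for a in $assumers; do
      [ "$h" = "$a" ] && continue   # already authorized for the role
      echo "RISK: $h can reset the password of $a, who may assume root"
    done
  done
}

sample_user_attr | audit
```

On a live Solaris system, `auths <user>` and `roles <user>` show the fully resolved values, including those inherited from rights profiles.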

In the next few days I will write an additional blog entry about encapsulating this privilege.

Written by Joerg Moellenkamp

Grey-haired, sometimes grey-bearded Windows dismissing Unix guy.