Changing passwords - re-revisited

There was an interesting question on Twitter after I published my blog entry about assigning the authorization to change passwords to regular users: “Can you change the root password with it?”

The answer is: Yes, you can.

junior@solaris:~$ passwd root
New Password: 
Re-enter new Password: 
passwd: password successfully changed for root

However, you don’t necessarily get root access with it.

junior@solaris:~$ su - root
Password: 
Roles can only be assumed by authorized users
su: Permission denied

That said, this isn’t perfect protection, as this user could obviously change the password of a user who is authorized to use the root role in Solaris. However, that user will then lose access to his or her account, because the person changing the password doesn’t know the old one and can only set it to something new.
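A defender-side check for the situation described above, as an added example that is not part of the original post: it reads a user_attr-style file and pairs accounts holding a password-assignment authorization with accounts allowed to assume root. The authorization name `solaris.passwd.assign`, the account `senior` and the sample file are assumptions; rights granted through profiles are not expanded.

```shell
#!/bin/sh
# Added example: who could reset the password of an account that may assume root?
# Assumptions: the authorization is named solaris.passwd.assign, and only direct
# auths=/roles= entries of a user_attr-style file are read (profiles not expanded).

AUTH="solaris.passwd.assign"

password_reset_paths() {
    # $1: path to a file with lines name:qualifier:res1:res2:key=val;key=val
    awk -v auth="$AUTH" '
    /^#/ || NF == 0 { next }
    {
        name = $0;  sub(/:.*/, "", name)
        # Strip the first four fields; the attribute field may contain escaped colons.
        attrs = $0; sub(/^[^:]*:[^:]*:[^:]*:[^:]*:/, "", attrs)
        n = split(attrs, kv, ";")
        for (i = 1; i <= n; i++) {
            eq  = index(kv[i], "=")
            key = substr(kv[i], 1, eq - 1)
            val = "," substr(kv[i], eq + 1) ","
            if (key == "auths" && index(val, "," auth ",")) assigner[name] = 1
            if (key == "roles" && index(val, ",root,"))      holder[name] = 1
        }
    }
    END {
        # An account holding both rights can already assume root, so skip a == h.
        for (a in assigner) for (h in holder)
            if (a != h) print a " can reset the password of " h " (may assume root)"
    }' "$1" | sort
}

# Constructed sample data, not taken from a real system.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# name:qualifier:res1:res2:attr
root::::audit_flags=lo\:no;type=role
senior::::roles=root
junior::::auths=solaris.passwd.assign
guest::::
EOF

password_reset_paths "$SAMPLE"
rm -f "$SAMPLE"
```

Each line of output is a pair worth reviewing: the first account can lock the second out and set a password it knows.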

However there are two important points to keep in mind.