CentOS 5 :: Prevent Users From Changing Their Own Password?
Feb 4, 2010
How can I prevent users from changing their own password? I was surprisingly unsuccessfull in finding a solution for this on google. Lots of stuff about hardening ssh access or dealing with password aging using "chage" but nowhere could I find an answer for my question.
so we need to remove the suid for that command as follows :- chmod u-s /usr/bin/passwd now normal users won't be able to change their own passwords - and only the root user will be able to do it for them.
I use the following method for preventing the users from changing their passwords , is there any other method other than this ?ls -l /usr/bin/passwd-rwsr-xr-x 1 root root 37140 2010-01-26 12:09 /usr/bin/passwdso we need to remove the suid for that command as follows :- chmod u-s /usr/bin/passwdnow normal users won't be able to change their own passwords - and only the root user will be able to do it for them.
I am administrating a system with about 40 or 50 users, and we recently jumped ship from windows to ubuntu. Most of my users are getting along fine, but it seems every few days, i have to help someone who accidentally changed something, and now their account (or more rarely, the machine) is unusable, and has to be reset.
I know configuring /etc/sudoers is a huge step toward fixing my problem, but that still will not completely solve it. What I would like to do is prevent users from making ANY changes to the system (aside from their work files and the like), including themes, icons, desktop, background, etc.
but the user could tamper with the histfile itself. Like: rm -f $HISTFILE; rm -f $HISTFILE; mkdir $HISTFILE; rm -f $HISTFILE; ln -s /dev/null $HISTFILE;
I'm experimenting with PROMPT_COMMAND to execute a command each time the user executes a command and so log it somewhere else.This post was pruned from the 2009 Is there a way to prevent users from changing or unset their HISTFILE variable? thread. Please do not resurrect old threads but instead create your own (and maybe provide a link to the old one).
I am on ubuntu server and its joined to an W3k Domain thru winbind/samba. However everything works fine and Windows and Local users can login to the machine without any problem. However when I wanted to create a local user X and change his password I couldn'tIt created the local user X but I could not change the password. Here are the outputs:
I am using Mandriva 2010.2 KDE. When I try to change my password, using the Welcome>About Me>Change Password, I am asked to type in my current password, after I press OK, the dialogue box just seems to hang, nothing happens, the computer does not freeze, just the password dialogue box kind of stops responding.
I am on ubuntu server and its joined to an W3k Domain thru winbind/samba. However everything works fine and Windows and Local users can login to the machine without any problem. However when I wanted to create a local user X and change his password I couldn't. It created the local user X but I could not change the password.
I want the users to access servers via ssh public key only. By default they don't know their initial password and do need to change that when performing administrative tasks.For changing their passwords without knowing the old they need to switch to root for this special case.The only case it seems I don't have control is that users can not only change their password but also the password of other peoples. Does someone sees a solution (without apparmor/selinux and special /usr/bin/passwd.sh) to restrict users to only change their password?I miss the feature of using environment variables in sudoers file.
My problem is that I cant "rewrite" older password to new. It looks like I do:
Changing password for user johny. New UNIX password: Retype new UNIX password: passwd: all authentication tokens updated successfully.
all looks OK but after set up new password I can log in using OLD and NEW password. It's very unsecure for me. So in fact I cant change password and it looks like centos create next password to one accout and one account have more then one password... how can I prevent it? pls help me couse its very unsecure in my case.user looks in file shadow /etc/shadow like this:
Sometimes when starting applications, especially with Wine, the screen resizes to a much lower resolution. Sometimes when I close the application & usually when it crashes/I have to kill it, the screen stays at that much lower resolution. To get my normal 1900*1200 resolution back I have to delete all the applets I've put in the top menu bar to for there to be enough space for the menu to appear for me to select System>Prefs>Monitors.How can I prevent an application from altering my resolution & just force it to run windowed, or at a higher resolution?
Running Centos 5.5 64bit. Sometimes I boot this instalation in real machine, sometimas using vmware workstation. The problem is that these environments have different network interface cards - as soon as kudzu detects that network device changed it renames ifcfg-eth0 to ifcfg-eth0.bak and places new default ifcfg-eth0.
Is it possible to command kudzu to leave ifcfg-eth0 as it is ?
i would like to prevent all users other than the user "parker" on my system from using the su or sudo commands. I have not attempted to modify the sudoers file so it just contains the standard root ALL = (ALL) ALL.
If there is a simple way to prevent accidental shutdown when the following situation occurs:
Sometimes, I log in on my father's computer to run some administrations' tasks (updates...). For that, I use SSH since I'm frequently far from my parents and what I want is to prevent a shutdown run by my father. Of course, he should be able to turn off by himself if nobody else is connected.
Molly-Guard allows to prevent distant shutdown, my request is a kind of complementary software.
Does anyone know a project which could fit with this request? Do you have simple ideas to write a short code I know bash, perl, python...
I want to prevent users changing the wallpaper, as i couldn't found any direct method I thought of preventing the /usr/bin/gnome-appearance-properties being running,
I know that the user also can set the wallpaper without running that . But didn't found any other way .
I tried to use SELinux to it and I'm stuck at writing a own policy.
According to SELinux, it prevents everything ., but as i have mapped the user to a SElinux user ,even though he can use administrative tasks , he can run the appearance window. that means he has got the permission from a different policy , Currently I'm stuck at this place.
Suitable way to prevent the wallpaper being changed by the normal users.
I have a box with multiple users on it and I want everyone to be able to have full access to their home folders, but not be able to see the contents of /home/ or another user's home folder (I.E. bob has full access to /home/bob but cannot access or even see the contents of /home/john)Right now users can see other user's home folders but can't modify what's inside. How do I prevent them from seeing the contents at all?
What is the best way to prevent some user run some command? For example every body can run at and batch command and 3 or 4 special users prevent run these command?
Is it possible to have a user in Ubuntu/Debian that does not have access to synaptic, apt-get, dpkg and cannot even download anything from the Web, but has root privileges otherwise?
I'm looking for a manner to prevent users from changing the desktop background/wallpaper and all other gnome configuration with booth Ubuntu and Kubuntu. This too (Abraxis, some years ago, have same my problem) [URL] do not solve the problem, for example if I change whit chown (*) own and group of this file to root /.gconf/desktop/gnome/background/%gconf.xml, at the next reboot file return in the previous state. (I don't like Pessulus). (*) chown root:root %gconf.xml chmod 644 %gconf.xml At the reboot file change automatically owner to "student", I don't know why?
I have a created a wireless connection from the main admin account and checked the box saying "Available to all users", everything is working correctly. I only need to prevent the Desktop Users from switching the connection to another one.
I have searched far and wide but could not seem to find a way to prevent GDM from hiding the password field. I am the only user of my laptop, to login I first need to click the login name to show the password field and then I can enter the password. I would like to have the password field always visible and have focus.
I have a Windows share on my network and I protected it with a password. I access it with my Ubuntu desktop, and I saved my password the first time I accessed it. The password is saved in Seahorse (the keyring), but each time I try to access my Windows share, I have to type in my keyring password.Despite trying several tutos, I haven't been able to prevent keyring from asking for my keyring password.