Written by J. Moellenkamp
on 
Reading time: 1 minute
Cycling   Sport   Safety

Changing passwords as a role

Of course the privilege to change other peoples password can be encapsulated into a role, so you have an additional authentication by using the role password before you get such powerful privileges.

root@solaris:/etc# roleadd -A solaris.passwd.nocheck,solaris.passwd.assign pwchanger 
root@solaris:/etc# passwd pwchanger
New Password: n1mn1mn1m
Re-enter new Password: n1mn1mn1m
passwd: password successfully changed for pwchanger
root@solaris:~# mkdir /export/home/pwchanger
root@solaris:~# chown -R pwchanger /export/home/pwchanger
root@solaris:~# chmod -R 700 /export/home/pwchanger

Now we can assign this role to a user, for example to the user guru

root@solaris:~# usermod -R pwchanger guru

Now let’s try to change the password of the user root. As you would expect, the user guru has an assigned role of pwchanger as we just assigned it.

guru@solaris:~$ roles
pwchanger
guru@solaris:~$ passwd root
Permission denied

You have to change into the role first using the role password, which isn’t user userpassword except you configure it this way.

guru@solaris:~$ su - pwchanger
Password: n1mn1mn1m
-bash-5.0$ passwd root
New Password: 
Re-enter new Password: 
passwd: password successfully changed for root
-bash-5.0$ exit

When you are leaving the role, you are losing the privilege of the role, im this case the privilege to change passwords.

guru@solaris:~$ passwd root
Permission denied
guru@solaris:~$

The whole process is put into the audit log:

header,97,2,role login,,solaris,2021-04-10 16:03:34.065+00:00,subject,guru,pwchanger,staff,pwchanger,staff,5996,1615101428,151 3 10.0.2.2,return,success,0
header,134,2,passwd,,solaris,2021-04-10 16:03:47.935+00:00,subject,guru,root,sys,pwchanger,staff,6004,1615101428,151 3 10.0.2.2,user,0,root,use of authorization,solaris.passwd.assign,return,success,0
header,167,2,privileged execution,,solaris,2021-04-10 16:03:47.935+00:00,path,/usr/bin/passwd,path,/export/home/pwchanger,exec_args,2,passwd,root,use of privilege,successful use of priv,ALL,subject,guru,root,sys,pwchanger,staff,6004,1615101428,151 3 10.0.2.2,return,success,0
header,97,2,role logout,,solaris,2021-04-10 16:04:50.251+00:00,subject,guru,pwchanger,staff,pwchanger,staff,5996,1615101428,151 3 10.0.2.2,return,success,0