When managing multi-user Linux systems, a common administrative dilemma arises: how to grant sudo privileges while protecting critical authentication pathways. The root account serves as the ultimate fallback for system maintenance, particularly when sudo configurations become corrupted or when performing emergency recovery operations.
Sudo users with full privileges can typically execute:
sudo passwd root
Or even more dangerously:
sudo su -
passwd
We need to implement layered controls to prevent these while maintaining legitimate administrative workflows.
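The most elegant approach modifies the /etc/sudoers file (always use visudo for editing). The sudoers manual warns that subtracting commands from ALL with the ! operator can be circumvented (a root shell such as the sudo su - shown above is not matched by a passwd rule), so treat it as one layer among the others described here: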
# Allow all sudo commands EXCEPT password changes
%admin ALL=(ALL) ALL, !/usr/bin/passwd, !/usr/bin/passwd root
For more granular control:
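# Allow password changes for regular users only
# The bare !/usr/bin/passwd denies every passwd invocation (including one with no arguments);
# ALLOWED_PASSWD, listed last, re-allows non-root targets because the last match wins
Cmnd_Alias ALLOWED_PASSWD = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
%developers ALL=(ALL) ALL, !/usr/bin/passwd, ALLOWED_PASSWD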
Configure /etc/pam.d/passwd to add an additional layer:
auth sufficient pam_succeed_if.so uid = 0 quiet
auth required pam_deny.so
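This is intended to ensure that only a process running as root can change the root password. Keep in mind that passwd started through sudo also runs with UID 0, so a UID-based PAM check cannot by itself tell sudo elevation apart from a direct root login; the sudoers restriction remains the layer that covers sudo.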
For defense in depth, set immutable attributes:
sudo chattr +i /etc/passwd /etc/shadow
Remember to remove the attribute (chattr -i) when performing legitimate user management, and to set it again afterwards:
sudo chattr -i /etc/passwd /etc/shadow
sudo usermod ...
sudo chattr +i /etc/passwd /etc/shadow
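Create custom policies to prevent password modifications. SELinux type enforcement denies by default and the policy module language has no deny statement, so the last line below is pseudocode for the intent (no domain used by sudo users may execute passwd_exec_t) and will not compile as written:
# SELinux example (sketch)
module mypasswd 1.0;
require {
    type passwd_exec_t;
    class file { execute execute_no_trans };
}
# pseudocode: "deny" is not a statement in the policy module language
deny passwd_exec_t self:file execute;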
After implementation, test with:
sudo -u testuser sudo passwd root
Should return:
Sorry, user testuser is not allowed to execute '/usr/bin/passwd root' as root
Maintain secure alternatives for when root access is needed:
- SSH authorized_keys for root
- Console access via physical/virtual media
- Single-user mode with boot password protection
When administering a multi-user Linux server, one common security challenge is preventing sudo users from modifying the root password while still allowing them necessary administrative privileges. This creates a critical security boundary where users can perform their tasks without compromising the ultimate administrative control.
The most effective methods involve sudoers file customization and PAM configuration:
# Method 1: Sudoers file restriction
%admin ALL=(ALL) ALL, !/usr/bin/passwd root
# Method 2: PAM configuration modification
auth sufficient pam_rootok.so
auth required pam_deny.so
For comprehensive protection, implement these configurations:
1. Sudoers File Configuration
# Edit the sudoers file safely
sudo visudo
# Add these lines to restrict password changes
Cmnd_Alias DENY_PASSWD = /usr/bin/passwd root, /usr/bin/passwd [rR]oot*
%sudo ALL=(ALL) ALL, !DENY_PASSWD
2. PAM Module Customization
# Edit the PAM configuration
sudo nano /etc/pam.d/passwd
# Modify to include root password protection
auth sufficient pam_rootok.so
auth required pam_wheel.so use_uid
auth required pam_deny.so
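For additional security, consider setting the password aging policy for root:
# Maximum password age in days (99999 effectively means no expiry)
sudo chage -M 99999 root
# Warn 7 days before the password expires
sudo chage -W 7 root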
After implementation, test the configuration with:
# Attempt to change root password as sudo user
sudo -u regularuser sudo passwd root
# Should return:
"Sorry, user regularuser is not allowed to execute '/usr/bin/passwd root' as root"
- Always maintain a secure root password recovery method
- Document these restrictions in your system administration guide
- Consider implementing these changes in your configuration management system
- Regularly audit sudo privileges and PAM configurations
These measures create a balanced approach where users retain necessary sudo privileges while protecting the root account from unauthorized modifications.
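To check offline which invocations each sudoers rule on this page actually covers, here is an added example (not part of the original article): a simplified Python model of sudoers last-match-wins command matching. The function names, the probe list and the /usr/bin/su path are assumptions, and the model ignores sudoers features such as digests, sudoedit and escaped commas.

```python
from fnmatch import fnmatchcase

def spec_matches(spec, argv):
    """Match one sudoers command spec against argv (simplified model)."""
    path, _, want = spec.partition(" ")
    if path == "ALL":
        return True
    if not fnmatchcase(argv[0], path):
        return False
    if not want:                 # no arguments listed: any arguments match
        return True
    if want == '""':             # "" listed: only the bare command matches
        return len(argv) == 1
    return fnmatchcase(" ".join(argv[1:]), want.strip())

def verdict(cmnd_list, argv, aliases):
    """True/False from the last matching entry, None if nothing matches."""
    result = None
    for entry in (e.strip() for e in cmnd_list.split(",")):
        negated = entry.startswith("!")
        name = entry[1:].strip() if negated else entry
        if name in aliases:      # Cmnd_Alias: evaluate its members the same way
            hit = verdict(aliases[name], argv, aliases)
        else:
            hit = True if spec_matches(name, argv) else None
        if hit is not None:
            result = (not hit) if negated else hit
    return result

# Invocations to check; /usr/bin/su is an assumed path, adjust per distribution.
PROBES = {
    "passwd root": ["/usr/bin/passwd", "root"],
    "passwd (no args, run as root)": ["/usr/bin/passwd"],
    "su -": ["/usr/bin/su", "-"],
}

def still_allowed(cmnd_list, aliases=None):
    """Names of probes that the command list would still let sudo run."""
    aliases = aliases or {}
    return [n for n, argv in PROBES.items() if verdict(cmnd_list, argv, aliases)]

if __name__ == "__main__":
    rules = {   # command lists copied from rules shown on this page
        "ALL minus passwd": ("ALL, !/usr/bin/passwd, !/usr/bin/passwd root", {}),
        "ALL minus passwd root": ("ALL, !/usr/bin/passwd root", {}),
        "ALL minus DENY_PASSWD": ("ALL, !DENY_PASSWD", {"DENY_PASSWD":
            "/usr/bin/passwd root, /usr/bin/passwd [rR]oot*"}),
    }
    for label, (cmnds, aliases) in rules.items():
        print(label, "-> still allowed:", still_allowed(cmnds, aliases))
```

Any probe the model reports as still allowed should be confirmed on a test host with sudo -l before relying on the rule.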