5

How can I prevent users from changing their passwords? I still want to be able to change the passwords as root if necessary but keep the user from changing their password.

Vreality
  • [This question](http://stackoverflow.com/questions/402615/how-to-restrict-ssh-users-to-a-predefined-set-of-commands-after-login) may be useful – jackcogdill Feb 06 '13 at 00:55
  • Chmod the passwd command so that only you can execute it – Mawg says reinstate Monica Feb 06 '13 at 01:24
  • Why would you want to lower user security? – mdpc Feb 06 '13 at 02:40
  • @mdpc I don't. I plan on changing the password periodically, but I need it to be changed by me because it is a shared account and I don't want someone to change the password without the other people who have access being notified. – Vreality Feb 10 '13 at 01:17

2 Answers

7

Do `chmod go-rx /usr/bin/passwd`. Normal users can then not run `passwd`. If you want some users to be able to, you can put them in a special group perhaps.

MarJamRob
  • Would this still work? `cp /usr/bin/passwd . ; chmod +x ./passwd ; ./passwd` – f.ardelian Jul 16 '13 at 16:00
  • 2
    @f.ardelian The thing is, `passwd` has some special magic called "setuid" on it - that means that when someone runs the file, they're running it as its owner (namely, root.) This allows normal users to change the `/etc/shadow` file containing the passwords. If you were to copy the file to a user's home directory, it would no longer be setuid, and therefore no longer be automatically run with root privileges. To learn more, look up information about "Unix permissions" and "setuid". – JamesTheAwesomeDude Dec 07 '13 at 22:03
  • 1
    @JamesTheAwesomeDude Thanks, that was very informative! – f.ardelian Dec 08 '13 at 04:53
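
Added example (not part of the original answer or comments): a shell sketch that reproduces the mode changes discussed above on a constructed stand-in file in a temporary directory, never on the real `/usr/bin/passwd`. The function names and the stand-in file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Works only on a constructed stand-in file in a temp dir.

# Print the 10-character mode string of a file, e.g. "-rwsr-xr-x".
mode_string() { ls -ld "$1" | cut -c1-10; }

# Build a stand-in "passwd" with mode 4755 (setuid, world-executable),
# the mode the setuid comment above describes.
make_standin() {
    printf '#!/bin/sh\necho stand-in\n' > "$1" && chmod 4755 "$1"
}

# Mode of a plain `cp` copy followed by `chmod +x`, as in the
# `cp /usr/bin/passwd . ; chmod +x ./passwd` comment. Without -p,
# cp does not carry the setuid bit over to the new file.
copy_mode() {
    cp "$1" "$2" && chmod +x "$2" && mode_string "$2"
}

# Mode after the answer's `chmod go-rx`: group and others lose both
# read and execute, while the owner keeps the setuid bit.
restricted_mode() {
    chmod go-rx "$1" && mode_string "$1"
}

demo() {
    umask 022
    dir=$(mktemp -d) || return 1
    make_standin "$dir/passwd"
    echo "original:   $(mode_string "$dir/passwd")"
    echo "cp copy:    $(copy_mode "$dir/passwd" "$dir/copy")"
    echo "restricted: $(restricted_mode "$dir/passwd")"
    rm -rf "$dir"
}

demo
```

Because `go-rx` also removes read permission, a user who is neither the owner nor root cannot copy the restricted file in the first place.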
4

`passwd -n 9999 user` will prevent user from changing his password for almost 274 years.

If you want to have a passwordless user who is unable to change his password, open `/etc/shadow` as root, find the line which begins with the name of the user, and change the content between the first and second colon to `U6aMy0wojraho`.
(source: https://help.ubuntu.com/community/PasswordlessGuestAccount)

GingerPlusPlus