Configure SESUDO for enabling root password change on Solaris.

Document ID : KB000052263
Last Modified Date : 14/02/2018

Description:

This document applies only to Solaris. The behavior of SESUDO when configured to change the root password is different from that on the other UNIX operating systems (AIX, HP, Linux).

Solution:

The description of 'sesudo' states only that it can run a command under another user ID.

The description of the system 'passwd' utility states that the passwd command changes the password or lists password attributes associated with the user's login name. Additionally, privileged users can use 'passwd' to install or change passwords and attributes associated with any login name.

To solve the problem, change the SUDO rule. The command should look like this:

nr SUDO chpass comment('/usr/bin/passwd root')

In this case, when a user runs the command 'sesudo chpass', sesudo checks permissions and then runs the command '/usr/bin/passwd root' under the superuser UID/GID, so you can change the password for the specified user, i.e. 'root'.

Why doesn't 'sesudo' work properly when changing the password for the root user (on Solaris only)? After checking all data, we change our identity to root/root and fork a process to execute '/usr/bin/passwd' under that identity. Unfortunately, /usr/bin/passwd does not use the UID, RUID or EUID, and likewise it does not care about the GID, RGID or EGID.

Instead, it takes the login name from /var/adm/utmpx, then gets the UID/GID for that name and performs the password change for it.
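
The difference between the two identity sources described above can be seen with a short C program. This is an added example, not sesudo or Solaris passwd source code. It prints the account names for the real and effective UID next to the login name recorded in utmpx for the current terminal; the function names are hypothetical.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
#include <utmpx.h>

/* Account name for a numeric UID; copied out because getpwuid()
 * returns a pointer to static storage. Returns 0 on success. */
int name_from_uid(uid_t uid, char *out, size_t outlen) {
    struct passwd *pw = getpwuid(uid);
    if (pw == NULL || outlen == 0) return -1;
    snprintf(out, outlen, "%s", pw->pw_name);
    return 0;
}

/* Login name stored in the utmpx record for the terminal on stdin.
 * Changing UID/GID before exec does not rewrite this record. */
int name_from_utmpx(char *out, size_t outlen) {
    const char *tty = ttyname(STDIN_FILENO);
    struct utmpx key, *ut;
    if (tty == NULL || outlen == 0) return -1;   /* no terminal */
    if (strncmp(tty, "/dev/", 5) == 0) tty += 5; /* ut_line omits /dev/ */
    memset(&key, 0, sizeof key);
    strncpy(key.ut_line, tty, sizeof key.ut_line - 1);
    setutxent();
    ut = getutxline(&key);
    if (ut != NULL) /* ut_user may lack a terminating NUL */
        snprintf(out, outlen, "%.*s", (int)sizeof ut->ut_user, ut->ut_user);
    endutxent();
    return ut != NULL ? 0 : -1;
}

int main(void) {
    char buf[64];
    if (name_from_uid(getuid(), buf, sizeof buf) == 0)
        printf("real UID name:      %s\n", buf);
    if (name_from_uid(geteuid(), buf, sizeof buf) == 0)
        printf("effective UID name: %s\n", buf);
    if (name_from_utmpx(buf, sizeof buf) == 0)
        printf("utmpx login name:   %s\n", buf);
    else
        printf("utmpx login name:   (no record for this terminal)\n");
    return 0;
}
```

Run from a process whose UID has been switched to root, the first two lines show root while the utmpx line still shows the name the user logged in with.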