PIM: Change password without being prompted for current password on linux

Document ID : KB000106234
Last Modified Date : 13/07/2018
Introduction:
The passwd command prompts every user except root for their current password before accepting a new one.

For example:
 
[user01@server ~]$ passwd 
Changing password for user user01. 
Changing password for user01. 
(current) UNIX password:
Is it possible to use the Privileged Identity Manager (PIM) agent to change this behaviour?
 
Instructions:
The passwd command prompts all users except root for their current password. This is standard Linux behaviour and has nothing to do with PIM.

PIM can, however, be used to work around it: a SUDO record lets an authorized user run passwd on their own account with the privilege that skips the prompt. The following is a worked example of how to set this up.

The following SUDO rule allows users authorized for it to change their own password, and only their own password, without being prompted for the current one: 
editres SUDO ('changepassword') audit(FAILURE) data('/bin/passwd;$U $e;$O')

Each user who should be able to change their password this way must be authorized for the SUDO record. It is easier to create a group, authorize the group, and then join the users to that group:
ng ("changepassword") 
auth sudo ('changepassword') gid("changepassword") 
join ("testuser") group("changepassword")

The changepassword group also needs to be authorized to execute sesudo itself:
auth PROGRAM ('/opt/CA/AccessControl/bin/sesudo') gid(changepassword)

Users can now change their password using the following where <USERNAME> is their username:
sesudo changepassword <USERNAME>

This is not very user friendly, and it requires the user to type their own name correctly. It can be made simpler by creating a script /usr/local/bin/changepassword with the following contents (the script takes no arguments; the target account is always the caller, as reported by sewhoami):
#!/bin/sh
# Change the calling user's own password via the PIM SUDO record 'changepassword'.
# sewhoami returns the user name PIM associates with the current session.
sesudo changepassword $(sewhoami)

We then authorize only members of the changepassword group to execute this script, using the following rules:
nr program ("/usr/local/bin/changepassword") defacc(none) owner(nobody) 
auth program ("/usr/local/bin/changepassword") access(x) gid(changepassword)
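The steps above, assembled into one script an administrator can review before applying. This is an added example and not part of the CA KB article: it writes the wrapper script and a selang rule file into a staging directory, adds one join rule per user named on the command line, and assumes the PIM binaries live in /opt/CA/AccessControl/bin as in the article, that the wrapper will be installed at /usr/local/bin/changepassword, and that the rule file is loaded into selang by whatever method your site normally uses. Quoting in the rules is normalised to single quotes, which selang accepts alongside double quotes.

```shell
#!/bin/sh
# Added example (not the KB article's own code). Assumptions: PIM binaries in
# /opt/CA/AccessControl/bin, the SUDO record and the group are both called
# "changepassword", and the wrapper ends up at /usr/local/bin/changepassword.
set -e

PIM_BIN=/opt/CA/AccessControl/bin
SUDO_NAME=changepassword
GROUP=changepassword
WRAPPER=/usr/local/bin/changepassword

# The wrapper deliberately ignores its own arguments: the account whose
# password is changed is always the caller, as resolved by sewhoami. It
# refuses to continue if sewhoami fails or returns nothing.
wrapper_body() {
    cat <<EOF
#!/bin/sh
# Change the calling user's own password via the PIM SUDO record '$SUDO_NAME'.
me=\$($PIM_BIN/sewhoami) || exit 1
[ -n "\$me" ] || exit 1
exec $PIM_BIN/sesudo $SUDO_NAME "\$me"
EOF
}

# The selang rules from the article, in the order they should be applied.
# The data() string is passed through unchanged; \$U, \$e and \$O are PIM's
# own placeholders, not shell variables.
pim_rules() {
    cat <<EOF
# SUDO record: run /bin/passwd for the calling user's own account only
editres SUDO ('$SUDO_NAME') audit(FAILURE) data('/bin/passwd;\$U \$e;\$O')
# Group that may use the record
ng ('$GROUP')
auth SUDO ('$SUDO_NAME') gid('$GROUP')
# Members must also be allowed to execute sesudo itself
auth PROGRAM ('$PIM_BIN/sesudo') gid('$GROUP')
# Only group members may execute the wrapper script
nr PROGRAM ('$WRAPPER') defacc(none) owner(nobody)
auth PROGRAM ('$WRAPPER') access(x) gid('$GROUP')
EOF
}

# One join rule per user named on the command line.
join_rules() {
    for u in "$@"; do
        printf "join ('%s') group('%s')\n" "$u" "$GROUP"
    done
}

# install_changepassword STAGING_DIR USER...
# Writes STAGING_DIR/changepassword (the wrapper, mode 0755) and
# STAGING_DIR/changepassword.sel (the full rule set). Copy the wrapper to
# $WRAPPER as root and load the .sel file into selang.
install_changepassword() {
    dir=$1
    shift
    wrapper_body > "$dir/changepassword"
    chmod 0755 "$dir/changepassword"
    {
        pim_rules
        join_rules "$@"
    } > "$dir/changepassword.sel"
}

# Usage (writes to a staging directory, never directly to /usr/local/bin):
#   install_changepassword /tmp/pim-staging testuser user01
```

Install the wrapper owned by root so that group members cannot edit it; the PIM rules control who may execute it, not who may modify it.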

Now users in the changepassword group, and only those users, can change their own password, and only their own password, without being prompted for the current one, by executing:
changepassword

Note that the current-password prompt is what ties a password change to the person at the keyboard. Removing it means anyone with access to an unattended, unlocked session of a group member can set a new password for that account, so limit group membership accordingly and keep the audit setting on the SUDO record.