Linux – Is setting a mail user’s shell to /usr/bin/passwd in the /etc/passwd file a safe way to allow them to change their own password by simply ssh’ing

Tags: linux, passwords, shell, ssh

I have a machine which is used mostly as a mail server:

$ uname -a
Linux myhost.com 2.6.32-279.19.1.el6.x86_64 #1 SMP Wed Dec 19 07:05:20 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

and I would like users who do not actually log into the machine (but use it to authenticate and get their mail) to be able to change their own passwords. If I put /usr/bin/passwd in /etc/shells (so the passwd command is a valid shell), and change the shell entry for the users as in:

someuser:x:557:557:Some User:/home/someuser:/usr/bin/passwd

then if they ssh to the host, they'll get something like this:

$ ssh myhost.com
someuser@myhost.com's password: <type their current password>
Last login: Wed Sep 25 16:07:35 2013 from some-ip
Changing password for user someuser.
Changing password for someuser.
(current) UNIX password: <type their current password again>
New password: <type their new password>
Retype new password: <type their new password again>
-passwd: all authentication tokens updated successfully.
Connection to myhost.com closed.

That works great… but is it safe? Is there some way to exploit that and break into a real shell?

Thanks.

P.S. In my environment, it is reasonable to assume that the users have ssh already–but if there is an alternative for password changing that is simply "better", I'd like to hear it 🙂

Best Answer

Allowing a well-known program (ssh) remote access to a suid program is in principle insecure. passwd sets user id, i.e. elevates permissions. Ssh should be used with caution because it also delegates firewall administration to the remote user (port forwarding etc.). If sshd is your only remote access option, you have only one server, and you insist on using this server as a means to change passwords and to serve mail, then limit all options for sshd and mail only and harden the rest of the box by removing everything except the bare services you need: mail and password changing.

passwd's source has been under scrutiny, but do you know the classic login hack that Ken Thompson (creator of Unix) made in the C compiler? Read Ken's 'Reflections on Trusting Trust' to decide who to trust.
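As an added illustration of the "limit all options for sshd" advice (not part of the original answer), here is an sshd_config Match block that strips the forwarding features the answer warns about from the password-only accounts while leaving the /usr/bin/passwd shell trick from the question in place. The group name mailusers is an assumption; ForceCommand is deliberately not used, because sshd runs a forced command via `$SHELL -c`, which would fail when the login shell is passwd itself.

```text
# Added example, not from the original thread. Assumes the accounts that
# only need to change their password are members of a group "mailusers";
# their /etc/passwd shell stays /usr/bin/passwd as described in the question.
Match Group mailusers
    # No TCP port forwarding: the session exists only to run passwd
    AllowTcpForwarding no
    PermitOpen none
    # No X11, agent or tun/tap forwarding either
    X11Forwarding no
    AllowAgentForwarding no
    PermitTunnel no
    # One channel is all passwd needs
    MaxSessions 1
    # Keep the pty: passwd prompts interactively, so do not disable it
    PermitTTY yes
```

Check the result with `sshd -T -C user=someuser,addr=203.0.113.1` (a constructed address) to see the effective options for a member of the group; PermitTTY needs OpenSSH 6.2 or later and can be dropped on older releases, where a pty is allowed by default.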
