There are some use cases where utilizing another account to modify privileged user passwords would be beneficial.
1. In order to avoid both accidental and intentional password changes that may block other users from sharing a privileged account a company may institute security policies which disable these accounts from being able to simply change their own passwords.
2. In cases of some form of unforeseen events or disaster a server containing the userstore or Active Directory may need to be restored from an earlier backup which effectively rolls back the passwords of many accounts. In this case only having to manually synchronize a single or a few accounts to allow PAM to automatically synchronize
Each Unix and Linux version can employ different methods of security including RBAC rules to control or limit which users can change another user's password using the passwd command. As of the time of writing this article all the major versions of unix require using the root account or the root role account to utilize the passwd command from a command prompt without utilizing elevated permissions through a command like sudo .
PAM's default implementation of managing Privileged Accounts on Unix is based on the passwd command using ssh access to the device. The use of other tools provided by the operating system or other third party applications to assist in changing another users password, like chpasswd and smit, or the use of non-local, like NIS or AD, integrated user databases is not discussed in this document.
The most common method of privileged elevation is through use of the sudo command to pass root rights to a non-root user if properly configured in the sudoers file but this can be customized in the Target Application by modifying the Privileged Elevation Command under the Script Processor tab.The command pbrun can replace the sudo command.
# User privilege specification
pamrotate ALL=(ALL:ALL) ALL # give this user all root rights including passwd
pamrotate ALL=(ALL) PASSWD:/usr/bin/passwd # give only the passwd command rights to this user through sudo and require a password
pamrotate ALL=(ALL) NOPASSWD:/usr/bin/passwd # give only the passwd command rights to this user through sudo and do not require a password
[[email protected] ~]$ sudo passwd root
[sudo] password for pamrotate:
Changing password for user root.
Retype new password:
passwd: all authentication tokens updated successfully.
[[email protected] ~]$