Changing passwords - re-revisited

There was an interesting question on Twitter after i published my blog entry about assigning the authorization to change passwords to regular users: “Can you change the root password with it?”

The answer is: Yes, you can.

junior@solaris:~$ passwd root
New Password: 
Re-enter new Password: 
passwd: password successfully changed for root

However you don’t get nescessarily root access with it.

junior@solaris:~$ su - root
Roles can only be assumed by authorized users
su: Permission denied

That said, this isn’t a perfect protection, as this user could obviously change the password of a user authorized to use the rule of Solaris. However that user will lose access to his or her account, as you obviously don’t know his password and just can set it to something new.

However there are two important points to keep in mind.