Changing password of a user that is not logged in

Hi folks. I’m looking for a user-friendly way to change the password of a user that is not currently logged into the machine. Here’s the scenario:

We have a machine that is used by a number of users with a low level of tech savvy. The machine gets logged in as a generic user which works for most purposes, but due to a management requirement, we need Firefox to be run under an account set up for the individual user. I’ve gotten that bit to work fine, but what I can’t figure out is a friendly (GUI) way to allow users to change their own password while the machine is logged in as the generic user.

I would ideally like to use gnome-passwd, but I’ve been unable to figure out how to get it to run for a user other than the logged-in generic user. Any ideas?

if i understand your question you want anyone who wants to log into
one particular machine as (generic) UnknownUser but then not be able
to launch/use firefox without revealing an actual identity (for
tracking purposes, i suppose)…right?

so, you would have already established an actual ID and Password for
all of those folks who might be using that machine as UnknownUser but
should have tracked access via firefox…right?

sure i know how to do that: tell them to log out as UnknownUser and
back in as themselves…or, better yet, tell them to log in as
themselves the first time…

iow, i don’t know how to lock firefox from UnknownUser’s use but make
it unlocked for all the possible actual users with an ID/Pass

hopefully someone who knows how that might be done will speak up
before you get tired of waiting (or decide to just tell all the “low
level of tech savvy” what their ID/Pass is, and how to log in (and out
so the first visitor of the day is ‘tracked’ for an hour at
superp0rn.com hours later just because she is too tech un-savvy to log
out.)


DenverD (Linux Counter 282315)
CAVEAT: http://is.gd/bpoMD
posted via NNTP w/TBird 2.0.0.23 | KDE 3.5.7 | openSUSE 10.3
2.6.22.19-0.4-default SMP i686
AMD Athlon 1 GB RAM | GeForce FX 5500 | ASRock K8Upgrade-760GX |
CMedia 9761 AC’97 Audio

Actually, that bit I already have worked out, and it’s working pretty well. The part I need is to give the users an easy way to change their personal account passwords while the machine is still logged in as the generic user. I’d love to use gnome-passwd, but I’ve been unable to work any magic with sudo or environment variables to get it to run for a different user.

glibdud wrote:
> The part I need is to give the users an easy way to change their
> personal account passwords while the machine is still logged in as the
> generic user.

no, that can’t be done because logged in “GenericUser” doesn’t have
the authority to change the password for any non-generic user (even if
that ‘other’ user happens to be him/herself)…

see? try this: Glib walks up to a machine where “GenericUser” is
logged in and uses it…then he wants to change his Glib password
but he can’t because GenericUser is not authorized to change Glib’s
password…

only root can do that…but don’t hope you want to give all non-tech
savvy users the system’s root password…

and that wouldn’t help anyway: because IF GenericUser could change
Glib’s password, and then launched Firefox it would STILL be a firefox
launched by GenericUser…

i’m telling you, if you want to know who is using firefox: make them
log out “GenericUser” and then log in as themselves…

to keep the folks from launching Firefox as “GenericUser” i think you
could make a group which includes all users except “GenericUser” (you
could call it Firefox) and set firefox to be executable only by users
in the group Firefox…

an easier way is to forget all of that, not have an open machine that
all can use…and just require all users to log in…


DenverD (Linux Counter 282315)

No, but since they’ll have to enter in their current password to change it, I don’t see why there couldn’t be something that takes the current password and the new password, uses the current password to su to the specific user and change their password. The generic user doesn’t need the authority, since effectively the specific user is changing it himself.

That’s exactly how I have it set up. Add in a little zenity/gnomesu magic in the Firefox launch script, and I’ve got it set up to give them a nice little user selection and password dialog when they run Firefox, but they can’t run Firefox directly even from the terminal. (It’s probably not completely airtight, but I’m satisfied with it.)

Not really an option for us, unfortunately. It’s a culture thing as much as anything. The more hoops we make them jump through, the less inclined they’ll be to ever change their passwords, and the more inclined they’ll be to work around it (e.g. one guy logs in and then just keeps himself logged in for everyone to use).
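The wrapper described in the post above, as an added example that is not part of the original thread: it asks for a user name, checks it, and then lets `su` authenticate as that user before `passwd` runs under that account, so the generic login is never given any authority over other accounts. The account name `generic`, the UID floor of 1000, the function names and the use of `xterm` as the terminal are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Names and limits are assumptions.
LC_ALL=C; export LC_ALL      # make [a-z] mean ASCII letters only
GENERIC_USER="generic"       # assumed name of the shared login
MIN_UID=1000                 # assumed first UID of personal accounts

# Accept only plain login names, so the value can never be read as an
# option by su or carry shell metacharacters.
valid_login_name() {
    case "$1" in
        ""|-*|*[!a-z0-9_-]*) return 1 ;;
        [a-z_]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Allow only existing personal accounts: not root, not system
# accounts, not the shared login itself.
is_allowed_account() {
    valid_login_name "$1" || return 1
    [ "$1" != "$GENERIC_USER" ] || return 1
    uid=$(id -u "$1" 2>/dev/null) || return 1
    [ "$uid" -ge "$MIN_UID" ]
}

change_own_password() {
    user=$(zenity --entry --title="Change password" \
        --text="Your user name:") || return 1
    if ! is_allowed_account "$user"; then
        zenity --error --text="Unknown or disallowed account."
        return 1
    fi
    # su asks for the user's current password on the terminal; passwd
    # then runs as that user. The wrapper never sees either password.
    xterm -T "Change password for $user" -e su -l "$user" -c passwd
}

# Show the dialog only when asked, so the checks can be sourced alone.
if [ "${1:-}" = "--run" ]; then
    change_own_password
fi
```

Run it with `--run` from a desktop launcher; both passwords are typed into the terminal window and are handled only by `su` and `passwd`.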

glibdud wrote:
> No, but since they’ll have to enter in their current password to change
> it, I don’t see why there couldn’t be something that takes the current
> password and the new password, uses the current password to su to the
> specific user and change their password. The generic user doesn’t need
> the authority, since effectively the specific user is changing it
> himself.

but, the basic security is that genericUser has NO access to otherUser
password…

that is if Glib walks up to genericUser machine and opens Personal
Settings to change Glib’s password he will ONLY be offered the
possibility to change genericUser’s pass…

i mean, do you want Tom to walk up to the genericUser machine and have
access to Glib’s password?

if you want Glib to change his password, have Glib log in…or give
him the root pass…(please don’t, unless you want zero security)…

well, if you figure out a way to allow genericUser to change all users’
passwords please don’t put the ‘solution’ here, instead please log the
giant security bug you uncovered…


DenverD (Linux Counter 282315)

Hi
What you’re trying to achieve is better controlled on a proxy server, then
any user is asked for username/password when they wish to access the
net. You then only have one machine to keep access logs on etc.

You could write a script using the dialog command to ask for the
username/password to access firefox (AppArmor profile may work also)
this will pop up a box for username and password, see the man page.


Cheers Malcolm °¿° (Linux Counter #276890)
SUSE Linux Enterprise Desktop 11 (i586) Kernel 2.6.27.45-0.1-pae
up 3:25, 2 users, load average: 0.05, 0.20, 0.22
ASUS eeePC 1000HE ATOM N280 1.66GHz | GPU Mobile 945GM/GMS/GME

malcolmlewis wrote:

> What you’re trying to achieve is better controlled on a proxy server

thank you Malcolm!


DenverD (Linux Counter 282315)