Reset user's password without root

Is there any way to allow non-root users to change other users' passwords? Specifically, is there a way to grant help desk employees the ability to do password resets? The help desk can already reset Windows passwords, which is easy to delegate out.

These are on a variety of server types, although mostly on HP-UX. Unfortunately, the applications that run on the server prevent us from using LDAP, so these servers are independent and users forget their passwords. Often. Requiring a server admin who knows the root password, especially in the middle of the night, is a waste of resources.

If it is possible, does it also prevent the user from changing root, like Windows prevents users from changing admin passwords from non-admin accounts?


Solution 1:

Look at sudo:

http://www.gratisoft.us/sudo/

Solution 2:

Add a group called helpdesk and add all helpdesk users to it. Then add the following to the sudoers file:

%helpdesk ALL=/usr/bin/passwd

Now they can sudo to change passwords but nothing else.
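
The question also asks that help desk staff not be able to change root's password; a sudoers rule that names `/usr/bin/passwd` without arguments permits any argument, including `root`. An added example (not from the answers on this page): a small wrapper that only hands ordinary accounts to `passwd`, with the help desk group allowed to run the wrapper instead. The install path `/usr/local/sbin/reset-user-password`, the `MIN_UID` threshold of 1000 and the function names are assumptions to adapt to the site.

```shell
#!/bin/sh
# Hypothetical wrapper, installed root-owned and not writable by others, e.g. as
# /usr/local/sbin/reset-user-password (assumed path). Matching sudoers entry,
# edited with visudo:
#   %helpdesk ALL = (root) /usr/local/sbin/reset-user-password

# Assumption: ordinary accounts start at this UID; system accounts sit below it.
MIN_UID=1000

# may_reset USER PASSWD_FILE MIN_UID
# Succeeds only if USER is a plain account name found in PASSWD_FILE with a
# numeric UID >= MIN_UID. Checking the UID rather than the name also refuses
# any second account that shares UID 0 with root.
may_reset() {
    user=$1 file=$2 min_uid=$3
    case $user in
        # Empty, option-like (leading dash) or containing unexpected characters.
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    uid=$(awk -F: -v u="$user" '$1 == u { print $3; exit }' "$file")
    case $uid in
        # No such account, or a malformed UID field.
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$uid" -ge "$min_uid" ]
}

main() {
    if [ "$#" -ne 1 ] || ! may_reset "$1" /etc/passwd "$MIN_UID"; then
        echo "usage: $0 <ordinary-account-name>" >&2
        return 1
    fi
    # Exactly one validated argument reaches passwd; sudo logs who ran the wrapper.
    exec /usr/bin/passwd "$1"
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

With this in place, a help desk user runs `sudo /usr/local/sbin/reset-user-password alice`, and requests for root or any other account below `MIN_UID` are refused before `passwd` is ever started.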

Solution 3:

Given that HP-UX is said to support PAM, I dare to mention the following tentative clean approach to solving this problem here:

Use pam_tcb (tcb - the alternative to /etc/shadow), and there'll be users' password files per user -- they can be manipulated without root's rights (in fact, in Owl, passwd isn't setUID root), and you can give the permission to modify the passwords of certain users (and not the other ones, say, "root") to a specific group (by simply modifying the permissions of the shadow files).

But it's probably not a practical, ready solution yet, because I don't see a port of pam_tcb to HP-UX.