Default sudo setup (Was: Re: The Future of Fedora.)

Behdad Esfahbod behdad at cs.toronto.edu
Wed Dec 10 20:27:04 UTC 2003


On Wed, 10 Dec 2003, Michael K. Johnson wrote:

> On Wed, Dec 10, 2003 at 09:07:32AM -0800, Shahms King wrote:
> > I like that scheme and I'm pretty sure it can *all* be done using just
> > sudo and an appropriately clever sudoers file.
>
> Not quite -- most of this already goes through userhelper, not sudo,
> so from an infrastructure standpoint making /etc/pam.d/ files for
> stuff that uses userhelper use pam_wheel, appropriately configured.
> I just haven't thought through the pam configuration to make the
> "if in wheel, prompt for user password, otherwise prompt for root
> password" scheme work, which is why I thought there might be a bit
> more work to do.
>
> *Most* of the infrastructure is there, though, I think.


It would be nice to have the current structure in place.  There
are already lots of packages relying on that.  And we sure need
the su and root password ;).  Perhaps all the change we need is
that instead of userhelper/consolehelper/pam_console/... asking
for the root password, it accepts any user/password which is in
sudoers.  So, you see a dialog with a user and a password box,
and are prompted to please enter an administrative user/pass.  If
you are yourself a sudoer, the user field is already filled with
your own username, otherwise it's filled with root.  The prompt
should remember the username.  Moreover, if you are a sudoer
who does not need to enter a password, it should go on without
asking for a password, or at most show a dialog that it's going to
use your administrative permissions.

It should be a good idea to write a pam_console wrapper for
yum.  But it should let normal users still query yum.  Same for
rpm.  A smart wrapper can determine when you need root and when not.

behdad


> michaelkjohnson
>
>  "He that composes himself is wiser than he that composes a book."
>  Linux Application Development                     -- Ben Franklin
>  http://people.redhat.com/johnsonm/lad/
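A sketch of the "smart wrapper" for yum that the message above proposes, added here as an example and not code from the thread or from Fedora: read-only queries run as the calling user, and only system-changing subcommands are handed to the privilege tool. The read-only subcommand list, the `/usr/bin/yum` path and the choice of `sudo` (versus consolehelper) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a "smart" yum wrapper. Read-only
# queries run as the calling user; anything that changes the system is
# re-run through the privilege tool, so a sudoer never needs the root
# password. Subcommand list and tool paths are assumptions.

YUM="${YUM:-/usr/bin/yum}"            # the real yum, by absolute path
PRIV_TOOL="${PRIV_TOOL:-sudo}"        # or "consolehelper", per local policy

# Effective uid; overridable so the logic can be exercised as any user.
current_uid() { echo "${YUM_WRAPPER_UID:-$(id -u)}"; }

# Exit 0 if subcommand $1 modifies the system (needs root), 1 if read-only.
# Unknown subcommands are treated as privileged, the safe default.
yum_needs_root() {
    case "$1" in
        ""|list|info|search|provides|whatprovides|check-update|deplist|grouplist|groupinfo|repolist|help|version|-h|--help)
            return 1 ;;
        *)  return 0 ;;   # install, remove, update, clean, ... and unknowns
    esac
}

# First argument that is not an option, taken as the yum subcommand.
# (Options with a separate argument, e.g. "--enablerepo foo", are not
# understood; pass them as --enablerepo=foo.)
yum_subcommand() {
    for arg in "$@"; do
        case "$arg" in
            -*) ;;
            *) echo "$arg"; return 0 ;;
        esac
    done
    echo ""
}

# Print the command prefix that would be used, without running anything.
yum_plan() {
    if [ "$(current_uid)" -ne 0 ] && yum_needs_root "$(yum_subcommand "$@")"; then
        echo "$PRIV_TOOL $YUM"
    else
        echo "$YUM"
    fi
}

# When installed ahead of /usr/bin in PATH under the name "yum", hand off.
case "${0##*/}" in
    yum) exec $(yum_plan "$@") "$@" ;;
esac
```

`yum_plan` is the dry-run entry point: it reports whether a given command line would be escalated, which is the check to run before trusting the wrapper on a real system.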
