Default sudo setup (Was: Re: The Future of Fedora.)

Bill Nottingham notting at redhat.com
Wed Dec 10 22:33:40 UTC 2003


Michael K. Johnson (johnsonm at redhat.com) said: 
> On Wed, Dec 10, 2003 at 09:07:32AM -0800, Shahms King wrote:
> > I like that scheme and I'm pretty sure it can *all* be done using just
> > sudo and an appropriately clever sudoers file.
> 
> Not quite -- most of this already goes through userhelper, not sudo,
> so from an infrastructure standpoint making /etc/pam.d/ files for
> stuff that uses userhelper use pam_wheel, appropriately configured.
> I just haven't thought through the pam configuration to make the
> "if in wheel, prompt for user password, otherwise prompt for root
> password" scheme work, which is why I thought there might be a bit
> more work to do.

Actually, with SELinux, you can just define that users
foo/bar/baz are allowed to assume the administrator role;
you then have the role change thing just prompt for the
user's password; for the users where this isn't allowed, they
won't be able to assume that role.

Bill




