Usermode request: add patch enabling group membership to control auth user

Nalin Dahyabhai nalin at redhat.com
Fri Apr 16 18:30:38 UTC 2004


On Fri, Apr 16, 2004 at 02:58:27PM +0200, Miloslav Trmac wrote:
> On Thu, Apr 15, 2004 at 04:57:29PM -0400, Matthew Miller wrote:
> > My patch implements what I call a "sudo-like" behavior (although it is much
> > simpler than sudo). Each program, through its console.apps config file, can
> > have a list of groups whose members are able to authorize as themselves.
> > Anyone not a member of the approved groups either must give the root
> > password (or the password of a given user, or is denied access completely
> > via a new <none> value).
> Shouldn't this be already possible using PAM (e.g. pam_listfile)?

A module can change the value of PAM_USER and in that way change the
user whose password is requested and verified by modules which are
called later, yes.  You'd then depend on the application to act
appropriately in the case where this happens:  it could continue using
the PAM_USER setting as the user's name, it could ignore the change and
continue on (IIRC what most applications do), or it could flag this as
an error (what usermode currently does).

The pam_listfile module checks that the PAM_USER is in the list, or is a
member of some group in that list, but it never modifies the PAM_USER
item, so you can't accomplish what Matthew's describing by using the
pam_listfile module.

Nalin
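The allow-list decision Matthew describes, as an added example that is not code from usermode or from his patch: a member of one of the configured groups authenticates as themselves, everyone else falls through to root, a named user, or <none>. The function names and the sample group record below are assumptions of this example.

```c
#include <grp.h>
#include <pwd.h>
#include <string.h>
#include <sys/types.h>

/* Membership test as pam_listfile's item=group does it: a primary-gid
 * match or an entry in gr->gr_mem. */
int user_in_group(const char *user, gid_t user_gid, const struct group *gr)
{
    if (gr == NULL)
        return 0;
    if (gr->gr_gid == user_gid)
        return 1;
    for (char **m = gr->gr_mem; m != NULL && *m != NULL; m++)
        if (strcmp(*m, user) == 0)
            return 1;
    return 0;
}

/* A member of any allowed group authenticates as themselves; anyone else
 * gets the fallback: "root", a named user, or NULL for <none> (deny). */
const char *auth_target(const char *user, gid_t user_gid,
                        const struct group *const *allowed, size_t n,
                        const char *fallback)
{
    for (size_t i = 0; i < n; i++)
        if (user_in_group(user, user_gid, allowed[i]))
            return user;
    return fallback;
}

/* Live-database variant; getgrnam() returns a static buffer, so each
 * record is checked before the next call overwrites it. */
const char *auth_target_for(const char *user, const char *const *group_names,
                            size_t n, const char *fallback)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return fallback;          /* unknown user never self-authorizes */
    for (size_t i = 0; i < n; i++)
        if (user_in_group(user, pw->pw_gid, getgrnam(group_names[i])))
            return user;
    return fallback;
}

/* Constructed sample record for the checks, not read from the system. */
static char *sample_members[] = {"alice", NULL};
static const struct group sample_wheel = {.gr_name = "wheel", .gr_gid = 10,
                                          .gr_mem = sample_members};
static const struct group *const sample_allowed[] = {&sample_wheel};
```

A NULL return is the <none> case, so the calling application should refuse without prompting for any password rather than treating it as a changed PAM_USER.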