Allowing a user administrative tasks without root's password

Boszormenyi Zoltan zboszor at freemail.hu
Tue Oct 14 09:46:49 UTC 2003


Hi,

I have put

auth       sufficient   pam_localuser.so

into /etc/pam.d/printconf-gui, so it looks now:

# cat printconf-gui
#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       sufficient   pam_timestamp.so
auth       sufficient   pam_localuser.so
auth       required     pam_stack.so service=system-auth
session    required     pam_permit.so
session    optional     pam_xauth.so
session    optional     pam_timestamp.so
account    required     pam_permit.so

Now starting 'Printing' from the System Settings menu
does not ask for the root password. However, starting
the Print Manager from the panel and editing the settings
of a printer still asks. To avoid this, the same
modification is needed in /etc/pam.d/redhat-config-printer-gui.
Why are there two pam config files for these? They start the same
task...

But there is a bad security side-effect of this.
The user gains superuser privileges and all tools
from the System Settings menu can be started.
It shouldn't happen.

What I would like is to allow *some* sysadmin tasks
for certain/all users but disallow everything else.

auth sufficient pam_localuser.so   # all local users

or

auth sufficient pam_succeed_if.so user ingroup printersettings
                # certain users are in the printersettings group

What I would like to achieve is for /usr/bin/pam-panel-icon
not to appear on the panel for those services that automagically
succeeded. It should still show up when a task asked for a
root password and correctly got it.

Sean Craig wrote:
> take a look at 'sudo'.  This is probably what you need.
> regards
> 
> Sean Craig
> 
> 
> Louis Garcia wrote:
> 
>> I was wondering if it was possible to create a root-like account but
>> have it locked. This way you can control who has access to what
>> without having to give up root's password.
>>
>> Let's say you allow users to change the clock. They call up the Date &
>> Time capplet but instead of giving root's password they give this new
>> account's password. So now a user can modify the time but is not able to
>> log in as root and do horrible things.
>>
>> Is this doable, or is it more complicated? Maybe ACL would be better for
>> this.
>>
>>
>> --Lou
>>

-- 
Best regards,
Zoltán Böszörményi

---------------------
What did Hussein say about his knife?
One in Bush worth two in the hand.
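Added example (not from the thread): a small Python audit of a PAM service file like the printconf-gui one above. It flags 'auth sufficient' rules that succeed with no credential check at all (pam_localuser.so, pam_permit.so) and rates a group-scoped pam_succeed_if rule lower; the sample configs are constructed from the post, and the printersettings group name is the post's own example.

```python
import re

# Added example (not from the thread): flag 'auth sufficient' PAM rules that
# pass without checking a credential. Sample file constructed from the post.
PAGE_CONFIG = """\
#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       sufficient   pam_timestamp.so
auth       sufficient   pam_localuser.so
auth       required     pam_stack.so service=system-auth
session    required     pam_permit.so
session    optional     pam_xauth.so
session    optional     pam_timestamp.so
account    required     pam_permit.so
"""
# Same file with the grant narrowed to one group (the post's example group name).
SCOPED_CONFIG = PAGE_CONFIG.replace(
    "auth       sufficient   pam_localuser.so",
    "auth       sufficient   pam_succeed_if.so user ingroup printersettings")

# 'auth sufficient' modules that succeed with no password prompt at all.
UNCONDITIONAL = {
    "pam_permit.so": "always succeeds for every caller",
    "pam_localuser.so": "succeeds for any user in /etc/passwd without a password",
}

def parse_pam(text):
    """Yield (lineno, type, control, module, args) for each rule line."""
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 3:
            yield n, parts[0], parts[1], parts[2], parts[3:]

def audit_pam_service(text):
    """Return (lineno, severity, message) findings for 'auth sufficient' rules."""
    findings = []
    for n, mtype, control, module, args in parse_pam(text):
        if mtype != "auth" or control != "sufficient":
            continue
        if module in UNCONDITIONAL:
            findings.append((n, "high", f"{module}: {UNCONDITIONAL[module]}"))
        elif module == "pam_succeed_if.so":
            # A user/ingroup condition limits who is let through; report it as scoped.
            cond = " ".join(args)
            sev = "info" if re.search(r"\b(user|ingroup)\b", cond, re.I) else "medium"
            findings.append((n, sev, f"pam_succeed_if.so condition: {cond}"))
        elif module == "pam_timestamp.so":
            # A cached success is reused by every service sharing the timestamp.
            findings.append((n, "medium", "pam_timestamp.so reuses a recent success"))
    return findings
```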