PAM Recipe to Authenticate on Either the User's Password or Root's Password

Les Mikesell lesmikesell at gmail.com
Mon May 15 16:11:30 UTC 2006


On Mon, 2006-05-15 at 10:31, Schlaegel wrote:

> > > > It's more program philosophy than a social issue.  When you
> > > > disagree with the author about what the program is supposed
> > > > to do, the source code is the place to start.
> > >
> > > I don't get your meaning. I want to use `sudo` for the purpose it was
> > > written, to execute a command as another user.
> >
> > That's really the purpose of 'su'.  Sudo exists for the case where
> > you don't know the other user's password.  None of the limitations
> > that sudo provides mean much if the user executing it has the
> > option of using su directly or simply logging in as the other
> > user.
> 
> This is the kind of debate I was hoping to avoid, as I think it scares
> away possible solutions.
> 
> The way I see it, there are two camps with views on `su` and `sudo`.
> One camp thinks `su` should be used for system administration and that
> `sudo` should be used by less trusted users or avoided altogether. The
> other camp thinks `su` should be avoided by everyone and that even
> administrators who know the root password should opt to use `sudo`.

I'd add a third camp who thinks that people who can't keep the
passwords straight shouldn't use it at all...  Or that someone
else should very carefully set up passwordless access to the things
they are allowed to do.

> I don't want to argue over who is right, though if you want to debate
> `su` versus `sudo` you can start another thread. My desire is merely
> for a technical answer.

It would take a change to sudo to make it check passwords for
two different users and permit the access either way.  Probably
not a big change since it already knows how to do each separately.

-- 
  Les Mikesell
   lesmikesell at gmail.com




