On Thursday, 02.07.2009, at 13:31 -0700, Konstantin Svist wrote:
> Hi all,
>
> Is there a way to make UI apps prompt for sudo password, instead of root
> password?

As already mentioned by Suvayu, we use PolicyKit nowadays. PolicyKit is way more secure, but it requires changes inside the application.

In the past we used the usermode package, which ships a program called consolehelper. It is legacy now, but still works nicely for your case.

Example: You want to run /usr/bin/foo with root privileges. The new command will be called foo-root, which only is a symbolic link to consolehelper:

    $ cd /usr/bin
    $ ln -s consolehelper foo-root

consolehelper needs to know what to do when called as foo-root, so you need to create a file called foo-root in /etc/security/console.apps which could look like this:

    USER=root
    PROGRAM=/usr/bin/foo
    SESSION=true
    FALLBACK=true

FALLBACK means that the program is executed as normal user if you do not enter the root pw. SESSION is needed for graphical stuff that connects to the X server.

Now we need to define the permissions to execute foo-root. This is handled by pam. Create /etc/pam.d/foo-root with the following content:

    #%PAM-1.0
    auth       include      config-util
    account    include      config-util
    session    include      config-util

This simply inherits the permissions from the system-config-* apps; take a look at /etc/pam.d/config-util for details.

You could extend the privileges by adding some more lines to the pam configuration file:

    auth sufficient pam_wheel.so trust use_uid

This will allow all users in the group "wheel" to execute foo-root without entering a password. You can specify the group with the "group" parameter, e.g.

    auth sufficient pam_wheel.so trust use_uid group=users

You can also limit this to a certain user only:

    auth sufficient pam_wheel.so trust use_uid user=konstantin

If you decide to allow users to execute programs without entering the password, you should not inherit the permissions from config-util, because it contains

    session optional pam_timestamp.so

pam_timestamp caches the root password for a certain time and puts a lock inside the systray to indicate you have root privileges. So everybody who is allowed to execute foo-root without password has root privileges afterwards. In this case do not inherit the config-util file but copy the lines you need to your pam configuration.

As you can see, pam is very powerful; you can authenticate against all pam modules there are. For example, you could even authenticate against a Windows Active Directory with the pam_smb module. There are no limits, extend the configuration for your needs. Who needs gksu or gnome-sudo?

Last but not least: Executing graphical programs as root always is a security risk. You can accidentally damage your system or somebody could abuse a programming error in the application to gain root privileges. So be warned!

Regards,
Christoph
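
The combination the message warns about (a passwordless pam_wheel "trust" line in a service that also pulls in pam_timestamp through an include) can be checked mechanically. The following is an added example, not part of the original message or of the usermode or PAM projects; the function names, the bar-root service and all file contents are constructed for illustration.

```python
import re

# Constructed sample files (not from a real system), keyed by /etc/pam.d name.
SAMPLE_PAM_D = {
    "config-util": "auth    sufficient pam_timestamp.so\n"
                   "auth    include    system-auth\n"
                   "session optional   pam_timestamp.so\n",
    "system-auth": "auth    required   pam_unix.so\n",
    # Passwordless for wheel AND inherits config-util: the case warned about.
    "foo-root":    "#%PAM-1.0\n"
                   "auth    sufficient pam_wheel.so trust use_uid\n"
                   "auth    include    config-util\n"
                   "account include    config-util\n"
                   "session include    config-util\n",
    # Passwordless for wheel, needed lines copied in, no pam_timestamp.
    "bar-root":    "auth    sufficient pam_wheel.so trust use_uid\n"
                   "auth    include    system-auth\n"
                   "session optional   pam_xauth.so\n",
}

# type, control (plain word or [bracketed] form), module or include target, args
LINE = re.compile(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def resolve(files, service, kind, seen=None):
    """List (control, module, args) for `kind` lines, following include/substack."""
    seen = set() if seen is None else seen
    if service in seen or service not in files:
        return []
    seen.add(service)
    found = []
    for raw in files[service].splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())
        if not m or m.group(1) != kind:
            continue
        control, module, args = m.group(2), m.group(3), m.group(4).split()
        if control in ("include", "substack"):
            found += resolve(files, module, kind, seen)
        else:
            found.append((control, module, args))
    return found

def passwordless_with_timestamp(files, service):
    """True if a pam_wheel 'trust' auth line coexists with pam_timestamp."""
    auth = resolve(files, service, "auth")
    trust = any(c == "sufficient" and m == "pam_wheel.so" and "trust" in a
                for c, m, a in auth)
    stamp = any(m == "pam_timestamp.so" for kind in ("auth", "session")
                for _, m, _ in resolve(files, service, kind))
    return trust and stamp
```

To audit a real host, build the dictionary by reading each file under /etc/pam.d and call `passwordless_with_timestamp` for every service that has an entry in /etc/security/console.apps.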