On Tue, Apr 19, 2005 at 02:19:59PM -0700, Don Russell wrote:
> This is already done on other systems (IBM mainframe VM system) and is
> very helpful in terms of security... no need to ever share the password
> for root (or any other ID).
[...]
> By extension, such a mechanism could be applicable to the use of "su -".
> Instead of prompting for root's password, prompt for the current user
> password, then see if that user is authorized to log on to root.

Good idea. In fact, so good that it's already implemented. :) Although it's
on a per-executable basis, not per-login. Check out the files in
/etc/security/console.apps/, and the man page for "userhelper".
(Particularly, look at the USER and UGROUPS variables.)

--
Matthew Miller           mattdm@xxxxxxxxxx        <http://www.mattdm.org/>
Boston University Linux      ------>                <http://linux.bu.edu/>
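
Added example, not part of the original message and not code from usermode: a small audit helper that reads console.apps-style files and reports whose password a given user would be asked for. It assumes the semantics described in the userhelper man page (USER defaults to the special value <user>; members of a group listed in UGROUPS authenticate with their own password); the function names and the sample file are constructed for illustration.

```python
def parse_console_app(text):
    """Parse the KEY=VALUE lines of a console.apps file into a dict."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip().strip('"').strip("'")
    return conf


def ugroups(conf):
    """Groups listed in UGROUPS (comma-separated), as a set."""
    return {g.strip() for g in conf.get("UGROUPS", "").split(",") if g.strip()}


def password_prompted_for(conf, invoking_user, user_groups):
    """Account whose password the invoking user must supply.

    Assumption (from the userhelper man page): USER=<user>, the default,
    means "authenticate as yourself"; a UGROUPS match has the same effect.
    """
    target = conf.get("USER", "<user>")
    if target == "<user>" or ugroups(conf) & set(user_groups):
        return invoking_user
    return target


def own_password_entries(configs):
    """Audit view: for each file name in `configs` (name -> file text),
    list who can launch the program without knowing another account's
    password: 'everyone', or the sorted UGROUPS list."""
    report = {}
    for name, text in sorted(configs.items()):
        conf = parse_console_app(text)
        if conf.get("USER", "<user>") == "<user>":
            report[name] = "everyone"
        elif ugroups(conf):
            report[name] = sorted(ugroups(conf))
    return report


# Constructed sample of a file under /etc/security/console.apps/
SAMPLE = """\
# example-tool (constructed, not a real package file)
USER=root
UGROUPS=wheel,admins
PROGRAM=/usr/sbin/example-tool
"""

if __name__ == "__main__":
    conf = parse_console_app(SAMPLE)
    print(password_prompted_for(conf, "alice", ["alice", "wheel"]))
    print(password_prompted_for(conf, "bob", ["bob"]))
    print(own_password_entries({"example-tool": SAMPLE}))
```

Running own_password_entries over the real files in /etc/security/console.apps/ gives a quick list of programs for which group membership, rather than knowledge of root's password, is the gate.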