On Tue, 19 Apr 2005 14:19:59 -0700
Don Russell <fedora@xxxxxxxxxxxxxxxxxxxxx> wrote

> [...]
> However, something I *would like* is a way to log on to one ID but
> specifying the password of another. Sounds crazy....

Not really.

> but here's how it
> works:
>
> logon to user x "by y"
> system prompts for/wants password for user "y"
> correct password is entered, authentication success, log on complete.
>
> User "x" is now logged on with all of user x authority etc, just as if
> user x password was used.

man sudo?

> Then the key part is to authorize who (which y) can actually log on to x.

man /etc/sudoers?

> This is already done on other systems (IBM mainframe VM system) and is
> very helpful in terms of security... no need to ever share the password
> for root (or any other ID).
>
> There is an audit trail showing who logged on to the ID.

yeah

> Of course originally someone has to log on to root to grant the first
> permission... but after that, root never needs to be logged on using
> root's password.

maybe rpm -i sudo, and then visudo?

> By extension, such a mechanism could be applicable to the use of "su -".
> Instead of prompting for root's password, prompt for the current user
> password, then see if that user is authorized to log on to root.
>
> You could get away with not prompting, taking the approach that the user
> already logged on, but the prompt is still a good idea in case user y
> steps away and a new guy secretly uses "su -"...

So, why don't you like sudo?

--
Joel Rees <rees@xxxxxxxxxxx>
digitcom, inc. 株式会社デジコム
Kobe, Japan +81-78-672-8800
** <http://www.ddcom.co.jp> **
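
Added example, not part of the original message or of either poster's configuration: a sudoers fragment that maps the requested 'logon to user x "by y"' scheme onto sudo. The account names (alice, bob, appsvc), the alias names, the file name and the log path are constructed for illustration.

```sudoers
# /etc/sudoers.d/logon-by   (hypothetical file name)
# Edit with:   visudo -f /etc/sudoers.d/logon-by
# Check with:  visudo -cf /etc/sudoers.d/logon-by
#
# Constructed accounts: alice and bob play the role of "user y",
# appsvc plays the role of the shared ID "user x".

# The "which y may log on to x" list.
User_Alias   APPSVC_OPERATORS = alice, bob
Runas_Alias  SHARED_IDS       = appsvc

# Authenticate with the caller's own password. This is sudo's default;
# it is stated here so that a rootpw/targetpw/runaspw setting elsewhere
# cannot silently turn this back into a shared-password scheme.
Defaults:APPSVC_OPERATORS  !rootpw, !targetpw, !runaspw

# Ask for the password on every invocation instead of reusing a cached
# credential, which covers the "user y steps away" case from the post.
Defaults:APPSVC_OPERATORS  timestamp_timeout=0

# Audit trail: besides syslog, record who ran what as whom in a file.
Defaults  logfile=/var/log/sudo-logon-by.log, log_host, log_year

# y may run any command, including a login shell, as x:
#   alice$ sudo -u appsvc -i      (prompts for alice's password)
APPSVC_OPERATORS  ALL = (SHARED_IDS) ALL

# The "su -" case: one named admin becomes root with her own password,
# so root's password never has to be handed out:
#   alice$ sudo -i
alice  ALL = (root) ALL
```

Each operator can confirm what they have been granted with `sudo -l`.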