Discussion:
Intro, and userhelper question
Alastair Neil
2003-11-07 19:22:12 UTC
Permalink
Hello

I am Alastair Neil, a lapsed physicist and currently unix admin for IT&E
labs at George Mason University. I've been using linux since late '93,
slackware and then redhat since 96 or so.

An issue we have with some of our redhat systems is co-management where
I retain root access but create an account with admin privileges. All
easy enough to do with sudo. However, the desire for access to the gui
tools, again relatively easy enough to change the authorised account for
the tools in /etc/security/console.apps, the problem is that now I have
to remember the ladmin account password to access the apps. I would
rather be able to always be granted access with the root password.

It seems there are two ways to approach this, allow userhelper to have a
list of authorised users, possibly selected from a dropdown list in
consolehelper or modify pam to check the root password if the user
password does not match.

I modified pam in RH8 to do this because I liked the ability to unlock
screensavers with the root passwd ala HPUX, but I noted that
xscreensaver in Ximian allows this and as far as I can see it is not a
pam level change.

Does anyone think these modifications are a good idea and if so what is
the preference? Or perhaps in my ignorance I am reinventing the wheel?
--
Dr. Alastair Neil
Unix Systems Administrator
IT&E Labs
George Mason University
(703) 993-3953
Behdad Esfahbod
2003-11-09 06:57:06 UTC
Permalink
I'm pretty sure I have unlocked screen save with root password
once a few months ago. And I'm pretty sure I have not used
anything other than RH&FC. But right now I can't do that.
Anyone knows if there have been such an option that is removed?

behdad
Post by Alastair Neil
Hello
I am Alastair Neil, a lapsed physicist and currently unix admin for IT&E
labs at George Mason University. I've been using linux since late '93,
slackware and then redhat since 96 or so.
An issue we have with some of our redhat systems is co-management where
I retain root access but create an account with admin privileges. All
easy enough to do with sudo. However, the desire for access to the gui
tools, again relatively easy enough to change the authorised account for
the tools in /etc/security/console.apps, the problem is that now I have
to remember the ladmin account password to access the apps. I would
rather be able to always be granted access with the root password.
It seems there are two ways to approach this, allow userhelper to have a
list of authorised users, possibly selected from a dropdown list in
consolehelper or modify pam to check the root password if the user
password does not match.
I modified pam in RH8 to do this because I liked the ability to unlock
screensavers with the root passwd ala HPUX, but I noted that
xscreensaver in Ximian allows this and as far as I can see it is not a
pam level change.
Does anyone think these modifications are a good idea and if so what is
the preference? Or perhaps in my ignorance I am reinventing the wheel?
Nalin Dahyabhai
2003-11-10 14:24:24 UTC
Permalink
Post by Alastair Neil
It seems there are two ways to approach this, allow userhelper to have a
list of authorised users, possibly selected from a dropdown list in
consolehelper or modify pam to check the root password if the user
password does not match.
I modified pam in RH8 to do this because I liked the ability to unlock
screensavers with the root passwd ala HPUX, but I noted that
xscreensaver in Ximian allows this and as far as I can see it is not a
pam level change.
Does anyone think these modifications are a good idea and if so what is
the preference? Or perhaps in my ignorance I am reinventing the wheel?
Allowing unlocking of a user's screen saver using the root password is
unfortunately not a good idea. A naive sysadmin has no way of knowing
whether or not the application which is asking for a password was built
by the user to log that password for later (nefarious) uses.

Cheers,

Nalin

Loading...