[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: PAMified login?



Michael K. Johnson:
> Marek Michalkiewicz writes:
> >The shadow su has a more general version of the "wheel group"
> >feature - it allows detailed access control, who can su to which
> >accounts, with the target user's password (default), no password,
> >or the calling user's own password.
> 
> That should *all* be dealt with in modules, not in the program
> calling the modules, IMHO.

Thinking about it more, I am still not yet convinced that
this should be done in a module.  The problem is not just
with getting the old user name (which is no problem), but
sometimes we may need to *authenticate* the current user
instead of the target user (but still use the target user
for everything else: groups, home, shell, etc.).

This feature may be useful for systems with more than one
administrator, so that they don't need to share the same
root password - instead, they use their own password to
su to root.  It was not invented by me, and it was not in
the original shadow suite - the idea came from FreeBSD su
which can be compiled to support a similar feature (they
use the "wheel" group - shadow uses /etc/suauth, which
doesn't even need to be world-readable).  This code was
contributed by Chris Evans.

If it can be done with PAM, no problem, though if the
module is a specialized one, for use by one application
(su), I think there is really not much of a difference
between installing a new module or new application...

Marek



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []