Make consolehelper more liske sudo?

[Matthew Miller]

On Wed, Mar 02, 2005 at 10:08:07AM -0500, Eric Warnke wrote:
> I have unsucessfully been attempting to find out through both
> documentation, testing, and internet sources if I can get consolehelper
> to act more like sudo rather than su.  Right now my problem is that
> there is NO WAY to roll this out to more users as a desktop alternative
> without giving them some power user ability ( printers, date and time,

This may help. As of Fedora Core 3, the "UGROUPS" patch is in usermode. From
the userhelper man page:

  UGROUPS
     A comma-separated list of groups whose members will be  authen-
     ticated as if USER were set to the special value <user>. If the
     invoking user is not a member of one of these groups, the  name
     defined  in  USER  will be used as normal. For example, setting
     UGROUPS to wheel and USER to root allows members of wheel (tra-
     ditionally  used for administrative privileges) to authenticate
     with their own credentials and requires other users to  provide
     the root password.

So, for example, if /etc/security/console.apps/system-config-users looks
like this:

  USER=root
  PROGRAM=/usr/share/system-config-users/system-config-users
  SESSION=true
  UGROUPS=wheel

members of the wheel group will be able to authenticate with their own
passwords, and others will need the root password.

We've made this the default for all of the system-config-* apps here at BU
for several years with good results; it might be nice to also make it the
default in future versions of Fedora. (Although this is a pretty big default
security policy change, it *is* basically the traditional meaning of the
"wheel" group.)




Caveat: I just noticed that the little "keys" gnome-panel icon doesn't work
with this, and I'm trying to figure out what should be done about that.

-- 
Matthew Miller           mattdm at mattdm.org        <http://www.mattdm.org/>
Boston University Linux      ------>                <http://linux.bu.edu/>