Default sudo setup (Was: Re: The Future of Fedora.)

Shahms King shahms at shahms.com
Wed Dec 10 17:07:32 UTC 2003


On Wed, 2003-12-10 at 08:16, Michael K. Johnson wrote:
> On Wed, Dec 10, 2003 at 10:07:43AM -0500, Nathan Fredrickson wrote:
> > Apple handles the root issue an interesting way in OSX.  The root
> > account does not even allow logins by default unless you go to the
> > command line and set a password for it.  "Admin users" of the system
> > instead get added to an admin group that has sudo privileges.  By using
> > sudo instead of su means that the popup password dialogs expect the
> > user's own password instead of the root password.
> > 
> > The overall effect of this setup is that the average user does not even
> > know that a root account exists and is simply asked for their password
> > when carrying out important tasks.  This sort of scheme is familiar to
> > many users since it is similar to the way some websites like Ebay or
> > Yahoo re-prompt for your password for important operations.
> 
> That's definitely a useful idea and worth considering.  I have felt
> for a long time that we need to streamline the local experience without
> destroying security; that's why I wrote pam_console.
> 
> I think we'd want to do things differently -- using the wheel group
> instead of inventing another group, having a root password by default,
> prompting for root password for users not in the wheel group and for
> their own password for users in the wheel group, but certainly having
> a checkbox for "administrative privileges" when adding a user graphically
> and acting on that is worth discussion.
> 
> Other thoughts?
> 
> michaelkjohnson

I like that scheme and I'm pretty sure it can *all* be done using just
sudo and an appropriately clever sudoers file.

Something similar to this might work (assuming the sudo prompt can be
given a nice GUI of course):

#======== /etc/sudoers =======
# Everyone: prompt shows the target (root) account name and asks for root's password
Defaults passprompt="%U Password:",targetpw
# Members of wheel: prompt shows their own name and asks for their own password
Defaults:%wheel passprompt="%u Password:",!targetpw

%wheel ALL=(ALL) ALL
#=============================

Note that in testing the above snippet I discovered that the %'group'
notation doesn't work. So the above should do exactly as described
above, but it won't work if you add those lines to the actual sudoers
file and yourself to wheel.
I'm not exactly sure *why* it doesn't work, given:

$ groups shahms
shahms : shahms wheel

Is it a bug in sudo? Something in my setup (pam_ldap and nss_ldap?).
Will have to investigate.

Shahms King <shahms at shahms.com>
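
The wheel/non-wheel behaviour the sudoers snippet in this message is meant to produce, modelled in a small Python parser for its Defaults lines (an added example written for this page, not code from the thread or from sudo itself; the function names and the caller-supplied group lists are assumptions, and real sudo reads group membership from NSS instead):

```python
"""Model of how sudo resolves the prompt and password for the sudoers snippet above.
Constructed illustration, not sudo's own parser: only 'Defaults' and 'Defaults:%group'
lines carrying passprompt/targetpw are understood; group membership is passed in by the caller."""
import re

# Constructed copy of the three sudoers lines from the message above.
SUDOERS = """
Defaults passprompt="%U Password:",targetpw
Defaults:%wheel passprompt="%u Password:",!targetpw
%wheel ALL=(ALL) ALL
"""

DEFAULTS_RE = re.compile(r'^Defaults(?::(\S+))?\s+(.*)$')
# option name, optionally negated with '!', optionally followed by ="quoted" or =bare value
OPTION_RE = re.compile(r'(!?)(\w+)(?:=(?:"([^"]*)"|([^,\s]+)))?')

def parse_defaults(text):
    """Return [(scope, {option: value})] in file order; scope is None for a global Defaults line."""
    entries = []
    for line in text.splitlines():
        m = DEFAULTS_RE.match(line.strip())
        if not m:
            continue  # comments, blank lines and command specs are not Defaults lines
        opts = {}
        for neg, name, quoted, bare in OPTION_RE.findall(m.group(2)):
            opts[name] = (quoted or bare) or not neg  # string value, or True/False for a flag
        entries.append((m.group(1), opts))
    return entries

def effective_defaults(user, groups, entries):
    """Global Defaults apply first; Defaults:user and Defaults:%group entries override them."""
    eff = {}
    for scope, opts in entries:
        if scope is None:
            eff.update(opts)
    for scope, opts in entries:
        if scope == user or (scope and scope[0] == '%' and scope[1:] in groups):
            eff.update(opts)
    return eff

def prompt_for(user, groups, target='root', text=SUDOERS):
    """Return (expanded prompt text, account whose password sudo will ask for)."""
    d = effective_defaults(user, groups, parse_defaults(text))
    prompt = d.get('passprompt', 'Password:').replace('%U', target).replace('%u', user)
    return prompt, (target if d.get('targetpw', False) else user)

if __name__ == '__main__':
    for u, g in (('shahms', ['shahms', 'wheel']), ('alice', ['alice'])):
        print(u, '->', prompt_for(u, g))
```

A wheel member gets "shahms Password:" and is checked against their own password; anyone else gets "root Password:" and must supply root's.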
