Root access removed

Tom 'Needs A Hat' Mitchell mitch48 at sbcglobal.net
Wed May 12 07:28:30 UTC 2004


On Tue, May 11, 2004 at 08:23:30AM +0200, Chadley Wilson wrote:

> I have been working on a desktop solution for home users, 
> I have discovered from client feedback and support that 90% of all
> calls logged are as a result of simple apps requiring root access.
> 
> So I removed the need to put in passwds on some of the user PCs and they
> are happy.

See /etc/pam.d/su and look for the lines:

   # Uncomment the following line to implicitly trust users in the "wheel" group.
   #auth       sufficient   /lib/security/$ISA/pam_wheel.so trust use_uid

Now add a "sufficient pam_wheel" line to all the common activities in
"/etc/pam.d" then add all your users to group wheel.  PAM and sudo are
rich in stuff to just this end.

To this end I added the "sufficient pam_wheel" line to 'up2date' on my test box.
I was tired of being prompted for something so common on a test box.

> End-users who are new to Linux are easily irritated by passwd prompts,
> My one customer made a (I think valid) comment: He said and I quote 
> "I should be given the option to choose whether or not I want a passwd
> protected system. Why do other people tell me what I need."

He is right, except that he is forgetting the old "be cautious of what you
ask, for fear that you will get it" ....

> OK now in fairness to his situation I can see how this is. He is a stand
> alone box with no access to the internet from home.
> His box drives a Lexmark printer and Primax Scanner. He uses a USB
> memory stick as removable storage and a cdwriter for backup.

Quick question... what is on the memory stick?  If the memory stick
gets stuck in a machine that is on the Internet then there is a chance
that it gets infected.  While the Linux box might not suffer the same
ills that the other box does there is no telling what the future will
bring.  He may also be reinfecting his PC.

What if his memory stick had an 'autorun' file on it that did
something it should not?  If he was root equivalent then autorun could
do "anything".  If the stick was auto mounted and ran autorun by
default .... goodness.

> So I did the same on my PC and guess what, there is a huge difference in
> performance. 
> Why would that be? 

It is unclear what the problem is from what you have given us.
One thing that the OS must do is authenticate almost anything.
i.e. authentication may be hobbled by your change.

If the first check for access fails because of how you changed things
then the next method for authentication would be checked etc.  Some
will fail quickly and some will just time out.   

Can you be more 'precise' with regard to how you changed things?




-- 
	T o m  M i t c h e l l 
	/dev/null the ultimate in secure storage.
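
Added example (not part of the original post): a small Python audit that lists which files under /etc/pam.d carry an active `pam_wheel.so ... trust` auth rule, that is, which services let wheel members skip the password prompt. The function names and the sample `su` file content are constructed for illustration.

```python
import re
from pathlib import Path

# Active (uncommented) PAM auth rule that calls pam_wheel.so. The control
# field is a keyword (sufficient, required, ...) or a bracketed [value=action] list.
RULE = re.compile(r"^\s*-?auth\s+(\[[^\]]*\]|\S+)\s+\S*pam_wheel\.so\b(.*)$")

def wheel_trust_rules(text):
    """Return (line_no, control, args) for each active pam_wheel rule using 'trust'."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0]          # drop comments, incl. commented-out rules
        m = RULE.match(line)
        if m and "trust" in m.group(2).split():
            hits.append((no, m.group(1), m.group(2).split()))
    return hits

def audit(pam_dir="/etc/pam.d"):
    """Map each service file in pam_dir to its passwordless-wheel rules."""
    report = {}
    for path in sorted(Path(pam_dir).iterdir()):
        try:
            hits = wheel_trust_rules(path.read_text(errors="replace"))
        except OSError:                       # unreadable file or a directory
            continue
        if hits:
            report[path.name] = hits
    return report

# Constructed sample: an su service file with the line from the post uncommented.
SAMPLE_SU = """\
#%PAM-1.0
auth       sufficient   /lib/security/$ISA/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
auth       sufficient   /lib/security/$ISA/pam_wheel.so trust use_uid
#auth       required     /lib/security/$ISA/pam_wheel.so use_uid
auth       required     /lib/security/$ISA/pam_stack.so service=system-auth
"""

if __name__ == "__main__":
    print("sample su:", wheel_trust_rules(SAMPLE_SU))
    if Path("/etc/pam.d").is_dir():
        for service, hits in audit().items():
            for no, control, args in hits:
                print(f"{service}:{no}: auth {control} pam_wheel.so {' '.join(args)}")
```

Every service it reports is one where membership in wheel is equivalent to knowing the root password, so the output doubles as a list of what to review before adding users to that group.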
