PAM Recipe to Authenticate on Either the User's Password or Root's Password

[Les Mikesell]

On Sat, 2006-05-13 at 23:30, Schlaegel wrote:

> > > I want everyone to avoid 'su', and most users won't know any important
> > > target passwords (like root). Also, which password is required is
> > > inconsistent across linux programs and even across `sudo`
> > > installations, so I want either to work.
> > >
> > > Rather than debate the social issues, I want to know if anyone knows a
> > > technical solution that allows this.
> >
> > It's more program philosophy than a social issue.  When you
> > disagree with the author about what the program is supposed
> > to do, the source code is the place to start.
> 
> I don't get your meaning. I want to use `sudo` for the purpose it was
> written, to execute a command as another user.

That's really the purpose of 'su'.  Sudo exists for the case where
you don't know the other user's password.  None of the limitations
that sudo provides mean much if the user executing it has the
option of using su directly or simply logging in as the other
user.

>  `sudo` supports three
> methods of authentication current user, target user, or PAM. I want to
> see if PAM can authenticate by trying both the current user and the
> target user. What author am I disagreeing with in regards to the
> purpose of their program?

Pam by itself doesn't have a concept of 'current user'.  Something
that wanted to have it check for two different users would have
to call it two different ways.  Sudo could, but I don't see any
way to tell it to.

-- 
  Les Mikesell
   lesmikesell at gmail.com