[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: sudo for gnome apps



Am Donnerstag, den 02.07.2009, 13:31 -0700 schrieb Konstantin Svist:
> Hi all,
> 
> Is there a way to make UI apps prompt for sudo password, instead of root
> password?

As already mentioned by Suvayu, we use PolicyKit nowadays. PolicyKit is
way more secure, but it requires changes inside the application. In the
past we used the usermode package which ships a program called
consolehelper. It is legacy now, but still works nicely for your case.

Example: You want to run /usr/bin/foo with root privileges. The new
command will be called foo-root, which only is a symbolic link to
consolehelper:

$ cd /usr/bin
$ ln -s consolehelper foo-root

consolehelper needs to know what to do when called as foo-root, so you
need to create a file called foo-root in /etc/security/console.apps
which could look like this:

USER=root
PROGRAM=/usr/bin/foo
SESSION=true
FALLBACK=true

FALLBACK means that the program is executed as normal user if you do not
enter the root pw. SESSION is needed for graphical stuff that connects
to the X server.

Now we need to define the permissions to execute foo-root. This is
handled by pam. Create /etc/pam.d/foo-root with the following content:

#%PAM-1.0
auth            include         config-util
account         include         config-util
session         include         config-util

This simply inherits the permissions from the system-config-* apps, take
a look /etc/pam.d/config-util for details. You could extent the
privileges by adding some more lines to the pam configuration file:

auth          sufficient      pam_wheel.so trust use_uid

This will allow all users in the group "wheel" to execute foo-root
without entering password. You can specify the group with "group"
parameter, e. g.

auth          sufficient      pam_wheel.so trust use_uid group=users

You can also limit this to a certain user only:

auth          sufficient      pam_wheel.so trust use_uid user=konstantin

If you decide to allow users to execute programs without entering the
password, you should not inherit the permissions from config-util,
because it contains

session       optional        pam_timestamp.so

pam_timestamp caches the root password for a certain time and puts a
lock inside the systray to indicate you have root privileges. So
everbody who is allowed to execute foo-root without password has root
privileges afterwards. In this case do not inherit the config-util file
but copy the lines you need to your pam configuration.

As you can see pam is very powerfull, you can authenticate against all
pam modules there are. For example, you could even authenticate against
an Windows active directory with the pam_smb module. There are no
limits, extend the configuration for your needs. Who needs gksu or
gnome-sudo?

Last but not least: Executing graphical programs as root always is a
security risk. You can accidentally damage your system or somebody could
abuse a programming error in the application to gain root privileges. So
be warned!

Regards,
Christoph



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]