
Re: multiple root passwords...



On Thu, 15 Apr 1999 gsri@cobaltnet.com wrote:

> now, SCO unix provides privileged accounts or root accounts that could be
> conferred with capabilities that ordinary user accounts cannot have. could this
> idea be imported to the pam world?  instead of the one pam_wheel module that
> gives either full or no uid=0 access, how about a pam_confer module that
> confers capabilities listed in a config file when a user invokes it like su?
> the access control part of this capability model could be implemented using
> multiple unix groups. (remember that linux restricts the number of supplemental
> groups per user to NGROUPS_MAX (=32) defined in /usr/include/linux/limits.h).

Mmm... capabilities. =) What sort of possibilities for interaction between
capabilities in linux 2.2 and pam are there I wonder? Off the top of my
head:

require pam_cap which_cap

(or something, you can tell I never look in /etc/pam.d)

What I'm driving at is a pam module that gives a 'yay' if you {have, don't
have} the capability, or {do, don't} have it at the right value (are
capabilities more than binary flags? I have no idea), and 'nay' otherwise.
Can anyone see a use for that?

jim
who has no idea how to write such a thing either, but would think it to be
a 3 line patch to pam_accept if one knew what they were doing. =)


-- 
"[T]hey said something to the effect that Linux has 'the tendency not to 
crash.' ... It's like me listing 'the tendency not to murder people' as one of
my good character traits. :-> It seems that people have grown so accustomed to
buggy OS's that when Linux simply does what it's supposed to do, it comes 
across as something new and different." Scott Webster on linux-biz 20 Feb 1999
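
The yes/no capability test sketched in the message above, as an added example that is not part of the original post or of any PAM code. It decides from the `CapEff:` mask in Linux `/proc/<pid>/status` text, where each capability is one bit. The names `cap_check`, `parse_cap_eff` and the `VERDICT_*` values are hypothetical, and the sample status text is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical verdicts; a real module would map these to PAM return codes. */
enum verdict { VERDICT_YAY = 0, VERDICT_NAY = 1, VERDICT_ERROR = 2 };
#define CAP_NET_BIND_SERVICE 10   /* bit numbers as in <linux/capability.h> */
#define CAP_SYS_ADMIN        21

/* Find the "CapEff:" line in /proc/<pid>/status text and parse its hex mask.
 * Returns 0 on success, -1 if the field is missing or malformed. */
static int parse_cap_eff(const char *status, uint64_t *mask)
{
    const char *p = status;
    while (p && *p) {
        if (strncmp(p, "CapEff:", 7) == 0) {
            p += 7 + strspn(p + 7, " \t");
            size_t n = strspn(p, "0123456789abcdefABCDEF");
            /* Strict: 1..16 hex digits, then end of line, nothing else. */
            if (n == 0 || n > 16 || (p[n] != '\n' && p[n] != '\0'))
                return -1;
            *mask = strtoull(p, NULL, 16);
            return 0;
        }
        p = strchr(p, '\n');          /* advance to the start of the next line */
        if (p) p++;
    }
    return -1;
}

/* want_present != 0: "yay" only if the capability bit is set.
 * want_present == 0: "yay" only if it is clear.
 * Anything unparseable is an error, never a "yay" (fail closed). */
static enum verdict cap_check(const char *status, int cap, int want_present)
{
    uint64_t mask;
    if (cap < 0 || cap > 63 || parse_cap_eff(status, &mask) != 0)
        return VERDICT_ERROR;
    int present = (int)((mask >> cap) & 1u);
    return (present == (want_present != 0)) ? VERDICT_YAY : VERDICT_NAY;
}

/* Constructed sample: a process holding only CAP_NET_BIND_SERVICE (0x400). */
static const char SAMPLE_STATUS[] =
    "Name:\tsu\nCapInh:\t0000000000000000\nCapPrm:\t0000000000000400\n"
    "CapEff:\t0000000000000400\nCapBnd:\t000001ffffffffff\n";

int main(void)
{
    printf("verdict: %d\n", cap_check(SAMPLE_STATUS, CAP_NET_BIND_SERVICE, 1));
    return 0;
}
```

A missing or malformed `CapEff:` field yields an error even in "must not have" mode, so a parsing failure cannot be mistaken for an unprivileged caller.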


