
Re: Open Xlock as root



On 3/12/99 Thomas Meinders wrote:

> Thank you very much for your very informative answer. Your explanation
> really made sense, so I tried it and it worked. The only problem for me is
> that I am not willing to always retune all of my installed machines after
> installation.

This is certainly an annoying issue. All I could really suggest would be to write a small shell script to automate this procedure. You still have the problem of needing to redo this every time you update any of those utilities, and this assumes the Red Hat passwd utilities do not go around resetting the permissions.


> I expect Red Hat to do a better job on this.

Not working for Red Hat, I could not say why they seem to have missed this issue.


> In my opinion
> they should really go ahead and adopt the solution of Debian or even come
> up with something better.

The Debian solution is the fastest way of working around this problem and since it is only required for 1) special-case programs like xlock that need to verify the root password and 2) non-PAM-compliant apps that do not do any passwd file maintenance.


The only other solution I can think of is to create either a new PAM module/helper program that will verify the calling user's password and the root password. This module could be used only for programs that require it, such as the *locks.

Modifying the main pam_unix and pam_pwdb helpers to always check root's password would not be a good solution, since it would almost effectively unshadow the root password.

> It is not acceptable to have a system where I
> can't unlock a screen locked by a user. Sure, I could do a login on the
> console and kill the users xlock process, but this is not the way I expect
> a LINUX system to do a good job for me.

And in the case of vlock, if a user runs vlock -a, your only recourse is to log in remotely to regain access, or reboot the machine uncleanly...


I am interested in hearing the opinions of the PAM folks: is it better to just use the shadow group for these special-case utilities, or would a PAM-based solution be better?


--
Ethan Benson
To obtain my PGP key: http://www.alaska.net/~erbenson/pgp/


