
Re: Open Xlock as root



>>>>> "vorlon" == vorlon  <vorlon@netexpress.net> writes:

    vorlon> If you're going to work on this module, would you consider basing it off
    vorlon> of pam_unix rather than pam_pwdb?

Hmmm ... I had assumed that pam_pwdb would be the better alternative,
but I don't know exactly why.  What are the pros and cons of using
each?

Otherwise, it's somewhat "agreed" that the following is required to
allow root (or other user) override in xlock and other pertinent apps:

(1) allow authentication to an arbitrary user, via something like:

    #%PAM-1.0
    auth       sufficient   /lib/security/pam_checkuser root
    auth       required     /lib/security/pam_pwdb shadow

(2) it will need a modified version of pwdb_chkpwd - or a similar
    mechanism - in order to allow checking a password of someone other
    than the current uid; and

(3) (still to be determined) it will be based on pam_{unix,pwdb}.

I guess it's better to write a separate module completely instead of
just adding a single option to pam_pwdb such as "otheruser=root"?
That would probably be complicating it too much, and opening that
module up to problems.  However, it wouldn't be trying it
automatically, and the sysadmin would have to activate it manually.
Thoughts on this?

-bill

-- 
William Evans                 < william . evans @ computer . org >
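
The stack in item (1) depends on how Linux-PAM treats the `sufficient` and `required` control flags. The following is an added example, not part of the original message and not code from any PAM module: it parses that stack and evaluates it to show which passwords would unlock a session. The behaviour of the proposed `pam_checkuser` module, the user name `bill` and the passwords in the test are assumptions constructed for illustration.

```python
# Added example: Linux-PAM control-flag evaluation for the stack quoted in the message.
# pam_checkuser is the proposed module; its behaviour here is an assumption.
STACK = """\
#%PAM-1.0
auth       sufficient   /lib/security/pam_checkuser root
auth       required     /lib/security/pam_pwdb shadow
"""

def parse_stack(text, mtype="auth"):
    """Return [(control, module_path, args)] for one module type."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drops comments and the #%PAM-1.0 header
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        if fields[0] == mtype:
            entries.append((fields[1], fields[2], fields[3:]))
    return entries

def evaluate(entries, results):
    """results maps module path -> True (PAM_SUCCESS) or False."""
    failed_required = any_success = False
    for control, path, _args in entries:
        ok = results[path]
        if control == "sufficient":
            if ok and not failed_required:
                return True               # short-circuit: later modules are not consulted
            # a failing sufficient module is ignored
        elif control == "required":
            any_success |= ok
            failed_required |= not ok     # stack continues, final result is failure
        elif control == "requisite":
            if not ok:
                return False
            any_success = True
        else:
            raise ValueError(f"control flag not modelled: {control}")
    return any_success and not failed_required

def unlocks(typed, owner, passwords, stack=STACK):
    """True if `typed` unlocks a session owned by `owner`."""
    entries = parse_stack(stack)
    results = {}
    for _control, path, args in entries:
        # Assumption: pam_checkuser tests the user named in its argument,
        # pam_pwdb tests the user who owns the locked session.
        target = args[0] if path.endswith("pam_checkuser") else owner
        results[path] = passwords.get(target) == typed
    return evaluate(entries, results)
```

With `sufficient` on the first line, root's password alone is accepted for any user's session under this service; changing that flag to `required` would demand both checks to pass, so the override depends entirely on the control flag the sysadmin writes.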


