Usermode request: add patch enabling group membership to control auth user

Matthew Miller mattdm at mattdm.org
Thu Apr 15 20:57:29 UTC 2004


Usermode is the handy little program that makes all of the GUI
administration utilities (and some command line tools too -- it's not picky)
able to prompt for the root password when run as a normal user.

It also has a feature where users can, instead of authorizing as the root
user, authorize as themselves with their own password. 

This is good for things like changing GECOS information, or anything else
where you want the user to demonstrate that they really are who they say
they are rather than just someone who walked up to the console.

However, it's on an all-or-nothing basis -- either everyone must give the
root password for a given program, or everyone can run it with their own
password.

My patch implements what I call a "sudo-like" behavior (although it is much
simpler than sudo). Each program, through its console.apps config file, can
have a list of groups whose members are able to authorize as themselves.
Anyone not a member of the approved groups must either give the root
password (or the password of a given user), or is denied access completely
via a new <none> value.

This could allow members of an admin group (traditionally, 'wheel') to have
easy access to all of the administrative tools -- very reasonable for ease
of use on a personal desktop system. Or, you could be more fine-grained, and
give members of a certain group access to 'gtoaster' on a shared CD-burning
system.

This all may sound complicated, but it's not. Usermode already implements
99% of what was needed -- the core patch is about a dozen lines! (There are
also is_group_member and is_grouplist_member helper functions, but those are
very simple too.)

And, it's a very non-invasive change, because if the config files aren't
changed, it defaults to acting exactly like it does now.

See the patch, and the request, at:

<http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=86188>

Any comments/suggestions are very welcome.

And Nalin or whoever else, please consider adding this.

Thanks!

-- 
Matthew Miller           mattdm at mattdm.org        <http://www.mattdm.org/>
Boston University Linux      ------>                <http://linux.bu.edu/>
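
The decision described in the message above, sketched as an added example; this is not the patch attached to the bug report and not usermode's own code. The helper names is_group_member and is_grouplist_member come from the post, but their bodies, the member_fn callback, auth_target, and the constructed sample_member data (users alice and bob) are assumptions made for illustration.

```c
#include <grp.h>
#include <pwd.h>
#include <string.h>
#include <sys/types.h>

typedef int (*member_fn)(const char *user, const char *group);

/* System-backed check: supplementary members first, then primary GID. */
int is_group_member(const char *user, const char *group)
{
    struct group *gr = getgrnam(group);
    if (gr == NULL)
        return 0;                        /* unknown group: fail closed */
    gid_t gid = gr->gr_gid;              /* copy before the next lookup */
    for (char **m = gr->gr_mem; m != NULL && *m != NULL; m++)
        if (strcmp(*m, user) == 0)
            return 1;
    struct passwd *pw = getpwnam(user);
    return pw != NULL && pw->pw_gid == gid;
}

/* Constructed sample data so the example runs without real accounts. */
int sample_member(const char *user, const char *group)
{
    return (strcmp(user, "alice") == 0 && strcmp(group, "wheel") == 0) ||
           (strcmp(user, "bob") == 0 && strcmp(group, "cdburn") == 0);
}

/* Walk a comma-separated group list; exact-match each trimmed name. */
int is_grouplist_member(const char *user, const char *list, member_fn fn)
{
    char buf[256];
    if (list == NULL || strlen(list) >= sizeof(buf))
        return 0;                        /* oversized list: fail closed */
    strcpy(buf, list);
    for (char *tok = strtok(buf, ", \t"); tok; tok = strtok(NULL, ", \t"))
        if (fn(user, tok))
            return 1;
    return 0;
}

/* Whose password to ask for; NULL means access is denied outright. */
const char *auth_target(const char *user, const char *groups,
                        const char *fallback, member_fn fn)
{
    if (is_grouplist_member(user, groups, fn))
        return user;                     /* authorize as themselves */
    return strcmp(fallback, "<none>") == 0 ? NULL : fallback;
}
```

Pass is_group_member as the callback to check real accounts; an empty or missing group list never matches, so the fallback account alone decides, which mirrors the unchanged-config behaviour the message describes.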
