Authorizing some users with root password and some with their own passwords
Gökçen Eraslan
gokcen at pardus.org.tr
Wed Jun 18 12:37:15 PDT 2008
Hi,
In Pardus 2008, we heavily use PolicyKit. While adding a user in the
installer (YALI) or in the user management GUI (user-manager), we ask whether
the user being added has admin privileges or not.

We want users that have admin privileges to be able to do any action (like
installing a package, deleting a user, etc.) using only their own password,
and users that do not have admin privileges to use the root password to do
these actions.

We have tried 2 ways of doing this:

1- Adding a line to PolicyKit.conf like <define_admin_auth group="wheel"/>
and adding the users we want to give admin privileges to the wheel group.
This has worked fine for users in the wheel group: they can do all actions
using their own passwords. But the users that are not in the wheel group are
also required to enter the password of a user in the wheel group, although we
want them to do actions by entering the root password, not the password of a
user in the wheel group.

2- Adding lines below:
<match user="hede">
  <return result="auth_self_keep_always"/>
</match>
for each user we want to give admin privileges. This time, all actions that
require "auth_admin*" start to require "auth_self_keep_always". This is fine,
but this rule also overrides the actions that have policy type "yes". This
causes actions that do not ask for a password to ask users for their own
passwords :)

Is there any sane solution for this scenario?
Cheers.
--
Gökçen Eraslan
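
Added example, not part of the original message and not PolicyKit's own code: a simplified Python model of approach 2 that shows why an unconditional <return> under a user match also changes actions whose default is "yes". The action names and defaults are constructed, the <config> root wrapper is assumed, and user matching is done by exact string comparison here.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the approach-2 rule from the message, wrapped in an
# assumed <config> root element.
CONF = """<config version="0.1">
  <match user="hede">
    <return result="auth_self_keep_always"/>
  </match>
</config>"""

# Constructed action ids with their default results (illustration only).
DEFAULTS = {
    "example.package.install": "auth_admin",
    "example.user.delete": "auth_admin_keep_always",
    "example.status.read": "yes",
}


def config_result(node, user):
    """First <return> result reachable for this user, or None if no rule applies."""
    for child in node:
        if child.tag == "return":
            return child.get("result")
        if child.tag == "match":
            wanted = child.get("user")
            if wanted is not None and wanted != user:
                continue  # rule is for another user
            found = config_result(child, user)
            if found is not None:
                return found
    return None


def effective(conf_xml, user):
    """Per-action result after the config file overrides the defaults."""
    override = config_result(ET.fromstring(conf_xml), user)
    return {a: (override if override is not None else d)
            for a, d in DEFAULTS.items()}


def newly_prompting(conf_xml, user):
    """Actions that defaulted to "yes" but now require authentication."""
    eff = effective(conf_xml, user)
    return sorted(a for a, r in eff.items()
                  if DEFAULTS[a] == "yes" and r != "yes")


if __name__ == "__main__":
    for name in ("hede", "someone_else"):
        print(name, effective(CONF, name), newly_prompting(CONF, name))
```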