Proposing to host system-auth-agent in fdo

Alexander Larsson alexl at redhat.com
Wed Oct 13 19:19:23 EEST 2004


On Wed, 2004-10-13 at 18:07 +0200, Carlos Garnacho wrote:
> On Wed, 2004-10-13 at 10:17 +0100, Thomas Leonard wrote:
> > On Tue, Oct 12, 2004 at 07:05:15PM +0200, Carlos Garnacho wrote:
> > > Hi all,
> > > 
> > > During the past weeks I've been developing system-auth-agent, which
> > > provides an API for running processes with raised privileges, and
> > > allowing to remember which user can do what without being asked for
> > > password, please read the rationale and tell me whether it's worth for
> > > inclusion in fdo :)
> > [...]
> > > Why not sudo?
> > > =============
> > > 
> > > while sudo already does a lot that this proposal does, it's highly
> > > orientated to command line, and really hard to wrap in a GUI-friendly
> > > way, so for adding new rules, the user must trust in the distro doing
> > > the right thing, or adding the new rule by hand. This proposal provides
> > > a simple and flexible replacement for letting users run things as root
> > > and add rules in a GUI way
> > 
> > What problems prevent us from fixing sudo and/or su, instead of adding yet
> > another suid binary?
> 
> In the case of su, having to type root password everytime, and in the
> case of sudo, having to go down to the console to modify (as
> root) /etc/sudoers (asuming you've read the proper manuals and so).
> 
> For example, I, as a laptop user (which has only my user and some
> sporadic users) have to change usually my network configuration, change
> sometimes my time zone, suspend my computer, etc... so this is a
> solution that allows me to say "of course this user can do this!" and,
> at the same time, that's able to scalate to multiuser environments
> without compromising security.

Console-helper is very nice for these sorts of things. It allows the
user currently logged in at the physical console to do these kinds of
things, instead of allowing all users (or all users of some group) to do
it. So, nobody in the group that allows "suspend" on the computer can
log in on the box and suspend it while you're using it. Only the guy at
the console can. And it requires no passwords, ever.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Alexander Larsson                                            Red Hat, Inc 
                   alexl at redhat.com    alla at lysator.liu.se 
He's a lonely neurotic inventor who hides his scarred face behind a mask. 
She's a wealthy paranoid doctor with a birthmark shaped like Liberty's torch. 
They fight crime! 




More information about the xdg mailing list