GNOME: Gain privileges using current user's password instead of root's password
In Ubuntu Linux when I try to launch an application from GNOME that requires root privileges, I receive a prompt asking me to enter my password, not root's password.
So to clarify I'm not talking about doing su/sudo from terminal, but having a dialog box pop up when launching an app from GNOME that requires root privileges.
I've realized this is due to PolicyKit-gnome and /etc/PolicyKit/PolicyKit.conf. Here's a sample:
I want to have the same behavior in Fedora 11.
I edited the /etc/PolicyKit/PolicyKit.conf file in Fedora 11 to look exactly as above, but I cannot get the authentication to behave like Ubuntu - it works for some applications, and not for others.
For instance, I go to the "Network Connections" window by right-clicking the NetworkManager applet -> "Edit Connections". When I try to edit one of the network interfaces, I get a prompt to enter my password - which is what I want.
But when I go to System->Administration->Network Connections to launch "Network Configuration" window, I get a prompt called "Query" to enter root's password. Same thing happens for System->Administration->Bootloader.
It seems like the "Query" window that prompts me for the root password isn't part of GNOME PolicyKit, but instead some other application, which I cannot find and disable.
So I think that some applications make use of GNOME PolicyKit (e.g. NetworkManager applet) and other applications don't.
How can I make GNOME-based root privilege authentication ask for my password instead of root's, like in Ubuntu?
Thanks in advance,
Consolehelper vs. PolicyKit
It turns out that the "Query" dialog box that prompts for the root password is a special program called consolehelper.
The system utilities system-network-conf ("Network Configuration Window" as I described previously) are actually symbolic links to /usr/bin/consolehelper, a set-uid application.
After consolehelper is launched it checks the /etc/pam.d directory for a file that matches the symbolic link from which it was called, and invokes PAM.
Also, as stated in the consolehelper man page, another program named userhelper has something to so with it.
So basically I'm asking here, is there any way I can make consolehelper-based apps use the (newer) PolicyKit, as is the case in Ubuntu Linux?
Can't you just grant 'su -' to your user in the sudoers file?
Call PolicyKit from PAM?
Also, I've looked more deeply into the Ubuntu installation GNOME apps to compare with the Fedora one. To my surprise, Ubuntu does not have the GNOME apps that make use of PAM via the consolehelper program as in Fedora. For example, my Ubuntu [Jaunty] installation by default did not come with system-network-config. So this suggests that the consolehelper/PAM root privileges approach is vastly different from using PackageKit (?).
As far as I know, consolehelper handles calling PAM after it finds a corresponding filename for the utility requesting root privileges in /etc/pam.d. All of the /etc/pam.d/system-*-config files refer to /etc/pam.d/config-util:
Then my question really is, is it possible to call PolicyKit from PAM?
If this is possible, GNOME applications that rely on consolehelper and PAM (pam_rootok.so), such as system-network-config, can instead gain root privileges using PolicyKit, - and asking to enter the current user's password instead of root's.
Did you find a solution?
I'm trying to do the same thing with CentOS 6. Did you figure this out?
|All times are GMT -5. The time now is 10:21 PM.|