-   Fedora (
-   -   GNOME: Gain privileges using current user's password instead of root's password (

maxkukartsev 08-06-2009 01:16 PM

GNOME: Gain privileges using current user's password instead of root's password
Hello all,

In Ubuntu Linux when I try to launch an application from GNOME that requires root privileges, I receive a prompt asking me to enter my password, not root's password.

So to clarify I'm not talking about doing su/sudo from terminal, but having a dialog box pop up when launching an app from GNOME that requires root privileges.

I've realized this is due to PolicyKit-gnome and /etc/PolicyKit/PolicyKit.conf. Here's a sample:


<config version="0.1">
  <match user="root">
    <return result="yes"/>
  <define_admin_auth group="wheel"/>

Because I happen to be a member of the group wheel, I can enter my password instead of root's to gain root privileges.
I want to have the same behavior in Fedora 11.

I edited the /etc/PolicyKit/PolicyKit.conf file in Fedora 11 to look exactly as above, but I cannot get the authentication to behave like Ubuntu - it works for some applications, and not for others.

For instance, I go to the "Network Connections" window by right-clicking the NetworkManager applet -> "Edit Connections". When I try to edit one of the network interfaces, I get a prompt to enter my password - which is what I want.

But when I go to System->Administration->Network Connections to launch "Network Configuration" window, I get a prompt called "Query" to enter root's password. Same thing happens for System->Administration->Bootloader.

It seems like the "Query" window that prompts me for the root password isn't part of GNOME PolicyKit, but instead some other application, which I cannot find and disable.
So I think that some applications make use of GNOME PolicyKit (e.g. NetworkManager applet) and other applications don't.

How can I make GNOME-based root privilege authentication ask for my password instead of root's, like in Ubuntu?

Thanks in advance,
Max Kukartsev

maxkukartsev 08-06-2009 05:05 PM

Consolehelper vs. PolicyKit
It turns out that the "Query" dialog box that prompts for the root password is a special program called consolehelper.

The system utilities system-network-conf ("Network Configuration Window" as I described previously) are actually symbolic links to /usr/bin/consolehelper, a set-uid application.
After consolehelper is launched it checks the /etc/pam.d directory for a file that matches the symbolic link from which it was called, and invokes PAM.

Also, as stated in the consolehelper man page, another program named userhelper has something to so with it.

So basically I'm asking here, is there any way I can make consolehelper-based apps use the (newer) PolicyKit, as is the case in Ubuntu Linux?

chrism01 08-06-2009 09:09 PM

Can't you just grant 'su -' to your user in the sudoers file?

unSpawn 08-06-2009 09:59 PM


Originally Posted by chrism01 (Post 3634247)
Can't you just grant 'su -' to your user in the sudoers file?

Common sense/privsep/best practice-wise that would be just so utterly wrong I can't understand what makes you mention it. Besides he specifically said he wasn't talking su/sudo.

maxkukartsev 08-07-2009 01:16 AM

Call PolicyKit from PAM?

Originally Posted by chrism01 (Post 3634247)
Can't you just grant 'su -' to your user in the sudoers file?

Besides what unSpawn said, /etc/sudoers pertains to sudo, not su.

Also, I've looked more deeply into the Ubuntu installation GNOME apps to compare with the Fedora one. To my surprise, Ubuntu does not have the GNOME apps that make use of PAM via the consolehelper program as in Fedora. For example, my Ubuntu [Jaunty] installation by default did not come with system-network-config. So this suggests that the consolehelper/PAM root privileges approach is vastly different from using PackageKit (?).

As far as I know, consolehelper handles calling PAM after it finds a corresponding filename for the utility requesting root privileges in /etc/pam.d. All of the /etc/pam.d/system-*-config files refer to /etc/pam.d/config-util:

$ cat /etc/pam.d/config-util

auth sufficient
auth sufficient
auth include system-auth
account required
session required
session optional
session optional

And one of the PAM modules, perhaps, is the one that displays the dialog box prompting to enter the root password.

Then my question really is, is it possible to call PolicyKit from PAM?
If this is possible, GNOME applications that rely on consolehelper and PAM (, such as system-network-config, can instead gain root privileges using PolicyKit, - and asking to enter the current user's password instead of root's.

Nilgiri 02-10-2012 10:46 AM

Did you find a solution?
I'm trying to do the same thing with CentOS 6. Did you figure this out?

All times are GMT -5. The time now is 12:56 PM.