Quote:
Originally Posted by jnbbender
Sorry, I'll try and be a little clearer. I haven't tried mingetty, it was just an uneducated guess at a solution. To start off I am not concerned with console logins.
My system is a RedHat 6.1 gnome GUI login screen on a pretty standard x86 desktop PC. I apologize, I do not know which service runs the standard gnome GUI login screen presented to the user on run level 5.
Typically a person would log in AT THE GUI, a gnome session would start and off you go. What I am wondering is - is it possible for one person to log in at the gnome GUI (run level 5) AND THEN have the gnome login GUI present itself ONE MORE time so that another user must log in before access is granted.
Forget everything I said about UID, mingetty, etc.
Yes. It is possible.
What you have to do though is set up a "desktop" environment that does nothing but request another login. Once that second "login" occurs then the real desktop can be linked.
To do it though will require a specific login window - and it will not be running as root - so it will be "logged in" as the first user. The second login COULD change UID... but I'm not so sure that access to a GUI would work (the X authorization keys won't match or be available, and if available, then the second login could be spoofed).
This might be implementable by modifying a screen lock utility. The screen lock would then have to start the real GUI rather than just exit.
What you are doing is equivalent to a "captive login" from the command line. The way that works is that the first login has a specific shell to run - and all that shell does is verify a second (different) password before doing an exec of a real shell.
Note the limitation: the "user1" login must always be first, the "user2" password must always be second.
There are weaknesses involved here - 1. root can always bypass it. 2. any bug in the second login could leave user1 with normal access. This can be set up to "fail safe" but it requires a good bit of care in its setup.
BTW, in current RH systems the GUI service is in /etc/X11/prefdm.
In Fedora it changes drastically, and is much less well documented.
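
Added example, not part of the original post: a sketch of the command-line "captive login" shell described above, written so that every path other than a verified second password ends the session instead of leaving user1 with a shell. The shell path, the record file path and its "salt:hash" format, and the function names are assumptions made for illustration.

```python
#!/usr/bin/env python3
# Captive login shell sketch: installed as user1's login shell, it demands a
# second password and only then exec()s the real shell.
import getpass, hashlib, hmac, os, sys

REAL_SHELL = "/bin/bash"                 # assumption: shell to hand over to
RECORD_PATH = "/etc/captive/user2.rec"   # hypothetical root-owned file: "salt_hex:hash_hex"
ITERATIONS = 200_000
MAX_TRIES = 3

def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_record(password: str, salt: bytes = None) -> str:
    """Build the stored record for the second password (run once, as root)."""
    salt = salt or os.urandom(16)
    return f"{salt.hex()}:{derive(password, salt).hex()}"

def check_second(password: str, record: str) -> bool:
    """True only if the password matches the record; any parse error is a failure."""
    try:
        salt_hex, hash_hex = record.strip().split(":")
        expected = bytes.fromhex(hash_hex)
        actual = derive(password, bytes.fromhex(salt_hex))
    except (ValueError, AttributeError):
        return False                      # malformed record: fail closed
    return len(expected) == 32 and hmac.compare_digest(actual, expected)

def main() -> None:
    try:
        with open(RECORD_PATH) as fh:
            record = fh.read()
        for _ in range(MAX_TRIES):
            if check_second(getpass.getpass("Second password: "), record):
                os.execv(REAL_SHELL, [REAL_SHELL, "-l"])   # replaces this process
    except BaseException:
        pass                              # Ctrl-C, EOF, missing file, exec failure
    sys.exit(1)                           # every non-exec path ends the session

if __name__ == "__main__":
    main()
```

The record file has to be readable by user1 for the check to run, so the stored hash should be treated as exposed to user1, and root can still bypass the whole arrangement.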