Fedora This forum is for the discussion of the Fedora Project. |
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
|
08-06-2009, 01:16 PM
|
#1
|
LQ Newbie
Registered: Apr 2009
Distribution: Gentoo, Arch, Slackware
Posts: 22
Rep:
|
GNOME: Gain privileges using current user's password instead of root's password
Hello all,
In Ubuntu Linux when I try to launch an application from GNOME that requires root privileges, I receive a prompt asking me to enter my password, not root's password.
So to clarify I'm not talking about doing su/sudo from terminal, but having a dialog box pop up when launching an app from GNOME that requires root privileges.
I've realized this is due to PolicyKit-gnome and /etc/PolicyKit/PolicyKit.conf. Here's a sample:
Code:
<config version="0.1">
<match user="root">
<return result="yes"/>
</match>
<define_admin_auth group="wheel"/>
</config>
Because I happen to be a member of the group wheel, I can enter my password instead of root's to gain root privileges.
I want to have the same behavior in Fedora 11.
I edited the /etc/PolicyKit/PolicyKit.conf file in Fedora 11 to look exactly as above, but I cannot get the authentication to behave like Ubuntu - it works for some applications, and not for others.
For instance, I go to the "Network Connections" window by right-clicking the NetworkManager applet -> "Edit Connections". When I try to edit one of the network interfaces, I get a prompt to enter my password - which is what I want.
But when I go to System->Administration->Network Connections to launch "Network Configuration" window, I get a prompt called "Query" to enter root's password. Same thing happens for System->Administration->Bootloader.
It seems like the "Query" window that prompts me for the root password isn't part of GNOME PolicyKit, but instead some other application, which I cannot find and disable.
So I think that some applications make use of GNOME PolicyKit (e.g. NetworkManager applet) and other applications don't.
How can I make GNOME-based root privilege authentication ask for my password instead of root's, like in Ubuntu?
Thanks in advance,
Max Kukartsev
|
|
|
08-06-2009, 05:05 PM
|
#2
|
LQ Newbie
Registered: Apr 2009
Distribution: Gentoo, Arch, Slackware
Posts: 22
Original Poster
Rep:
|
Consolehelper vs. PolicyKit
It turns out that the "Query" dialog box that prompts for the root password is a special program called consolehelper.
The system utilities system-network-conf ("Network Configuration Window" as I described previously) are actually symbolic links to /usr/bin/consolehelper, a set-uid application.
After consolehelper is launched it checks the /etc/pam.d directory for a file that matches the symbolic link from which it was called, and invokes PAM.
Also, as stated in the consolehelper man page, another program named userhelper has something to so with it.
So basically I'm asking here, is there any way I can make consolehelper-based apps use the (newer) PolicyKit, as is the case in Ubuntu Linux?
|
|
|
08-06-2009, 09:09 PM
|
#3
|
LQ Guru
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,405
|
Can't you just grant 'su -' to your user in the sudoers file?
|
|
|
08-06-2009, 09:59 PM
|
#4
|
Moderator
Registered: May 2001
Posts: 29,415
|
Quote:
Originally Posted by chrism01
Can't you just grant 'su -' to your user in the sudoers file?
|
Common sense/privsep/best practice-wise that would be just so utterly wrong I can't understand what makes you mention it. Besides he specifically said he wasn't talking su/sudo.
|
|
|
08-07-2009, 01:16 AM
|
#5
|
LQ Newbie
Registered: Apr 2009
Distribution: Gentoo, Arch, Slackware
Posts: 22
Original Poster
Rep:
|
Call PolicyKit from PAM?
Quote:
Originally Posted by chrism01
Can't you just grant 'su -' to your user in the sudoers file?
|
Besides what unSpawn said, /etc/sudoers pertains to sudo, not su.
Also, I've looked more deeply into the Ubuntu installation GNOME apps to compare with the Fedora one. To my surprise, Ubuntu does not have the GNOME apps that make use of PAM via the consolehelper program as in Fedora. For example, my Ubuntu [Jaunty] installation by default did not come with system-network-config. So this suggests that the consolehelper/PAM root privileges approach is vastly different from using PackageKit (?).
As far as I know, consolehelper handles calling PAM after it finds a corresponding filename for the utility requesting root privileges in /etc/pam.d. All of the /etc/pam.d/system-*-config files refer to /etc/pam.d/config-util:
Code:
$ cat /etc/pam.d/config-util
#%PAM-1.0
auth sufficient pam_rootok.so
auth sufficient pam_timestamp.so
auth include system-auth
account required pam_permit.so
session required pam_permit.so
session optional pam_xauth.so
session optional pam_timestamp.so
And one of the PAM modules, perhaps rootok.so, is the one that displays the dialog box prompting to enter the root password.
Then my question really is, is it possible to call PolicyKit from PAM?
If this is possible, GNOME applications that rely on consolehelper and PAM (pam_rootok.so), such as system-network-config, can instead gain root privileges using PolicyKit, - and asking to enter the current user's password instead of root's.
|
|
|
02-10-2012, 10:46 AM
|
#6
|
LQ Newbie
Registered: Feb 2012
Posts: 1
Rep:
|
Did you find a solution?
I'm trying to do the same thing with CentOS 6. Did you figure this out?
|
|
|
All times are GMT -5. The time now is 04:44 PM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|