sudo, pam, ssh and Gnome

Aaron Sherman ajs at itasoftware.com
Tue Sep 3 11:02:20 EDT 2002


On Tue, 2002-09-03 at 10:14, TRUCKS, JESSE (AIT) wrote:
> This whole idea defeats several layers of security. Why not just log in as
> root? If you want this level of privileges on a system without using the

Umm... isn't that argument equally used against sudo in the first place?
How does adding a pam interface decrease security?

> root password, recompile sudo with no timeout for access, set up your user in
> the sudoers file with the NOPASSWD option and have your login profile run

Gah! I don't *want* NOPASSWD! On my laptop, I use that option, but I
don't think there's any way to safely communicate NOPASSWD through pam.
I just wanted a way to authenticate myself as "a user who can become
root".

> "sudo -v" to upgrade your privileges, or just run "sudo -s" to give you a
> root shell.

I don't want a root shell. In fact, I don't want a shell at all. Here's
an example: I run the Red Carpet updater under Gnome. It brings up a
dialog to ask for the root password. That dialog uses pam to
authenticate, so there should be a way to authenticate "I'm ajs, a user
who is authorized to run this command as root" via a sudo pam module,
no?

Now, granted I could bring up a shell and then use sudo to run the
updater. In *most* circumstances that will work. In some it won't
(because of X authentication issues).





More information about the sudo-workers mailing list