On Fri, Apr 16, 2004 at 02:58:27PM +0200, Miloslav Trmac wrote:
> On Thu, Apr 15, 2004 at 04:57:29PM -0400, Matthew Miller wrote:
> > My patch implements what I call a "sudo-like" behavior (although it is much
> > simpler than sudo). Each program, through its console.apps config file, can
> > have a list of groups whose members are able to authorize as themselves.
> > Anyone not a member of the approved groups either must give the root
> > password (or the password of a given user, or is denied access completely
> > via a new <none> value).
> Shouldn't this be already possible using PAM (e.g. pam_listfile)?

A module can change the value of PAM_USER and in that way change the user
whose password is requested and verified by modules which are called later,
yes. You'd then depend on the application to act appropriately in the case
where this happens: it could continue using the PAM_USER setting as the
user's name, it could ignore the change and continue on (IIRC what most
applications do), or it could flag this as an error (what usermode
currently does).

The pam_listfile module checks that the PAM_USER is in the list, or is a
member of some group in that list, but it never modifies the PAM_USER item,
so you can't accomplish what Matthew's describing by using the pam_listfile
module.

Nalin