consolehelper policies

I've been digging through a lot of PAM stuff to come up with a way of
emulating W2k "Power Users". I'm not a Windows user, but I'm moving a
number of my developers from Windows to RH9 and they want to have
permission to do some admin on their boxes, like they did as Win2k Power
Users. Normally, I would just give them root pw so they can run
consolehelper enabled admintools, but our Win2k centric IT dept. wants
to restrict what they can do (to some extent), and doesn't want them
knowing the root password. I set up sudo for them, but want them to be
able to use consolehelper tools from the menus (which prompts for the
root). I don't want to set up any of the xsu/gsu/gnome-sudo tools, we try
to keep these boxes close to the RH9/XD2 original setup.

Is there a way to allow them to use their passwords in consolehelper-gtk
along the same idea as sudo? As a stop gap I added them to the wheel,
created an /etc/pam.d/system-config:
#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       sufficient   pam_timestamp.so
auth       sufficient   pam_wheel.so trust use_uid
auth       sufficient   pam_stack.so service=system-auth
session    required     pam_permit.so
session    optional     pam_xauth.so
session    optional     pam_timestamp.so
account    required     pam_permit.so

then changed the apps they need, like redhat-config-time, to be:
#%PAM-1.0
auth       required     pam_stack.so service=system-config
account    required     pam_stack.so service=system-config
session    required     pam_stack.so service=system-config

This prevents them from needing the root password, but doesn't prompt
them at all. I think the prompt is nice to notify them something
dangerous is about to happen.

So, basically, my question is - Is there any way to get sudo
functionality through pam and consolehelper-gtk? Is the above setup a
reasonable solution, given a closed network and trusted users?

Thanks!



_______________________________________________

Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
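
An added example (not part of the original post): a small Python audit that walks the `auth` lines of the two files quoted in the message, expands `pam_stack.so` references, and lists every `sufficient` line that can succeed before any module prompts, which is why the `pam_wheel.so trust` line produces no password dialog. The `SILENT` table and the function names are assumptions of this example; any module not in the table, including the unquoted `system-auth` stack, is treated as prompting.

```python
# Added example: list PAM auth lines that grant access before any prompt.
# Assumptions: SILENT is illustrative, not exhaustive; unknown modules prompt.

CONFIGS = {  # auth lines of the two files quoted in the post, keyed by service
    "system-config": """#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       sufficient   pam_timestamp.so
auth       sufficient   pam_wheel.so trust use_uid
auth       sufficient   pam_stack.so service=system-auth
""",
    "redhat-config-time": """#%PAM-1.0
auth       required     pam_stack.so service=system-config
""",
}

SILENT = {  # module -> condition under which it succeeds without prompting
    "pam_rootok.so": lambda a: "caller is already uid 0",
    "pam_permit.so": lambda a: "always",
    "pam_timestamp.so": lambda a: "a recent authentication timestamp exists",
    "pam_wheel.so": lambda a: "caller is in the wheel group" if "trust" in a else None,
}

def auth_lines(service, configs, seen=()):
    """Return (control, module, args) auth entries, expanding known pam_stack services."""
    seen = seen + (service,)  # guards against include cycles
    out = []
    rows = [l.split("#", 1)[0].split() for l in configs[service].splitlines()]
    for _, control, module, *args in (r for r in rows if len(r) >= 3 and r[0] == "auth"):
        sub = next((a.split("=", 1)[1] for a in args if a.startswith("service=")), None)
        if module == "pam_stack.so" and sub in configs and sub not in seen:
            out += auth_lines(sub, configs, seen)  # inline the referenced stack
        else:
            out.append((control, module, args))
    return out

def silent_grants(service, configs=CONFIGS):
    """List (module, condition) for sufficient lines reached before any prompt."""
    found = []
    for control, module, args in auth_lines(service, configs):
        condition = SILENT.get(module, lambda a: None)(args)
        if condition is None:
            break  # first module assumed to prompt; later lines come after it
        if control == "sufficient":
            found.append((module, condition))
    return found

if __name__ == "__main__":
    print({svc: silent_grants(svc) for svc in CONFIGS})
```

Both services report the same three lines, because `redhat-config-time` inherits the whole `system-config` stack through `pam_stack.so`.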
