gksu-devel

About RH consolehelper


From: Paul Smith
Subject: About RH consolehelper
Date: Wed, 29 Oct 2003 10:58:34 -0500

Hi all;

I'm starting a new thread on this.  It seems like Red Hat's
consolehelper has some nice features.  Some parts of it I don't like,
and it doesn't support sudo either, so there's obviously room for
improvement.

Anyway, you can start to read about how it works here:

  http://www.die.net/doc/linux/man/man8/consolehelper.8.html

You can follow the links to read about userhelper and pam_console.
The code is in the usermode RPM package and it's under the GPL so you
can get ; for example:

  
  http://rpmfind.net//linux/RPM/rawhide/1.0/i386/Fedora/RPMS/usermode-1.69-1.i386.html


I'm definitely no guru about PAM, but in general this is how it works:

For any application that you want to run with extended privileges, you
move it into /sbin (typically) and replace it with a symlink that points
to the consolehelper application.

The consolehelper application will get the proper privileges (see below)
and invoke the program by looking at argv[0] to find the "real" program
name.  I think (but I could be wrong and again I don't know much about
PAM) that it doesn't use su at all, because PAM allows it to work
properly somehow.

If you are running in a graphical mode (DISPLAY is set, presumably),
consolehelper will invoke consolehelper-gtk to actually request the
password.

consolehelper apparently invokes "userhelper -w" to do its work.  I
believe that the userhelper setup uses the pam_console.so PAM plugin to
do its actual work.


OK.  So, some thoughts on this:

  * I like the fact it integrates with and uses PAM.  That's cool
    because it leaves the actual work of authentication, etc. to a
    well-known, trusted toolkit rather than having us reinvent our own.

  * I don't necessarily like the consolehelper idea: it means that you
    can only invoke tools which have previously been set up: you have to
    put the tool somewhere else, make the symlink, and set up the entry
    for that tool in the /etc/pam.d directory.  In contrast, gksu allows
    you to invoke any tool, which is nice.

    I don't know if we can reconcile that freedom with PAM though.

  * If we can figure out how to do this with PAM, probably we'd want to
    have gksu replace consolehelper because consolehelper is limited by
    having to create the symlinks, etc. as above: however, userhelper is
    a generic tool that accepts any command line so gksu could invoke
    userhelper with a command line.

  * None of the man pages describe how the "password remember" feature
    is accomplished: is that part of consolehelper?  userhelper?  PAM?
    It seems like we'll have to read the code to find this info.

  * The method for integrating with sudo, which is important to me, is
    not really clear in a PAM environment.  Maybe it can be done: we
    need to know more about PAM I think.

-- 
-------------------------------------------------------------------------------
 Paul D. Smith <address@hidden>   HASMAT: HA Software Mthds & Tools
 "Please remain calm...I may be mad, but I am a professional." --Mad Scientist
-------------------------------------------------------------------------------
   These are my opinions---Nortel Networks takes no responsibility for them.
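
The argv[0] dispatch described in the message above, as an added example that is not part of the original post and is not code from the usermode package: it maps the invoked symlink name to a target under /sbin only when a per-tool entry exists in /etc/pam.d. The function names and the name-validation rule are assumptions of this sketch, and the PAM authentication step itself is left out.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

#define SAFE_CHARS "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-"

/* Accept only plain tool names: no '/', no leading '.', no shell metacharacters. */
static int name_is_safe(const char *name)
{
    if (name[0] == '\0' || name[0] == '.')
        return 0;
    return strspn(name, SAFE_CHARS) == strlen(name);
}

/* Resolve argv0 to real_dir/<name>, but only if the tool was set up in
 * advance, i.e. conf_dir/<name> is a regular file. The directory part of
 * argv0 is discarded. Returns 0 on success, -1 if the name is unsafe,
 * has no entry, or the result does not fit in out. */
int resolve_target(const char *argv0, const char *conf_dir,
                   const char *real_dir, char *out, size_t outlen)
{
    char conf[4096];
    struct stat st;
    const char *slash = strrchr(argv0, '/');
    const char *name = slash ? slash + 1 : argv0;

    if (!name_is_safe(name))
        return -1;
    if (snprintf(conf, sizeof conf, "%s/%s", conf_dir, name) >= (int)sizeof conf)
        return -1;
    if (stat(conf, &st) != 0 || !S_ISREG(st.st_mode))
        return -1;
    if (snprintf(out, outlen, "%s/%s", real_dir, name) >= (int)outlen)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    char target[4096];
    (void)argc;
    /* Directories as named in the message; assumed defaults for this sketch. */
    if (resolve_target(argv[0], "/etc/pam.d", "/sbin", target, sizeof target) != 0) {
        fprintf(stderr, "%s: no entry configured for this name\n", argv[0]);
        return 1;
    }
    printf("would authenticate through PAM, then run %s\n", target);
    return 0;
}
```

Because the target is derived from a caller-controlled argv[0], the check against a pre-configured entry is what keeps the helper from running arbitrary names, which is the restriction the message weighs against gksu's run-anything model.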



