So I am attempting to tweak the way GNOME authenticates a desktop user for privileged applications. Out of the box it asks for the root password. For my deployment this is undesirable and I want it to re-prompt the user for their password and only allow them access if they are in a certain group (wheel).
I have made some progress. If a file exists in /etc/security/console.apps with the name of the service attempting to be run (for example pirut, the package manager) then GNOME will ask for a password and elevate the program. Here is the pirut file:

```
USER=root
PROGRAM=/usr/sbin/pirut
SESSION=true
KEEP_ENV_VARS=http_proxy,ftp_proxy
```
If I comment out / remove the USER=root line then I will be prompted for the user I am currently logged in as, which is what I want. The problem is that as long as the user knows their password then it will launch, so even users not in my group can launch privileged applications.
A man console.apps is relevant; however useless:

The /etc/security/console.apps/ directory should contain one file per application that wishes to allow access to console users. The filename should be the same as the servicename, and the contents are irrelevant; the file may be a zero-length file. The application that the file is used by is free to specify the contents in any way that is useful for it.
My question: how do I tell GNOME/ConsoleHelper that the user must also be in a specific group to allow execution?
What you want to do for consolehelper is put UGROUPS=wheel in the console.apps files. (You don't need to change what's there already, and usually shouldn't.) And then add the corresponding users to the wheel group. Then, members in that group will be prompted to auth-as-self, while other users will still auth-as-root. (A while ago, I needed this same functionality, so I wrote it and got the patch upstreamed. Open source is awesome.) This is documented in man userhelper.

On newer distributions — current Fedora and RHEL6 — consolehelper is being phased out in favor of PolicyKit (a.k.a. polkit). This has a different configuration scheme, but can also do the same thing. See man pklocalauthority for details on that, but the summary is: put files in /etc/polkit-1/localauthority/50-local.d with contents like:

And, finally, you can uncomment the %wheel ALL=(ALL) ALL line in /etc/sudoers. (This may become the default in Fedora 15.)
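As an added illustration of the polkit route described in the answer above (not the answer's own file), here is a local-authority rule that gives members of the wheel group the same auth-as-self behaviour while leaving everyone else on the action's default (normally auth-as-admin). The file path, the section title and the action ID are assumptions; the real action ID for the application must be looked up on the system (for example with `pkaction`).

```ini
# Assumed file name: /etc/polkit-1/localauthority/50-local.d/50-wheel-auth-self.pkla
# Files in 50-local.d override the defaults shipped by the distribution.

[Let wheel members authenticate as themselves for the package manager]
# Match by group, not by individual user, so membership is managed in /etc/group.
Identity=unix-group:wheel
# PLACEHOLDER: replace with the application's real polkit action ID (see pkaction --verbose).
Action=org.example.ACTION_ID_PLACEHOLDER
# Only an active local session gets the relaxed rule; inactive and remote sessions keep the default.
ResultAny=no
ResultInactive=no
# auth_self = prompt for the caller's own password, the consolehelper UGROUPS equivalent.
ResultActive=auth_self
```

Users outside wheel are not matched by the Identity line and therefore keep whatever the action's shipped policy demands, which mirrors the "others still auth-as-root" behaviour of UGROUPS.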