Friday, April 11, 2008

Less password entries on Linux using pam_wheel

So you're running Linux on your desktop. That's pretty cool alright. And for sure you are not logging in as root all the time, but as a regular user, because you are security-conscious, true?

Then this post is for you. Obviously you are very tired of entering the root password every time you want to install or configure something, or when you simply want a rootshell and play god.

Linux features the pam authentication system which lets you plug in modules that take care of authenticating users in specific ways. One such module is pam_wheel. This module restricts root access to users in the wheel group, and also lets those users authenticate without a password.

This opens up a nice possibility of putting our regular user in the wheel group and never having to specify the root password again, while disallowing all other users to become root.

[for OpenSUSE and most other distros]

* Add the line "auth sufficient trust use_uid" to /etc/pam.d/common-auth (or /etc/pam.d/su on other distros)

* Add your username to the group wheel (in /etc/group or via Yast)

* Voila! Now you can use su or sux to become root in a shell without a password or, in Gnome, start YaST without a password (but only as your own user).

* For KDE, this is not enough to start YaST without a password. The program kdesu must be told to use sux by adding the file kdesurc in /opt/kde3/share/config with the following content:

NOW you can start YaST in KDE and it won't ask for a password anymore. Beware that you may not be able to distinguish between privileged and non-privileged graphical programs though. And enjoy a few less password entries each day.

No comments: