GNOME panel and sudo

Søren Hansen sh at warma.dk
Tue Jul 19 01:34:38 CDT 2005


Mon, 18 07 2005 at 23:18 +0200, Manu Cornet wrote:
> Right, but as Vincent said, this change will probably go upstream, and 
> we need to find something that will work outside Ubuntu as well.

> I personally like the USER_IS_ADMIN (or: USER_IS_SUDOER) solution a 
> lot, I think it's a good idea to make this go "system-wide" right now, 
> as it might very well be useful for various other things.

Oh, you misunderstood me. I don't think the gnome-menu code should check
whether or not the user is a member of the admin group. Probably
gnome-session, I think (that way, we're independent of display
managers). gnome-session could then set the USER_IS_ADMIN environment
variable and gnome-menu could use that to decide whether or not to show
the admin entries in the menus.

Since I expect the USER_IS_ADMIN to merely be a binary value (either
you're admin or you're not) it WILL be an approximation. I mean, how do
you define an admin?
* Do you need to be able to run ALL via sudo?
* Or is /bin/su enough?
* How about all commands EXCEPT /bin/su?
* What if you can run only /etc/init.d/apache via sudo?

Different distributions have different "admin" semantics. Ubuntu is
blessed with a simple method of determining whether a user is considered
an admin. Debian for one is not. I don't really know about other
distros.

Anyhow, this solution is the easy, but not quite clean way to do it.
The really clean and cool way to do it involves checking each command to
see if the particular user is allowed to run it. That way, if a menu
entry for restarting apache exists, and a user is allowed to
run /etc/init.d/apache (and nothing else) via sudo, he would see that
menu entry, but not the other sudo-using entries.

-- 
Salu2, Søren.
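
The two approaches discussed in the message above, side by side, as an added example that is not part of the original post or of any GNOME code. The menu entries, the function names and the "1" encoding of USER_IS_ADMIN are assumptions; the per-command check relies on `sudo -l <command>` exiting 0 only when the policy permits that command.

```python
import subprocess

# Constructed sample menu: (label, command, needs_sudo)
MENU = [
    ("Text Editor", ["/usr/bin/gedit"], False),
    ("Restart Apache", ["/etc/init.d/apache", "restart"], True),
    ("Root Terminal", ["/bin/su"], True),
]

def sudo_allows(command, run=subprocess.run):
    """Ask sudo whether the current user may run `command`.

    `sudo -l <command>` exits 0 if the policy permits the command and
    non-zero otherwise. -n forbids prompting, so a policy that wants a
    password just to list privileges fails closed (entry stays hidden).
    """
    try:
        proc = run(["sudo", "-n", "-l"] + list(command),
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    except OSError:  # sudo is not installed
        return False
    return proc.returncode == 0

def visible_binary(menu, env):
    """Coarse approach: one flag shows or hides every sudo entry."""
    is_admin = env.get("USER_IS_ADMIN") == "1"  # "1" is an assumed encoding
    return [label for label, _, needs in menu if not needs or is_admin]

def visible_per_command(menu, allows=sudo_allows):
    """Fine-grained approach: each sudo entry is checked on its own."""
    return [label for label, cmd, needs in menu if not needs or allows(cmd)]

# Either way the result only decides what is displayed; sudo itself still
# enforces the policy when an entry is launched.
if __name__ == "__main__":
    import os
    print("binary:     ", visible_binary(MENU, os.environ))
    print("per-command:", visible_per_command(MENU))
```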