
Re: [E-devel] Priviledged Execution

On 11/7/06, Brian Mattern <brian.mattern@gmail.com> wrote:

He still needs a solution to his problem. Namely "How do I let people
configure entrance from a gui without having to touch the command line".

One possibility is to have an "entrance" group that has write
permissions to the config file. Then just require the users that want to
run the config editor to be part of this group.


This is really distro/OS specific as to how the write permissions
should be set up. SELinux settings vary across Linux distros, Solaris
has RBAC, and the choice of groups is going to differ as well. But
using a group is one option distros may use to control permissions.

If entrance is going to present the config option at the login screen,
I think a good option to correctly handle permissions is to use the
config button to set a special session that is only a maximized
version of the config editor. Then the user must authenticate and the
session is launched with their permissions. If they have the
permissions necessary to write the global config, then they can make
the global changes, otherwise they are allowed to save their settings
to a location of their choice. This would also allow regular users to
create test configs which they can run the entrance gui against to see
the effects of their changes before they deploy to the system config.
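
A sketch of the save logic proposed in the message above, added here as an illustration; it is not part of the original e-mail and is not Entrance code. The function name, enum and paths are hypothetical, and the process is assumed to run with the authenticated user's own credentials, with no setuid helper.

```c
/* Added example: not Entrance source. Names and paths are hypothetical. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum save_target { SAVE_FAILED = -1, SAVE_GLOBAL = 0, SAVE_USER_COPY = 1 };

/*
 * Pick where the config editor saves, using only the logged-in user's
 * credentials. open() itself is the permission check: an access()
 * pre-check would leave a window between the check and the write.
 */
enum save_target open_save_target(const char *global_path,
                                  const char *user_path, int *fd_out)
{
    *fd_out = open(global_path, O_WRONLY | O_CLOEXEC);
    if (*fd_out >= 0)
        return SAVE_GLOBAL;

    /* Only a permission denial triggers the fallback; a missing or broken
     * global config is reported rather than silently hidden. */
    if (errno != EACCES && errno != EPERM && errno != EROFS)
        return SAVE_FAILED;

    /* User-chosen location: owner-only, and never through a symlink. */
    *fd_out = open(user_path,
                   O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC | O_NOFOLLOW, 0600);
    return *fd_out >= 0 ? SAVE_USER_COPY : SAVE_FAILED;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s GLOBAL_CONFIG USER_COPY\n", argv[0]);
        return 2;
    }
    int fd;
    enum save_target t = open_save_target(argv[1], argv[2], &fd);
    if (t == SAVE_FAILED) { perror("open"); return 1; }
    printf("saving to %s\n", t == SAVE_GLOBAL ? argv[1] : argv[2]);
    close(fd);
    return 0;
}
```

Whether the first open() succeeds is decided by whatever the distro uses (group membership, SELinux, RBAC), so the editor needs no knowledge of that policy.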