Re: Install program

["Michael K. Johnson" <johnsonm redhat com>]

Marc Ewing writes:
>Tom Tromey <tromey@cygnus.com> writes:
>> >> This won't happen.  At least not in grpm.  It'd need to be suid
>> >> root to do that, and there is no way I'm going to do that :-).  If
>> >> you want to install as root, you'll need to su and then run grpm.
>> >> Or, you can implement any policy you like with sudo.
>> 
>> Actually, you can do it without making grpm suid.  The way you can do
>> this is to ask the user for a password (his own if using sudo, root's
>> if using su) and then use `expect' to run the appropriate command
>> (e.g., "sudo rpm -i ...").  Your expect script would send the password
>> the user typed when (if) prompted.
>
>Right, that would work, except that grpm doesn't call rpm.
>It links against librpm and does everything through it.

Not only that, but it wouldn't necessarily work.  With PAM, administrators
can do all sorts of authentication, and simple passwords are only one
thing that might be asked for.  So even for front ends that do call
backend programs, there needs to be something better than expect.

For several utilities that ship with Red Hat Linux, we've got a gtk
front end that calls a very small setuid helper program, and they
talk back and forth to fully implement PAM messages that allow any
PAM configuration to work with a graphical front end.  I can pull
this code out for anyone who wants to do such a thing with other
projects that are done with a similar architecture, might as well
save some work.

I know that not all systems use PAM (yet), but it is a lot easier to
graft "standard password checking" in place of PAM than it is to graft
PAM in place of "standard password checking" because PAM is far more
general.

michaelkjohnson

"Magazines all too frequently lead to books and should be regarded by the
 prudent as the heavy petting of literature."            -- Fran Lebowitz
 Linux Application Development       http://www.redhat.com/~johnsonm/lad/