[Sugar-devel] Some questions about "root" and "olpc" logins.

Ajay Garg ajay at activitycentral.com
Sat Mar 17 06:42:00 EDT 2012


Thanks Paul, Alan, Martin, James.


Well, I guess the "only-allow-wheel-group-users-to-switch-to-su" was the
thing that I had missed out; now everything seems to fall in place ::

======================================
b.
If I add  password for "root"; and both "root" and "olpc" are part of
"wheel" group, then :

   (i)  on os883.img, doing "su -" from "olpc" login DOES NOT ask for the
"root" password.
   (ii) on my F14 machine, doing "su -" from "olpc" login DOES ask for the
"root" password, and authentication is successful upon entering the correct
root-password.

What is the reason for this difference in behaviour?
=======================================

Case b. (i) is explained, since "olpc" is in "wheel" group, so it is
allowed to "su"; moreover since there is the line
"auth            sufficient      pam_wheel.so trust use_uid"
in "/etc/pam.d/su", thus "wheel" group users need not be asked for password.




=======================================
c.
If I add password for "root", and only "root" is part of the "wheel" group,
then :

   (i)  on os883.img, doing "su -" from "olpc" login DOES ask the
root-password, but the authentication is NEVER successful, no matter what
password is entered.
   (ii) on my F14 machine, doing "su -" from "olpc" login DOES ask for the
"root" password, and authentication is successful upon entering the correct
root-password.
========================================

Now, since "olpc" is not a part of "wheel" group, thus, it cannot "su",
come what may ....




I commented out the line (as suggested by James) ::
auth           required        pam_wheel.so use_uid
in "/etc/pam.d/su",

and now, it rightfully asks for root-password, and upon entering the
correct password, authorizes the entry into the zone :)


Thanks everyone.

Regards,
Ajay



On Sat, Mar 17, 2012 at 3:27 AM, James Cameron <quozl at laptop.org> wrote:

> On Sat, Mar 17, 2012 at 12:40:11AM +0530, Ajay Garg wrote:
> > Hi all.
> >
> > I just compared the "root" and "olpc" logins functioning on os883.img,
> > and my F14 laptop; and I am curious about the following things ::
> >
> > a.
> > Why is "root" login not protected by a password on os883.img ?
>
> We have always done this with OLPC builds.  If I recall correctly, the
> basis for it was that the learner always is in control of their own
> machine, it is always with them, and the learner is allowed to damage
> the software and lose their data in order to learn.
>
> This ties in with the OLPC Core Principles of Child Ownership and Free
> and Open Source.
>
> > b.
> > If I add  password for "root"; and both "root" and "olpc" are part of "wheel"
> > group, then :
> >
> >    (i)  on os883.img, doing "su -" from "olpc" login DOES NOT ask for the
> > "root" password.
> >    (ii) on my F14 machine, doing "su -" from "olpc" login DOES ask for the
> > "root" password, and authentication is successful upon entering the correct
> > root-password.
> >
> > What is the reason for this difference in behaviour?
>
> olpc-os-builder.git:modules/base/kspost.10.core.inc
>
> # allow sudo for olpc user
> echo "%wheel ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
>
> # Only allow su access to those in the wheel group (#5537)
> sed -i -e '1,6s/^#auth/auth/' /etc/pam.d/su
>
> > c.
> > If I add password for "root", and only "root" is part of the "wheel" group,
> > then :
> >
> >    (i)  on os883.img, doing "su -" from "olpc" login DOES ask the
> > root-password, but the authentication is NEVER successful, no matter what
> > password is entered.
> >    (ii) on my F14 machine, doing "su -" from "olpc" login DOES ask for the
> > "root" password, and authentication is successful upon entering the correct
> > root-password.
> >
> > What is the reason for this difference in behaviour?
>
> Same as above.
>
> > It might very well be a design decision; just my bad that I am unaware
> > of it :|
>
> ;-)
>
> --
> James Cameron
> http://quozl.linux.org.au/
>
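
An added example (not from this thread and not code from olpc-os-builder): a simplified Python model of the "auth" stack in /etc/pam.d/su that reproduces the behaviours reported above, including why a failing "required" pam_wheel.so line still prompts for the password and then denies. Assumptions: only the "required" and "sufficient" control flags are modelled, pam_unix.so stands in for the password check, and the sample stacks are constructed.

```python
# Simplified model of PAM "auth" stack resolution for su (added illustration).
# Assumption: pam_unix.so stands in for the password check; it is not on the page.

def pam_wheel(args, in_wheel, password_ok):
    # Wheel member: success if "trust" is given, otherwise no opinion.
    # Non-member: permission denied.
    if in_wheel:
        return "success" if "trust" in args else "ignore"
    return "denied"

def pam_unix(args, in_wheel, password_ok):
    return "success" if password_ok else "denied"

MODULES = {"pam_wheel.so": pam_wheel, "pam_unix.so": pam_unix}

def su_auth(config, in_wheel, password_ok):
    """Return (granted, prompted) for the auth lines of a pam.d/su text."""
    failed = succeeded = prompted = False
    for line in config.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "auth":  # skips "#auth" comments
            continue
        control, module, args = fields[1], fields[2], fields[3:]
        if module == "pam_unix.so":
            prompted = True                 # the user sees a password prompt
        result = MODULES[module](args, in_wheel, password_ok)
        if result == "success":
            if control == "sufficient" and not failed:
                return True, prompted       # stack stops here, access granted
            succeeded = True
        elif result == "denied" and control == "required":
            failed = True                   # remembered; later modules still run
        # a "denied" from a "sufficient" module is ignored
    return (succeeded and not failed), prompted

# Constructed sample: both pam_wheel lines active, as on the OLPC build.
OLPC = """\
auth sufficient pam_wheel.so trust use_uid
auth required pam_wheel.so use_uid
auth required pam_unix.so
"""
# Constructed sample: the "required" line commented out, as Ajay did.
REQUIRED_COMMENTED = OLPC.replace("auth required pam_wheel.so",
                                  "#auth required pam_wheel.so")

if __name__ == "__main__":
    print("b(i) olpc in wheel:      ", su_auth(OLPC, True, False))
    print("c(i) olpc not in wheel:  ", su_auth(OLPC, False, True))
    print("required line commented: ", su_auth(REQUIRED_COMMENTED, False, True))
```
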