GNOME: Ask for username in addition to password

When I was at World Services for the Blind as part of the IT program in Little Rock, Arkansas two years ago, I was assigned administrative privileges when I was given a trouble ticket to troubleshoot an issue while on campus during training. I was assigned a normal user named “gpeddie” and later on, when I was in “Desktop Support Technician II” while getting certified in CompTIA Network+, I was given an admin account called “gpadmin.” Desktop Support Technician I covers CompTIA A+ and Desktop Support Technician covers Network+ and Security+, although I only did Network+ at the time and I am Security+ certified as of December 2019 when I was at home at the time.

In Windows, when I was prompted for UAC, I was asked for my admin username and password. This is great, because they can revoke admin privileges if I abuse admin powers. I want to do something similar in Linux as I have LDAP authentication set up for my GNOME 41 desktop.

So here’s a simple scenario. Let’s say I want to add a printer to my desktop. I go into Settings, Printers, and there’s an “Unlock” button. I click in the “Unlock” button and I am prompted for an “Administrator” password, which is a password for a “root” user. Now, I’m going to pretend that I don’t want to give a root password to anyone with separate admin accounts. Here’s what I mean:

  • Grayson Peddie: gpeddie
    Grayson Peddie (Admin): gpadmin
  • John Smith: jnsmith
    John Smith (Admin): jnsadmin
  • Tom Hanks: tmhanks
    Tom Hanks (Admin): tmhadmin

…and so on and so forth.

All the *admin accounts are in the Administrators group as defined in LDAP. The “Administrators” group is in an /etc/sudoers file.

## Uncomment to allow members of group wheel to execute any command
%wheel ALL=(ALL) ALL
%Administrators ALL=(ALL) ALL

So, if I need to install something from Arch Linux repository, I first need to login as an admin user, execute commands using sudo, and logout once I’m done. Example:

gpeddie@epcotcenter
  ~
 $ su gpadmin
Password: 
Welcome. All activities monitored at all times.
Unauthorized access is strictly prohibited.
gpadmin@epcotcenter 
  ~
$ sudo pacman -S cuda
[sudo] password for gpadmin:
(output omitted)
gpadmin@epcotcenter 
  ~
$ exit
logout
gpeddie@epcotcenter
  ~
 $

Now that I have provided an example of how I do things, note that this thread is not about authenticating via terminal, so I will repeat parts of the scenario again: “Let’s say I want to add a printer to my desktop. I go into Settings, Printers, and there’s an “Unlock” button. I click in the “Unlock” button and I am prompted…” That right there prompts me for a root password. I want it to prompt for a username and password, which is very similar to that of Windows’ User Account Control. In the Windows world, if you are a user in the “Domain Users” group, you must be a member of the “Domain Administrators” group in Active Directory in order to gain administrative privileges. That’s where separate administrator accounts come in.

I’m using OpenLDAP in Linux with LDAP Account Manager 7.7 to manage users and groups.

Regardless of Linux distribution (I’m running Arch Linux), how do I configure GNOME so that whenever administrative privileges are required, it prompts for both a username and a password in order to continue? Is it the Policy Kit (polkit) that needs to be configured?

I understand what you’re looking to achieve, and to be honest I’m not sure how to achieve that. My first inclination is that privilege escalation in Windows is very different from Linux (as you already know) so by design, it’s not going to work that way. And to do privilege escalation as another user outside of the terminal, you have dbus sessions to contend with, and to make the desktop environment handle it differently would probably require editing gsettings.

I think it can be done, but there’s going to be several layers to solve to achieve it, and probably some combination of dbus, pam, and gconf settings would achieve it.

I apologize for not being more helpful, but I’ll bet this would be a GREAT opportunity for community members to put their heads together and make it a group project.

Who’s up for the challenge?

An apology is unnecessary, so yeah I’ve done a lot of searching to no avail. Plus, as I’m not a GNOME/DBus developer, I’m not up for the challenge. :)

That seems like it can be done using Ansible, wouldn’t it? So if I have a couple of desktop machines running GNOME? That is, if there’s a plugin for Ansible. That kind of reminded me of group policies for Windows Server operating systems.
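
Added example, not part of the thread and not code from any poster: a polkit rules file that makes each regular account's administrator prompt authenticate as its paired admin account instead of root, which is the polkit-side piece of what the first post asks for. The file name, the pairing table (built from the account list in the first post) and the helper name `adminIdentitiesFor` are assumptions.

```javascript
// /etc/polkit-1/rules.d/40-paired-admin.rules  (hypothetical file name)
// Constructed pairing table, taken from the account list in the first post.
var PAIRED_ADMIN = {
    gpeddie: "gpadmin",
    jnsmith: "jnsadmin",
    tmhanks: "tmhadmin"
};

// Fallback when the caller has no paired account: any member of the LDAP
// group that the post already lists in /etc/sudoers.
var ADMIN_GROUP = "unix-group:Administrators";

// polkit calls an admin rule with (action, subject) and expects an array of
// identities that may answer an administrator authentication prompt.
function adminIdentitiesFor(action, subject) {
    var user = subject && subject.user;
    // hasOwnProperty keeps names like "constructor" from matching the table.
    if (typeof user === "string" &&
        Object.prototype.hasOwnProperty.call(PAIRED_ADMIN, user)) {
        return ["unix-user:" + PAIRED_ADMIN[user]];
    }
    // An admin account that is already logged in authenticates as itself.
    if (subject && typeof subject.isInGroup === "function" &&
        subject.isInGroup("Administrators")) {
        return ["unix-user:" + user];
    }
    return [ADMIN_GROUP];
}

// Register only when loaded by polkitd; the guard lets the same file be
// exercised in another JavaScript runtime for testing.
if (typeof polkit !== "undefined") {
    polkit.addAdminRule(adminIdentitiesFor);
}
```

polkit reads rules files in lexical order and uses the first admin rule that returns a value, so the file needs a name that sorts before the distribution's default rules file. Because root is not in the returned list, the root password is no longer accepted at these prompts.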