GNOME: Ask for username in addition to password

When I was at World Services for the Blind as part of the IT program in Little Rock, Arkansas two years ago, I was assigned administrative privileges when I was giving a trouble ticket to troubleshoot an issue while in campus during training. I was assigned a normal user named “gpeddie” and later on, when I was in “Desktop Support Technician II” while getting certified in CompTIA Network+, I was given an admin account called “gpadmin.” Desktop Support Technician I covers CompTIA A+ and Desktop Support Technician covers Network+ and Security+, although I only did Network+ at the time and I am Security+ certified as of December 2019 when I was at home at the time.

In Windows, when I was prompted for UAC, I was asked for my admin username and password. This is great, because they can revoke admin privileges if I abuse admin powers. I want to do something similar in Linux as I have LDAP authentication setup for my GNOME 41 desktop.

So here’s a simple scenario. Let’s say I want to add a printer to my desktop. I go into Settings, Printers, and there’s an “Unlock” button. I click in the “Unlock” button and I am prompted for an “Administrator” password, which is a password for a “root” user. Now, I’m going to pretend that I don’t want to give a root password to anyone with separate admin accounts. Here’s what I mean:

  • Grayson Peddie: gpeddie
    Grayson Peddie (Admin): gpadmin
  • John Smith: jnsmith
    John Smith (Admin): jnsadmin
  • Tom Hanks: tmhanks
    Tom Hanks (Admin): tmhadmin

…and so on and so forth.

All the *admin accounts are in the Administrators group as defined in LDAP. The “Administrators” group is in an /etc/sudoers file.

## Uncomment to allow members of group wheel to execute any command
%wheel ALL=(ALL) ALL
%Administrators ALL=(ALL) ALL

So, if I need to install something from Arch Linux repository, I first need to login as an admin user, execute commands using sudo, and logout once I’m done. Example:

 $ su gpadmin
Welcome. All activities monitored at all times.
Unauthorized access is strictly prohibited.
$ sudo pacman -S cuda
[sudo] password for gpadmin:
(output omitted)
$ exit

Now that I have provided an example of how I do things, note that this thread is not about authenticating via terminal, so I will repeat parts of the scenario again: “Let’s say I want to add a printer to my desktop. I go into Settings, Printers, and there’s an “Unlock” button. I click in the “Unlock” button and I am prompted…” That right there prompts me for a root password. I want it to prompt for a username and password, which is very similar to that of Windows’ User Account Control. In the Windows world, if you are a user of “Domain Users” group, you must be a member of “Domain Administrators” group in Active Directory in order to gain administrative privileges. That’s where separate administrator accounts come in.

I’m using OpenLDAP in Linux with LDAP Account Manager 7.7 to manage users and groups.

Regardless of Linux distribution (I’m running Arch Linux), how do I configure GNOME such that whenever administrative privileges are required that it be prompted for both username and password in order to continue? Is it the Policy Kit (polkit) that needs to be configured?

I understand what you’re looking to achieve, and to be honest I’m not sure how to achieve that. My first inclination is that privilege escalation in Windows is very different from Linux (as you already know) so by design, it’s not going to work that way. And to do privilege escalation as another user outside of the terminal, you have dbus sessions to contend with, and to make the desktop environment handle it differently would probably require editing gsettings.

I think it can be done, but there’s going to be several layers to solve to achieve it, and probably some combination of dbus, pam, and gconf settings would achieve it.

I apologize for not being more helpful, but I’ll bet this would be a GREAT opportunity for community members to put their heads together and make it a group project.

Who’s up for the challenge?

1 Like

An apology is unnecessary, so yeah I’ve done a lot of searching to no avail. Plus, as I’m not a GNOME/DBus developer, I’m not up for the challenge. :slight_smile:

That seems like it can be done using Ansible, wouldn’t it not? So if I have a couple of desktop machines running GNOME? That is, if there’s a plugin for Ansible. That kind of reminded me of group policies for Windows Server operating systems.