{{tag>Brouillon PAM CA}}
= Notes userhelper - usermode
= userhelper - usermode
See:
* https://pagure.io/usermode/
* https://www.linux-magazine.com/content/download/63014/486800/version/1/file/Customizing_the_Root_Password_Window.pdf
* consolehelper
* [[Notes sécurité PAM]]
* https://www.stigviewer.com/stig/red_hat_enterprise_linux_8/2021-12-03/finding/V-230431
* https://www.cyberciti.biz/faq/restrict-execution-of-userhelper-to-console-users/
* https://access.redhat.com/articles/1537873
See also:
* [[notes_sudo_et_sudoers]]
* [[Rootkit pwnkit - local privilege escalation vulnerability pkexec cve-2021-4034]]
usermode contains the userhelper program, which can be used to allow configured
programs to be run with superuser privileges by ordinary users, and several
graphical tools for users:
* userinfo allows users to change their finger information.
* usermount lets users mount, unmount, and format filesystems.
* userpasswd allows users to change their passwords.

  sudo /usr/sbin/userhelper -t -w subscription-manager identity

''/etc/security/console.apps/config-util''
  USER=root
  UGROUPS=wheel

''/etc/security/console.apps/subscription-manager''
  USER=root
  PROGRAM=/usr/sbin/subscription-manager
  SESSION=true

  # ls -l /usr/bin/subscription-manager
  lrwxrwxrwx. 1 root root 22 Feb 23 07:16 /usr/bin/subscription-manager -> /usr/bin/consolehelper
  # grep '^PROGRAM=' /etc/security/console.apps/subscription-manager
  PROGRAM=/usr/sbin/subscription-manager

== Test
''/etc/pam.d/sleep''
  #%PAM-1.0
  auth include config-util
  account include config-util
  session include config-util

or

''/etc/pam.d/sleep''
  #%PAM-1.0
  auth sufficient pam_rootok.so
  auth required pam_warn.so
  auth required pam_deny.so
  auth include system-auth
  account include system-auth
  password include system-auth
  session include system-auth

''/etc/security/console.apps/sleep''
  USER=root
  #UGROUPS=wheel
  PROGRAM=/usr/bin/sleep
  SESSION=true
  #KEEP_ENV_VARS=http_proxy,ftp_proxy
  #FALLBACK=yes

  /usr/sbin/userhelper -t -w sleep 1
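
The three pieces shown above (the ''console.apps'' entry, the PAM service of the same name, and the symlink to ''consolehelper'') can be inventoried together when reviewing which programs userhelper will run as another user. This is an added example, not part of the original notes or of the usermode project: the function names and the temporary directory layout are assumptions, and the ''/usr/sbin/<name>'' default for a missing ''PROGRAM'' is taken from userhelper(8).

```python
import os
import tempfile

def parse_console_app(text):
    """Parse KEY=VALUE lines of a console.apps file, skipping '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(apps_dir, pam_dir, bin_dir):
    """One record per console.apps entry, cross-checked with PAM and symlinks."""
    records = {}
    for name in sorted(os.listdir(apps_dir)):
        with open(os.path.join(apps_dir, name)) as fh:
            conf = parse_console_app(fh.read())
        link = os.path.join(bin_dir, name)
        records[name] = {
            "user": conf.get("USER"),
            # Assumption from userhelper(8): PROGRAM defaults to /usr/sbin/<name>.
            "program": conf.get("PROGRAM", "/usr/sbin/" + name),
            "ugroups": [g for g in conf.get("UGROUPS", "").split(",") if g],
            "pam_service": os.path.isfile(os.path.join(pam_dir, name)),
            "consolehelper_link": os.path.islink(link)
            and os.path.basename(os.readlink(link)) == "consolehelper",
        }
    return records

# Constructed tree: contents copied from this page, relocated to a temp dir.
# No PAM file is created for subscription-manager, to show the missing case.
APPS = {
    "subscription-manager": "USER=root\nPROGRAM=/usr/sbin/subscription-manager\nSESSION=true\n",
    "sleep": "USER=root\n#UGROUPS=wheel\nPROGRAM=/usr/bin/sleep\nSESSION=true\n#FALLBACK=yes\n",
}
PAM = {"sleep": "#%PAM-1.0\nauth include config-util\naccount include config-util\n"}

def demo():
    with tempfile.TemporaryDirectory() as root:
        dirs = {k: os.path.join(root, k) for k in ("apps", "pam", "bin")}
        for sub, files in (("apps", APPS), ("pam", PAM), ("bin", {})):
            os.makedirs(dirs[sub])
            for name, body in files.items():
                with open(os.path.join(dirs[sub], name), "w") as fh:
                    fh.write(body)
        os.symlink("/usr/bin/consolehelper", os.path.join(dirs["bin"], "subscription-manager"))
        return audit(dirs["apps"], dirs["pam"], dirs["bin"])

if __name__ == "__main__":
    print(demo())
```

On a real host, call ''audit("/etc/security/console.apps", "/etc/pam.d", "/usr/bin")''. A ''pam_service'' of ''False'' deserves a look because libpam then falls back to the ''other'' service for that name.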