My guess is that, when you run startx
, you don't have an active ConsoleKit session. See e.g. Set up PolicyKit permissions in the Arch Linux wiki entry for NetworkManager. It shows you how to use ck-launch-session
in your ~/.xinitrc
to make sure you have a proper CK session.
You also need to make sure that PolicyKit permissions are right, although they're probably already fine if things work from inside a Gnome session.
If the command ck-list-sessions
shows a difference between using runlevel5.target
versus runlevel3.target
+startx
, then this is probably your issue.
See also:
Administration and Privilege at the bottom of the Network Manager Configuration page.
I don't recommend that you follow what these say without understanding what they're doing, since it's not necessarily clear how they relate to Fedora, but they might be useful reading:
This Ubuntu bug: If 'startx' is run from within a text console, ConsoleKit session is not marked 'active'
This Debian mailing list post that has some details about changing policykit/consolekit permissions: Re: What is the right way to use consolekit with startx?
The major difference between sudo
and su
is the mechanism used to authenticate. With su
the user must know the root
password (which should be a closely guarded secret), while with sudo
the user uses his/her own password. In order to stop all users causing mayhem, the priviliges discharged by the sudo
command can, fortunately, be configured using the /etc/sudoers
file.
Both commands run a command as another user, quite often root
.
sudo su -
works in the example you gave because the user (or a group where the user is a member) is configured in the /etc/sudoers
file. That is, they are allowed to use sudo
. Armed with this, they use the sudo
to temporarily gain root
privileges (which is default when no username is provided) and as root
start another shell (su -
). They now have root
access without knowing root
's password.
Conversely, if you don't allow the user to use sudo
then they won't be able to sudo su -
.
Distros generally have a group (often called wheel
) whose members are allowed to use sudo
to run all commands. Removing them from this group will mean that they cannot use sudo
at all by default.
The line in /etc/sudoers
that does this is:
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
While removing users from this group would make your system more secure, it would also result in you (or other system adminstrators) being required to carry out more administrative tasks on the system on behalf of your users.
A more sensible compromise would configure sudo
to give you more fine grained control of who is allowed to use sudo
and who isn't, along with which commands they are allowed to use (instead of the default of all commands). For example,
## Allows members of the users group to mount and unmount the
## cdrom as root
%users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
(only useful with the previous %wheel line commented out, or no users in the wheel
group).
Presumably, distros don't come with this finer grained configuration as standard as it's impossible to forecast what the admin's requirements are for his/her users and system.
Bottom line is - learn the details of sudo
and you can stop sudo su -
while allowing other commands that don't give the user root
shell access or access to commands that can change other users' files. You should give serious consideration to who you allow to use sudo
and to what level.
WARNING: Always use the visudo
command to edit the sudoers
file as it checks your edits for you and tries to save you from the embarrassing situation where a misconfigured file (due to a syntax error) stops you from using sudo
to edit any errors. This is especially true on Debian/Ubuntu and variants where the root
account is disabled by default.
Best Answer
If your system uses PAM, the login denial when
/etc/nologin
exists is triggered by thepam_nologin
module.You can skip the
pam_nologin
invocation for users matching certain criteria withpam_succeed_if
. For example, if you want to allow users in theadm
group to log in on a text console even if/etc/nologin
exists, add the following line to/etc/pam.d/login
just before the line withauth requisite pam_nologin.so
: