Configuring Console Access

11.4 Configuring Console Access

When normal (non-root) users log in to a computer locally, they are given two types of special permission: they can run certain programs that they would not otherwise be able to run, and they can access certain files (normally special device files used to access diskettes, CD-ROMs, etc.) that they would not otherwise be able to access.

Since there are multiple consoles on a single computer, and multiple users can be logged into the computer locally at the same time, one of the users has to "win" the fight to access the files. The first user to log in at the console owns those files. Once the first user logs out, the next user who logs in will own the files.

In contrast, every user who logs in on the console will be allowed to run programs normally restricted to the root user. By default, those programs will ask for the user's password. If X is running, the prompt is graphical, which makes it possible to offer these actions as menu items within a graphical user interface. As shipped, the console-accessible programs are shutdown, halt, and reboot.

Disabling Console Program Access
In environments where the console is otherwise secured (BIOS and LILO passwords are set, control-alt-delete is disabled, the power and reset switches are disabled, etc.), it may not be desirable to allow arbitrary users at the console to run shutdown, halt, and reboot.

In order to disable all access by console users to console programs, you should run the command:

rm -f /etc/security/console.apps/*

Disabling All Console Access
To disable all console access, including program and file access, comment out all lines that refer to pam_console.so in the files in the /etc/pam.d/ directory. The following script will do the trick:

cd /etc/pam.d
for i in * ; do
  # prefix every uncommented line that mentions pam_console.so with '#'
  sed '/^[^#].*pam_console\.so/s/^/#/' < "$i" > foo && mv foo "$i"
done

Defining the Console
The /etc/security/console.perms file defines the console group. The syntax of that file is very flexible, so it's possible to edit that file so that these instructions no longer apply. However, the default file has a line that looks like this:

<console>=tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9]

When users log in, they are attached to some sort of named terminal, either an X server with a name like :0 or mymachine.example.com:1.0, or a device like /dev/tty0 or /dev/pts/2. By default, local virtual consoles and local X servers are considered local, but if you also want to treat the serial terminal next to you on port /dev/ttyS1 as local, you can change that line to read:

<console>=tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9] /dev/ttyS1

Making Files Console-Accessible
In /etc/security/console.perms, there is a section with lines like:

<cdrom>=/dev/cdrom

You can also add your own lines:

<scanner>=/dev/sga

(of course, make sure that /dev/sga is really your scanner and not, say, your hard drive).

That's the first part. The second part is to define what is done with those files. Look in the last section of /etc/security/console.perms for lines similar to

<console> 0600 <cdrom>  0600 root

and add a line like

<console> 0600 <scanner> 0600 root

Then when you log in at the console, you will be given ownership of the /dev/sga device and the permissions will be 0600 (readable and writable by you only). When you log out, the device will be owned by root and still have 0600 (now: readable and writable by root only) permissions.

Enabling Console Access for Other Applications

If you wish to make other applications besides shutdown, reboot, and halt accessible to console users, you will have to do just a little bit more work.

First of all, console access only works for applications which reside in /sbin or /usr/sbin, so the application that you wish to run must be there.

Create a link from the name of your application to the /usr/bin/consolehelper application:

cd /usr/bin
ln -s consolehelper foo

Create the file /etc/security/console.apps/foo:

touch /etc/security/console.apps/foo

Create a PAM configuration file for the foo service in /etc/pam.d/. We suggest that you start with a copy of the shutdown service, then change it if you want to change the behavior:

cp /etc/pam.d/shutdown /etc/pam.d/foo

Now, when you run /usr/bin/foo, it will call consolehelper, which with the help of /usr/sbin/userhelper will authenticate the user (asking for the user's password if /etc/pam.d/foo is a copy of /etc/pam.d/shutdown; otherwise, it will do precisely what is specified in /etc/pam.d/foo) and then run /usr/sbin/foo with root permissions.
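
A check to run after the steps above, or after the pam_console.so script under "Disabling All Console Access" (an added example, not part of the original manual): it lists every program in console.apps together with any missing piece of the consolehelper setup, and names the PAM service files that still carry an uncommented pam_console.so line. The ROOT argument and the --live switch are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the manual). ROOT is a directory prefix so the
# checks can run against a mounted image or test tree; "/" is the live system.

# One line per entry in console.apps: "name: ok" or "name: <problems>".
audit_console_apps() {
    root=${1%/}
    apps="$root/etc/security/console.apps"
    [ -d "$apps" ] || { echo "console.apps: missing"; return 0; }
    for f in "$apps"/*; do
        [ -e "$f" ] || continue              # empty directory, glob unmatched
        name=${f##*/}
        issues=""
        # /usr/bin/NAME must be a symlink to consolehelper
        case $(readlink "$root/usr/bin/$name" 2>/dev/null || true) in
            consolehelper|*/consolehelper) ;;
            *) issues="$issues no-consolehelper-link" ;;
        esac
        # the real program must reside in /sbin or /usr/sbin
        if [ ! -x "$root/sbin/$name" ] && [ ! -x "$root/usr/sbin/$name" ]; then
            issues="$issues no-sbin-binary"
        fi
        # a PAM service of the same name decides how the user is authenticated
        [ -f "$root/etc/pam.d/$name" ] || issues="$issues no-pam-service"
        echo "$name:${issues:- ok}"
    done
}

# PAM service files that still have an uncommented pam_console.so line.
pam_console_refs() {
    root=${1%/}
    for f in "$root/etc/pam.d"/*; do
        [ -f "$f" ] || continue
        if grep -q '^[^#]*pam_console\.so' "$f"; then echo "${f##*/}"; fi
    done
}

# Hypothetical --live switch: report on the running system.
if [ "${1:-}" = "--live" ]; then
    audit_console_apps /
    pam_console_refs /
fi
```

An empty report from audit_console_apps means no program is console-accessible; an empty report from pam_console_refs means every pam_console.so line is commented out.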

