Console

Disabling All Console Access

The PAM pam_console.so module manages console file permissions and authentication. If you want to disable all console access, including program and file access, comment out all lines that refer to pam_console.so in the /etc/pam.d directory. As root, the following script will do the trick:

cd /etc/pam.d
for i in * ; do
    [ -f "$i" ] || continue
    # prefix every uncommented line that references pam_console.so with '#'
    sed '/^[^#].*pam_console\.so/s/^/#/' < "$i" > foo && mv foo "$i"
done


Defining the Console

The pam_console.so module uses the /etc/security/console.perms file to determine the permissions for users at the system console. The syntax of the file is very flexible; you can edit the file so that these instructions no longer apply. However, the default file has a line that looks like this:

 <console>=tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9]

When users log in, they are attached to some sort of named terminal, either an X server with a name like :0 or mymachine.example.com:1.0 or a device like /dev/ttyS0 or /dev/pts/2. By default, only local virtual consoles and local X servers are treated as the console. If you also want the serial terminal next to you on port /dev/ttyS1 to count as local, change that line to read:

 <console>=tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9] /dev/ttyS1


Enabling Console Access for Other Applications

If you wish to make other applications accessible to console users, you will have to do a bit more work.

First of all, console access only works for applications which reside in /sbin or /usr/sbin, so the application that you wish to run must be there. After verifying that, do the following steps:

  1. Create a link from the name of your application, such as our sample foo program, to the /usr/bin/consolehelper application:
     cd /usr/bin
     ln -s consolehelper foo

  2. Create the file /etc/security/console.apps/foo:
     touch /etc/security/console.apps/foo

  3. Create a PAM configuration file for the foo service in /etc/pam.d/. An easy way to do this is to start with a copy of the halt service's PAM configuration file, and then modify the file if you want to change the behavior:
     cp /etc/pam.d/halt /etc/pam.d/foo

Now, when you run /usr/bin/foo, it will call consolehelper, which will authenticate the user with the help of /usr/sbin/userhelper. To authenticate the user, consolehelper will ask for the user's password if /etc/pam.d/foo is a copy of /etc/pam.d/halt (otherwise, it will do precisely what is specified in /etc/pam.d/foo) and then run /usr/sbin/foo with root permissions.

In the PAM configuration file, an application can be configured to use the pam_timestamp module to remember (cache) a successful authentication attempt. When an application is started and proper authentication is provided (the root password), a timestamp file is created. By default, a successful authentication is cached for five minutes. During this time, any other application that is configured to use pam_timestamp and run from the same session is automatically authenticated for the user — the user does not have to enter the root password again.

This module is included in the pam package. To enable this feature, the PAM configuration file in /etc/pam.d/ must include the following lines:

 auth    sufficient /lib/security/pam_timestamp.so
 session optional   /lib/security/pam_timestamp.so

The first line that begins with auth should be after any other auth sufficient lines, and the line that begins with session should be after any other session optional lines.

If an application configured to use pam_timestamp is successfully authenticated from the Main Menu Button (on the Panel), an icon is displayed in the notification area of the panel if you are running the GNOME desktop environment. After the authentication expires (the default is five minutes), the icon disappears.

The user can select to forget the cached authentication by clicking on the icon and selecting the option to forget authentication.


Making Files Accessible From the Console

In /etc/security/console.perms, there is a section with lines like:

 <floppy>=/dev/fd[0-1]* \
         /dev/floppy/* /mnt/floppy*
 <sound>=/dev/dsp* /dev/audio* /dev/midi* \
         /dev/mixer* /dev/sequencer \
         /dev/sound/* /dev/beep
 <cdrom>=/dev/cdrom* /dev/cdroms/* /dev/cdwriter* /mnt/cdrom*

You can add your own lines to this section, if necessary. Make sure that any lines you add refer to the appropriate device. For example, you could add the following line:

 <scanner>=/dev/scanner /dev/usb/scanner*

(Of course, make sure that /dev/scanner is really your scanner and not, say, your hard drive.)

That is the first step. The second step is to define what is done with those files. Look in the last section of /etc/security/console.perms for lines similar to:

 <console> 0660 <floppy> 0660 root.floppy
 <console> 0600 <sound>  0640 root
 <console> 0600 <cdrom>  0600 root.disk

and add a line like:

 <console> 0600 <scanner> 0600 root

Then, when you log in at the console, you will be given ownership of the /dev/scanner device and the permissions will be 0600 (readable and writable by you only). When you log out, the device will be owned by root and still have 0600 (now: readable and writable by root only) permissions.


Disabling Console Program Access

In order to disable access by users to console programs, you should run this command as root:

 rm -f /etc/security/console.apps/*

In environments where the console is otherwise secured (BIOS and boot loader passwords are set, [Ctrl]-[Alt]-[Delete] is disabled, the power and reset switches are disabled, and so forth), you may not want to allow any user at the console to run poweroff, halt, and reboot, which are accessible from the console by default.

To remove these abilities, run the following commands as root:

 rm -f /etc/security/console.apps/poweroff
 rm -f /etc/security/console.apps/halt
 rm -f /etc/security/console.apps/reboot
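An added audit script (not from the original page or from Red Hat) that covers both the consolehelper setup steps above and this section's removal of console.apps entries: it lists every program registered in /etc/security/console.apps, checks that /usr/bin/NAME is the consolehelper link and that /etc/pam.d/NAME exists, and flags whether that file enables pam_timestamp (cached root authentication). The ROOT prefix is an assumption added so the check can be run against a copied tree.

```shell
#!/bin/sh
# Audit which programs console users may run as root via consolehelper.
# ROOT is an assumed prefix (empty = the live system) so a copied
# /etc and /usr tree can be inspected offline.
ROOT="${ROOT:-}"

# Report one console app as a single line:
#   "name link=yes|no pam=yes|no timestamp=yes|no"
# link:      /usr/bin/<name> is a symlink to consolehelper (step 1)
# pam:       /etc/pam.d/<name> exists (step 3)
# timestamp: that file has an uncommented pam_timestamp.so line,
#            i.e. a successful root authentication is cached
audit_console_app() {
    name=$1
    link=no; pam=no; ts=no
    if [ -L "$ROOT/usr/bin/$name" ] && \
       [ "$(readlink "$ROOT/usr/bin/$name")" = "consolehelper" ]; then
        link=yes
    fi
    if [ -f "$ROOT/etc/pam.d/$name" ]; then
        pam=yes
        if grep -q '^[^#]*pam_timestamp\.so' "$ROOT/etc/pam.d/$name"; then
            ts=yes
        fi
    fi
    echo "$name link=$link pam=$pam timestamp=$ts"
}

# Every file in /etc/security/console.apps (step 2) is a program that
# console users can be granted root access to; audit each one.
audit_console_apps() {
    for f in "$ROOT"/etc/security/console.apps/*; do
        [ -e "$f" ] || continue
        audit_console_app "$(basename "$f")"
    done
}

# Number of registered console apps; expected to be 0 after
# "rm -f /etc/security/console.apps/*" from the text.
count_console_apps() {
    n=0
    for f in "$ROOT"/etc/security/console.apps/*; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

audit_console_apps
```

A line reporting link=yes with pam=no means consolehelper would fall back to whatever PAM does for an unknown service, so every registered name should show pam=yes.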


The floppy Group

If, for whatever reason, console access is not appropriate for you and you need to give non-root users access to your system's diskette drive, this can be done using the floppy group. Simply add the user(s) to the floppy group using the tool of your choice. Here is an example showing how gpasswd can be used to add user fred to the floppy group:

 [root@bigdog root]# gpasswd -a fred floppy
 Adding user fred to group floppy
 [root@bigdog root]#

Now, user fred will be able to access the system's diskette drive from the console.
