Configuring Console Access

When normal (non-root) users log in to a computer locally, they are given two types of special permission: they can run certain programs that they would not otherwise be able to run, and they can access certain files (normally special device files used to access diskettes, CD-ROMS, and so on) that they would not otherwise be able to access.

Since there are multiple consoles on a single computer, and multiple users can be logged into the computer locally at the same time, one of the users has to "win" the fight to access the files. The first user to log in at the console owns those files. Once the first user logs out, the next user who logs in will own the files.

In contrast, every user who logs in at the console will be allowed to run programs normally restricted to the root user. By default, those programs will ask for the user's password. This will be done graphically if X is running which makes it possible to include these actions as menu items in a graphical user interface. As shipped, the console-accessible programs are shutdown, halt, and reboot.

Disabling Console Program Access

In environments where the console is otherwise secured (BIOS and LILO passwords are set, Ctrl-Alt-Delete is disabled, the power and reset switches are disabled, etc.), it may not be desirable to allow arbitrary users at the console to run shutdown, halt, and reboot.

In order to disable all access by console users to console programs, you should run the command:

rm -f /etc/security/console.apps/*
        

Disabling All Console Access

In order to disable all console access, including program and file access, in the /etc/pam.d/ directory, comment out all lines that refer to pam_console.so. The following script will do the trick:

cd /etc/pam.d
for i in * ; do
sed '/[^#].*pam_console.so/s/^/#/' < $i > foo && mv foo $i
done
        

Defining the Console

The /etc/security/console.perms file defines the console group. The syntax of that file is very flexible; you can edit the file so that these instructions no longer apply. However, the default file has a line that looks like this:

 <console>=tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
        

When users log in, they are attached to some sort of named terminal, either an X server with a name like :0 or mymachine.example.com:1.0; or a device like /dev/ttyS0 or /dev/pts/2. The default is to define that local virtual consoles and local X servers are considered local, but if you want to consider the serial terminal next to you on port /dev/ttyS1 to also be local, you can change that line to read:

<console>=tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9] /dev/ttyS1
        

Making Files Console-Accessible

In /etc/security/console.perms, there is a section with lines like:

<floppy>=/dev/fd[0-1]*
<cdrom>=/dev/cdrom
<jaz>=/dev/zip
        

You can also add your own lines:

<scanner>=/dev/sga
	

(Of course, make sure that /dev/sga is really your scanner and not, say, your hard drive.)

That's the first part. The second part is to define what is done with those files. Look in the last section of /etc/security/console.perms for lines similar to:

<console> 0660 <floppy> 0660 root.floppy
<console> 0600 <cdrom>  0600 root.disk
<console> 0600 <jaz>    0660 root.disk
          

and add a line like:

<console> 0600 <scanner> 0600 root
          

Then, when you log in at the console, you will be given ownership of the /dev/sga device and the permissions will be 0600 (readable and writable by you only). When you log out, the device will be owned by root and still have 0600 (now: readable and writable by root only) permissions.

Enabling Console Access for Other Applications

If you wish to make other applications besides shutdown, reboot, and halt accessible to console users, you will have to do just a little bit more work.

First of all, console access only works for applications which reside in /sbin or /usr/sbin, so the application that you wish to run must be there.

Create a link from the name of your application to the /usr/bin/consolehelper application:

cd /usr/bin
ln -s consolehelper foo
	

Create the file /etc/security/console.apps/foo:

touch /etc/security/console.apps/foo
	

Create a PAM configuration file for the foo service in /etc/pam.d/. We suggest that you start with a copy of the shutdown service, then change it if you want to change the behavior:

cp /etc/pam.d/shutdown /etc/pam.d/foo
	

Now, when you run /usr/bin/foo, it will call consolehelper, which, with the help of /usr/sbin/userhelper will authenticate the user (asking for the user's password if /etc/pam.d/foo is a copy of /etc/pam.d/shutdown; otherwise, it will do precisely what is specified in /etc/pam.d/foo) and then run /usr/sbin/foo with root permissions.