Red Hat Linux 7.1: The Official Red Hat Linux Reference Guide
Chapter 12. Controlling Access and Privileges
When normal (non-root) users log in to a computer locally, they are given two types of special permissions:
- They can run certain programs that they would not otherwise be able to run
- They can access certain files (normally special device files used to access diskettes, CD-ROMs, and so on) that they would not otherwise be able to access
Since there are multiple consoles on a single computer and multiple users can be logged into the computer locally at the same time, one of the users has to "win" the race to access the files. The first user to log in at the console owns those files. Once the first user logs out, the next user who logs in will own the files.
In contrast, every user who logs in at the console will be allowed to run programs that accomplish tasks normally restricted to the root user. If X is running, these actions can be included as menu items in a graphical user interface. As shipped, the console-accessible programs include halt, poweroff and reboot.
By default, /etc/inittab specifies that your system is set to shut down and reboot the system in response to a
```
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
```
Alternatively, you may just want to allow certain non-root users the right to shut down the system from the console using
Add a -a option to the /etc/inittab line shown above, so that it reads:
```
ca::ctrlaltdel:/sbin/shutdown -a -t3 -r now
```
The -a flag tells shutdown to look for the /etc/shutdown.allow file, which you'll create in the next step.
Create a file named shutdown.allow in /etc. The shutdown.allow file should list the usernames of any users who are allowed to shut down the system using
```
stephen
jack
sophie
```
According to this example shutdown.allow file, stephen, jack, and sophie are allowed to shut down the system from the console using
For more information on shutdown.allow see the shutdown man page.
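
The inittab entry and the shutdown.allow file can be checked together. The following is an added example, not part of the original guide: it reports whether ctrlaltdel is disabled, open to anyone at the console, or restricted to listed users. The function name and the path parameters are assumptions; the rule that -a is ignored when the allow file is absent, and the one-name-per-line format, come from the shutdown man page.

```shell
#!/bin/sh
# Added example: report who can trigger the ctrlaltdel action.
# Both paths are parameters; the defaults are the files named in the text.
ctrlaltdel_policy() {
    inittab="${1:-/etc/inittab}"
    allow="${2:-/etc/shutdown.allow}"
    # First uncommented inittab entry whose action field is ctrlaltdel
    line=$(awk -F: '$1 !~ /^[ \t]*#/ && $3 == "ctrlaltdel" { print; exit }' "$inittab")
    if [ -z "$line" ]; then
        echo "disabled"
        return 0
    fi
    # Everything after the third colon is the command init runs
    case " ${line#*:*:*:} " in
        *" -a "*) ;;
        *) echo "open"; return 0 ;;
    esac
    # shutdown(8): if the allow file is not present, -a is ignored
    if [ ! -f "$allow" ]; then
        echo "open (-a set but $allow missing)"
        return 0
    fi
    # One user name per line; blank lines and # comments are skipped
    users=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$allow" | tr -s ' \t\n' ' ')
    users=${users% }
    if [ -z "$users" ]; then
        users="(no users listed)"
    fi
    echo "restricted: $users"
}

# Constructed sample files, not taken from a real system
demo=$(mktemp -d)
echo 'ca::ctrlaltdel:/sbin/shutdown -a -t3 -r now' > "$demo/inittab"
ctrlaltdel_policy "$demo/inittab" "$demo/shutdown.allow"   # allow file absent
printf 'stephen\njack\nsophie\n' > "$demo/shutdown.allow"
ctrlaltdel_policy "$demo/inittab" "$demo/shutdown.allow"   # allow file present
rm -rf "$demo"
```
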
In order to disable access by users to console programs, you should run this command as root:
```
rm -f /etc/security/console.apps/*
```
In environments where the console is otherwise secured (BIOS and LILO
passwords are set,
To remove these abilities, run the following commands as root:
```
rm -f /etc/security/console.apps/poweroff
rm -f /etc/security/console.apps/halt
rm -f /etc/security/console.apps/reboot
```
The PAM pam_console.so module manages console file permissions and authentication. (See Chapter 8 for more information on configuring PAM.) If you want to disable all console access, including program and file access, comment out all lines that refer to pam_console.so in the /etc/pam.d directory. The following script will do the trick:
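```
cd /etc/pam.d
for i in * ; do
    # Comment out each line that refers to pam_console.so; the temporary
    # name is derived from the file so no other file here is overwritten
    sed '/[^#].*pam_console.so/s/^/#/' < "$i" > "$i.tmp" && mv "$i.tmp" "$i"
done
```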
The pam_console.so module uses the /etc/security/console.perms file to determine the permissions for users at the system console. The syntax of the file is very flexible; you can edit the file so that these instructions no longer apply. However, the default file has a line that looks like this:
```
<console>=tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
```
When users log in, they are attached to some sort of named terminal, either an X server with a name like :0 or mymachine.example.com:1.0 or a device like /dev/ttyS0 or /dev/pts/2. The default is to define that local virtual consoles and local X servers are considered local, but if you want to consider the serial terminal next to you on port /dev/ttyS1 to also be local, you can change that line to read:
```
<console>=tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9] /dev/ttyS1
```
In /etc/security/console.perms, there is a section with lines like:
```
<floppy>=/dev/fd[0-1]* \
         /dev/floppy/*
<sound>=/dev/dsp* /dev/audio* /dev/midi* \
        /dev/mixer* /dev/sequencer \
        /dev/sound/*
<cdrom>=/dev/cdrom* /dev/cdwriter*
```
You can add your own lines to this section, if necessary. Make sure that any lines you add refer to the appropriate device. For example, you could add the following line:
```
<scanner>=/dev/sga
```
(Of course, make sure that /dev/sga is really your scanner and not, say, your hard drive.)
That's the first step. The second step is to define what is done with those files. Look in the last section of /etc/security/console.perms for lines similar to:
```
<console> 0660 <floppy> 0660 root.floppy
<console> 0600 <sound>  0640 root
<console> 0600 <cdrom>  0600 root.disk
```
and add a line like:
```
<console> 0600 <scanner> 0600 root
```
Then, when you log in at the console, you will be given ownership of the /dev/sga device and the permissions will be 0600 (readable and writable by you only). When you log out, the device will be owned by root and still have 0600 (now: readable and writable by root only) permissions.
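
Because the edit has two steps, it is easy to add a permission line for a class that was never defined, or the reverse. The following added example (not part of the original guide) checks a console.perms file for both cases, using only the syntax shown above. The function name and the file-path argument are assumptions, and treating # as a comment marker is an assumption about the file format.

```shell
#!/bin/sh
# Added example: consistency check for the two-step console.perms edit.
# $1 is the file to check (default: the path named in the text).
check_console_perms() {
    awk '
        { sub(/#.*/, "") }                        # assumed: # starts a comment
        /\\[ \t]*$/ { sub(/\\[ \t]*$/, " "); buf = buf $0; next }  # continuation
        { line = buf $0; buf = "" }
        line ~ /^[ \t]*$/ { next }
        # Step 1: class definition, "<name>=pattern ..."
        line ~ /^[ \t]*<[^>]+>=/ {
            name = line
            sub(/^[ \t]*/, "", name); sub(/=.*/, "", name)
            defined[name] = 1
            next
        }
        # Step 2: permission line, "<console> mode <class> mode owner"
        {
            n = split(line, f, " ")
            for (i = 1; i <= n; i++)
                if (f[i] ~ /^<.*>$/) used[f[i]] = 1
        }
        END {
            for (c in used)    if (!(c in defined)) print "undefined " c
            for (c in defined) if (!(c in used))    print "unused " c
        }
    ' "${1:-/etc/security/console.perms}" | sort
}

# Constructed sample built from the lines in the text: the <scanner>
# permission line was added, but its definition was forgotten.
sample=$(mktemp)
printf '%s\n' \
    '<console>=tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9]' \
    '<floppy>=/dev/fd[0-1]* \' \
    '         /dev/floppy/*' \
    '<cdrom>=/dev/cdrom* /dev/cdwriter*' \
    '<console> 0660 <floppy> 0660 root.floppy' \
    '<console> 0600 <cdrom> 0600 root.disk' \
    '<console> 0600 <scanner> 0600 root' > "$sample"
check_console_perms "$sample"
rm -f "$sample"
```
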
If you wish to make other applications accessible to console users, you will have to do just a little bit more work.
First of all, console access only works for applications which reside in /sbin or /usr/sbin, so the application that you wish to run must be there. After verifying that, do the following steps:
Create a link from the name of your application, such as our sample foo program, to the /usr/bin/consolehelper application:
```
cd /usr/bin
ln -s consolehelper foo
```
Create the file /etc/security/console.apps/foo:
```
touch /etc/security/console.apps/foo
```
Create a PAM configuration file for the foo service in /etc/pam.d/. An easy way to do this is to start with a copy of the halt service's PAM configuration file, and then modify the file if you want to change the behavior:
```
cp /etc/pam.d/halt /etc/pam.d/foo
```
Now, when you run /usr/bin/foo, it will call consolehelper, which will authenticate the user with the help of /usr/sbin/userhelper. To authenticate the user, consolehelper will ask for the user's password if /etc/pam.d/foo is a copy of /etc/pam.d/halt (otherwise, it will do precisely what is specified in /etc/pam.d/foo) and then run /usr/sbin/foo with root permissions.
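
The following added example (not part of the original guide) audits the result of the steps above: for every entry in /etc/security/console.apps it reports whether the PAM file, the consolehelper link and the program in /sbin or /usr/sbin are in place. The function names and the root-prefix argument are assumptions, chosen so the check can run against a constructed tree as well as the live system.

```shell
#!/bin/sh
# Added example: list the programs exposed to console users and check that
# each one has all the pieces described in the steps above.
# $1 is an optional root prefix (hypothetical); empty means the live system.
audit_console_apps() {
    root="${1:-}"
    for entry in "$root"/etc/security/console.apps/*; do
        [ -e "$entry" ] || continue      # empty directory: nothing exposed
        name=$(basename "$entry")
        # PAM service file with the same name as the application
        if [ -f "$root/etc/pam.d/$name" ]; then pam=yes; else pam=no; fi
        # /usr/bin/<name> must be a symbolic link to consolehelper
        case "$(readlink "$root/usr/bin/$name" 2>/dev/null)" in
            consolehelper|*/consolehelper) link=yes ;;
            *) link=no ;;
        esac
        # The real program has to reside in /sbin or /usr/sbin
        target=missing
        for dir in /sbin /usr/sbin; do
            if [ -x "$root$dir/$name" ]; then
                target="$dir/$name"
                break
            fi
        done
        echo "$name pam=$pam link=$link target=$target"
    done
}

# Constructed sample tree (not a real system): "foo" follows every step,
# "bar" has a console.apps entry but no PAM file and no consolehelper link.
make_sample_root() {
    r=$(mktemp -d)
    mkdir -p "$r/etc/security/console.apps" "$r/etc/pam.d" "$r/usr/bin" "$r/usr/sbin"
    touch "$r/etc/security/console.apps/foo" "$r/etc/security/console.apps/bar"
    touch "$r/etc/pam.d/foo" "$r/usr/sbin/foo" "$r/usr/sbin/bar"
    chmod 755 "$r/usr/sbin/foo" "$r/usr/sbin/bar"
    ln -s consolehelper "$r/usr/bin/foo"
    echo "$r"
}

sample_root=$(make_sample_root)
audit_console_apps "$sample_root"
rm -rf "$sample_root"
```

Run with no argument as root on the system itself; after the `rm -f /etc/security/console.apps/*` command shown earlier, the function prints nothing.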