PAM and Device Ownership


Red Hat Linux grants the first user who logs in on the physical console of the machine the ability to manipulate devices and perform tasks normally reserved for root. This is done through a PAM module called pam_console.so.

Device Ownership

When a user logs into a machine under Red Hat Linux, the pam_console.so module is called by login or by the graphical login programs, gdm and kdm. If this user is the first user to log in at the physical console — called the console user — the module grants ownership of a variety of devices normally owned by root. The console user owns these devices until the last local session for that user ends. Once the user has logged out, ownership of the devices reverts back to their default values.

The devices affected include sound cards, floppy drives, and CD-ROM drives. This allows a local user to manipulate these devices without attaining root, thus simplifying common tasks for the console user. In the file /etc/security/console.perms, you can edit the list of devices controlled by pam_console.so.
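The following Python script is an added example, not part of the guide or of pam_console itself. It parses a constructed fragment laid out like /etc/security/console.perms (class definitions of the form `<name>=patterns`, followed by five-field lines `<console-class> login-mode <device-class> revert-mode revert-owner[.group]`), computes which ownership and mode each device should have while a console user is logged in and after the last session ends, and compares that against a constructed ownership snapshot to find devices that did not revert to root. The sample file contents, the snapshot, the user name `alice` and all function names are assumptions made for the example.

```python
"""Check pam_console-style device ownership against console.perms (added example)."""
import fnmatch
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed fragment in the layout of /etc/security/console.perms.
# Console classes are regular expressions matched against the tty name;
# device classes are shell-style globs.
SAMPLE_CONSOLE_PERMS = r"""
# console classes -- regular expressions
<console>=tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]\.[0-9] :[0-9]

# device classes -- shell-style globs
<floppy>=/dev/fd[0-1]* \
         /dev/floppy/*
<sound>=/dev/dsp* /dev/audio* /dev/mixer*
<cdrom>=/dev/cdrom* /dev/cdroms/*

<console>  0660 <floppy>  0660 root.floppy
<console>  0600 <sound>   0600 root
<console>  0600 <cdrom>   0660 root.disk
"""


@dataclass(frozen=True)
class Rule:
    console_class: str
    login_mode: int            # mode while the console user owns the device
    device_class: str
    revert_mode: int           # mode restored after the last session ends
    revert_owner: str
    revert_group: Optional[str]


def parse_console_perms(text: str) -> Tuple[Dict[str, List[str]], List[Rule]]:
    """Return (class definitions, permission rules) from console.perms text."""
    text = text.replace("\\\n", " ")            # fold backslash continuations
    classes: Dict[str, List[str]] = {}
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blanks
        if not line:
            continue
        m = re.fullmatch(r"<(\w+)>=(.*)", line)
        if m:
            classes[m.group(1)] = m.group(2).split()
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"unparseable permission line: {raw!r}")
        cclass, mode, dclass, rmode, rowner = fields
        owner, _, group = rowner.partition(".")
        rules.append(Rule(cclass.strip("<>"), int(mode, 8), dclass.strip("<>"),
                          int(rmode, 8), owner, group or None))
    return classes, rules


def expected_ownership(classes, rules, tty: str, console_user: Optional[str]):
    """Map each device glob to (owner, group, mode) for the given login state.

    console_user=None means no console session exists, so every device
    must carry its revert owner and mode.
    """
    expected = {}
    for rule in rules:
        if not any(re.fullmatch(p, tty) for p in classes[rule.console_class]):
            continue
        for glob in classes[rule.device_class]:
            if console_user is None:
                expected[glob] = (rule.revert_owner, rule.revert_group, rule.revert_mode)
            else:
                expected[glob] = (console_user, None, rule.login_mode)
    return expected


def find_deviations(expected, observed) -> List[str]:
    """Return paths from observed (path, owner, group, mode) tuples that deviate.

    A None expected group means the rule does not pin the group.
    """
    bad = []
    for path, owner, group, mode in observed:
        for glob, (e_owner, e_group, e_mode) in expected.items():
            if fnmatch.fnmatch(path, glob):
                if owner != e_owner or mode != e_mode or (e_group and group != e_group):
                    bad.append(path)
                break
    return sorted(bad)


# Constructed snapshot "after logout": /dev/dsp still belongs to the former
# console user, which is the lingering-ownership case an audit should catch.
OBSERVED_AFTER_LOGOUT = [
    ("/dev/fd0", "root", "floppy", 0o660),
    ("/dev/dsp", "alice", "alice", 0o600),
    ("/dev/cdrom", "root", "disk", 0o660),
]


def audit_after_logout(perms_text=SAMPLE_CONSOLE_PERMS, tty="tty1",
                       observed=OBSERVED_AFTER_LOGOUT) -> List[str]:
    classes, rules = parse_console_perms(perms_text)
    return find_deviations(expected_ownership(classes, rules, tty, None), observed)


if __name__ == "__main__":
    print("devices not reverted:", audit_after_logout())   # ['/dev/dsp']
```

On a live system the snapshot would come from `os.stat` on the globbed device paths; the example keeps it constructed so it runs anywhere. Pseudo-terminals such as `pts/3` match none of the console regexes, so the script correctly expects no device handover for them.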

Application Access

The console user is also allowed access to any program with a file bearing the command name in the /etc/security/console.apps/ directory. These files do not need to contain any data but must have the exact name of the command to which they correspond. One notable group of applications available to the console user consists of three programs that shut off or reboot the system. These are:

  • /sbin/halt

  • /sbin/reboot

  • /sbin/poweroff

Because these are PAM-aware applications, they call the pam_console.so module as a requirement for use. For more information, see the man pages for pam_console, console.perms, and console.apps.
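The following Python script is an added example, not part of the guide. It reviews a console.apps-style directory the way an administrator would when checking what the console user may run: every file name is taken as a command the console user is granted, entries outside the three the text names are reported, and entries with no matching executable on the given search path are flagged as dangling. The `demo` function builds a throwaway sandbox (a constructed `extra-tool` entry and stub executables) so the audit runs without touching /etc; the directory layout, allowlist handling and function names are assumptions made for the example.

```python
"""Review which commands a console.apps directory grants (added example)."""
import os
import tempfile
from typing import Dict, List, Sequence

# The three entries the guide describes; anything else is reported so an
# administrator can decide whether it belongs there.
EXPECTED_APPS = frozenset({"halt", "reboot", "poweroff"})


def audit_console_apps(apps_dir: str, search_path: Sequence[str],
                       expected=EXPECTED_APPS) -> Dict[str, List[str]]:
    """Classify each entry of apps_dir by name (file contents are irrelevant).

    expected   - on the allowlist
    unexpected - present but not on the allowlist
    dangling   - no executable of that name on search_path, so the entry
                 grants nothing today but takes effect once one appears
    """
    report: Dict[str, List[str]] = {"expected": [], "unexpected": [], "dangling": []}
    for name in sorted(os.listdir(apps_dir)):
        report["expected" if name in expected else "unexpected"].append(name)
        if not any(os.access(os.path.join(d, name), os.X_OK) for d in search_path):
            report["dangling"].append(name)
    return report


def demo() -> Dict[str, List[str]]:
    """Run the audit against a constructed sandbox instead of the live system."""
    with tempfile.TemporaryDirectory() as root:
        apps = os.path.join(root, "console.apps")
        sbin = os.path.join(root, "sbin")
        os.makedirs(apps)
        os.makedirs(sbin)
        # Constructed console.apps entries: the three documented ones plus a stray.
        for name in ("halt", "reboot", "poweroff", "extra-tool"):
            open(os.path.join(apps, name), "w").close()
        # Stub executables standing in for /sbin/halt, /sbin/reboot, /sbin/poweroff.
        for name in ("halt", "reboot", "poweroff"):
            path = os.path.join(sbin, name)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(path, 0o755)
        return audit_console_apps(apps, [sbin])


if __name__ == "__main__":
    for category, names in demo().items():
        print(f"{category}: {names}")
```

Against a real installation, call `audit_console_apps("/etc/security/console.apps", ["/sbin", "/usr/sbin", "/bin", "/usr/bin"])`; the allowlist should be extended with whatever entries the site has deliberately added.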




Official Red Hat Linux Administrator's Guide
ISBN: 0764516957
Year: 2002
Pages: 278
Authors: Red Hat Inc
